- Type of Publication: Guideline
- Category: Sound Business and Financial Practices
- No: E-19
- Date: December 2017
- Effective Date: January 1, 2018
This guideline sets out OSFI’s expectations with respect to the Own Risk and Solvency Assessment (ORSA) of federally regulated insurers (FRI or insurer).
The ORSA should reflect an insurer’s own risk and solvency assessment. OSFI expects an insurer to have processes in place to conduct an ORSA that is proportionate to the nature, scale and complexity of its business and risk profile.
This guideline outlines OSFI’s expectations with respect to an insurer’s own assessment of its risks, capital needs and solvency position, and for setting Internal Targets, based on an insurer’s Own Risk and Solvency Assessment (ORSA).
The ORSA should serve as a tool to enhance an insurer’s understanding of the interrelationships between its risk profile and capital needs. The ORSA should consider all reasonably foreseeable and relevant material risks, be forward-looking and be congruent with an insurer’s business and strategic planning.
As the ORSA is a dynamic forward-looking process, stress and scenario testing should be an important component used in an insurer's determination of its own capital needs and as it sets and evaluates the adequacy of its Internal Targets and operating capital level throughout the business cycle.
This guideline addresses the scope of the ORSA, its relation to enterprise risk management, the role of Senior Management and other participants in performing, monitoring, reporting or reviewing the ORSA, and other key elements of the assessment process.
OSFI, in its normal course supervisory monitoring, may review the company’s ORSA including related documentation and reports. OSFI will consider this information in its assessment of inherent risks and risk management practices. OSFI does not approve an insurer’s ORSA.
For further guidance and considerations about the identification, assessment, management and other aspects of risk, insurers may also consult other OSFI guidelines or publications such as: Supervisory Framework, Guidelines B-2: Large Exposure Limits and Investment Concentration Limit for Property and Casualty Insurance Companies and Guideline B-3: Sound Reinsurance Practices and Procedures.
For further guidance and considerations about stress and scenario testing, insurers may also consult sources such as OSFI’s Guideline E-18: Stress Testing and actuarial standards of practice with respect to an insurer’s Dynamic Capital Adequacy Testing (DCAT).
OSFI expects the ORSA to be tailored to and cover the consolidated operations of an insurer. An insurer’s capital assessment should consider the risks of its domestic and foreign operations as well as group risks. It should also consider the availability of capital and assets in each jurisdiction for on-going viability and for the protection of policyholders and creditors of each insurance entity.
The ORSA can be prepared either on an individual insurer basis or on a group basis (Group ORSA). Where the Group ORSA includes, in addition to the consolidated operations of an individual insurer, the operations of other related insurers or the operations of its parent or home office, it should give adequate consideration to the business and risk profile of the individual insurer and the particular circumstances of the relevant markets in which it operates (e.g. by using relevant subsets of group data and modified methodologies, tools and/or assumptions) to yield own capital needs and Internal Targets that are appropriate for the individual insurer. The components of the Group ORSA that are used in or otherwise support an individual insurer’s ORSA should be consistent with the expectations of this guideline.
When an insurer’s business and risk profiles or circumstances are not adequately reflected in a Group ORSA, or its own capital needs and Internal Targets are not adequately determined or supported using a Group ORSA, OSFI expects the insurer to have a separate ORSA that covers only the consolidated operations of the insurer and not the operations of its parent, home office or other related insurers.
III. ORSA and Enterprise Risk Management
In conducting its ORSA, an insurer should determine its own capital needs and establish its Internal Targets based on an internal assessment of all material risks, including the results of the enterprise risk management process. The existence of a robust enterprise risk management framework enhances the ability of an insurer to effectively reflect risks in its ORSA.
Enterprise risk management, along with related controls and governance mechanisms, and the ORSA should be well integrated so that the information, analysis and results from both processes are consistent. The same is true for other processes that either feed into the ORSA or are impacted by ORSA results.
IV. Key Elements
The ORSA should contain, at a minimum, certain key elements and considerations, including:
- Comprehensive Identification and Assessment of Risks
- Relating Risk to Capital
- Monitoring and Reporting
- Internal Controls and Objective Review
There is no single correct approach to an ORSA, and one approach will not fit all insurers. Therefore, these key elements and considerations are broadly stated and it is understood that the manner in which some of these elements are integrated in an insurer’s ORSA may vary by company.
Comprehensive Identification and Assessment of Risks
An insurer’s ORSA should identify, define and assess the materiality of all known, reasonably foreseeable, emerging and other relevant risks that may have an impact on an insurer’s ability to continue operations, in both normal and stressed situations. An insurer’s identified risks are expected to evolve as its business activities and environment evolve.
The assessment should include all material risks, whether these are explicitly captured in the regulatory capital framework or not, as well as risks that are not easily quantifiable.
Some risks can be broken down into other more discrete risks and may take different forms depending on the nature of the business and activities of an insurer. The ORSA should give proper consideration to non-material risks that, when combined with other non-material risks, become material. For example, risk categorisation or breakdown should not produce a lower assessment of own capital needs than would otherwise result if related risks were combined or aggregated.
Insurers should document underlying assumptions, processes and key considerations with regard to the drivers, the assessment, measurement and mitigants in place for each risk. The appendix Supplementary Risk Considerations includes other risk identification and assessment considerations.
Relating Risk to Capital
As part of its ORSA, an insurer is expected to set Internal Targets. These should normally be determined without undue reliance on regulatory capital measures.
Before an insurer gives consideration to external constraints, Internal Targets should be, first and foremost, based on an insurer’s assessment of its own capital needs. For example, Internal Targets should normally not be determined by simply adding a margin on the Supervisory Targets. However, as stress and scenario testing should be an integral part of an insurer’s process for determining its Internal Targets, consideration of the results of these tests may cause an insurer to add explicit capital cushions/buffers to complement its initial assessment of own capital needs and set its Internal Targets so it can withstand a specified level of losses without falling below the Supervisory Targets.
Nature, Scale and Complexity
The ORSA is an internal assessment process, tailored to an insurer’s own view of its risk profile and appetite, and reflective of the nature, scale and complexity of the insurer.
Insurers are expected to use more sophisticated methods to estimate the amount of own capital needed for material complex risks they take on or are exposed to. For less material and less complex risks, or for those that are not readily quantifiable, insurers may opt for simpler quantitative analysis (e.g. generally accepted prudent factors or extremely severe but plausible deterministic stress scenarios) combined with well documented qualitative considerations, and incorporate these amounts into their overall assessment of capital adequacy.
Determining Own Capital Needs
In conducting an ORSA, insurers should determine whether or not, for each risk, an explicit amount (quantity) of capital should be held and how the results for each risk should be aggregated. In doing so, insurers’ own capital assessments will reflect their choice of data sets, distributions, measures, confidence levels, time horizons, valuation approaches, financial tools and methodologies, appropriate to their unique profile.
The approaches and tools used should be calibrated to determine the total amount of capital needed to cover extremely severe losses. Aggregated, these losses should represent the insurer’s total quantity of capital that it needs to absorb the losses and be left with an equal amount of assets and liabilities.
Insurers are expected to consider publications and professional and other research materials dealing with quantification of risks and risk mitigants such as:
- Regulators, consulting firms, professional and other associations, academia, credit rating agencies and other purveyors of research, data, models and publications relating to the measurement of risks and risk mitigants;
- Empirical data, evidence and studies of the different and varying manifestations of historical and potential new risks in different markets for similar and dissimilar business activities and products;
- Developments in the insurance, financial and other markets and their potential impact on the continued appropriateness of current measurement tools, data and assumptions used by the insurer;
- Benchmarking exercises with respect to risk measurement and mitigation tools and their results, whether in the insurance sector or in other sectors where similar risks exist.
When giving consideration to various methodologies, tools or resulting factors, insurers should consider, among other things, that these may be calibrated using a confidence level/time horizon that is different from what the insurer desires, calibrated at an unspecified confidence level/time horizon or designed for a different purpose (e.g. scenario and stress testing can be used to gain a better understanding of risks and identify potential management actions that an insurer can take or its ability to continue to meet regulatory requirements during a stressful event). In these cases, the insurer should make adjustments to the methodology, tool or resulting factor so that the ORSA results are appropriate for determining its own capital needs.
When discrete methods (e.g. sensitivity testing, statistical analysis) are used for determining own capital needs with respect to individual risks, the assessment may not identify or measure dependencies or inter-relations that cause some risks to be greater in the presence of other stresses to other risks. To complement the assessment of individual risks, other tools (e.g. stochastic models or multi-dimensional deterministic scenarios of extremely severe but plausible past, potential or theoretical events) may be used to uncover potential impacts that are due to concentrations, dependencies and interactions between risks. The appendix Supplementary Risk Considerations includes other considerations for relating risks to own capital needs.
Setting Internal Targets
Once an insurer has determined its own capital needs, these initial results should be assessed to determine if they are appropriate in relation to external or third party capital expectations, including OSFI’s expectation that Internal Targets exceed Supervisory Targets.
In setting Internal Targets, an insurer should assess the adequacy of its Capital Resources for supporting its current risk profile, and enabling it to continue its current operations in the normal course, under varying degrees of stress and under a wind-up scenario.
Therefore, in addition to the process described above to determine an insurer’s own capital needs, an insurer should also consider the impact of a range or series of adverse scenarios (e.g. an economic downturn) of varying nature or severity and its ability to avoid supervisory interventions (i.e. not fall below its Supervisory Targets) or continue as a going concern (i.e. not fall below the Minimums). The results of stress testing per OSFI’s Guideline E-18: Stress Testing, along with other single and combined forward-looking stress and reverse stress tests, including an insurer’s Dynamic Capital Adequacy Testing (DCAT) scenarios, can be directly incorporated, referenced or otherwise used in the ORSA for setting an insurer’s Internal Targets.
As outlined in OSFI’s Guideline A-4, while all insurers are expected to determine an Internal Target of total capital, life insurers are expected to also determine an Internal Target of core capital. Core capital should serve to reduce the likelihood of insolvency, both in normal times and during periods when the insurer is under stress. When setting a core capital Internal Target, a life insurer should consider its target capital composition/mix and its assessment of the characteristics and quality of Capital Resources.
With respect to Canadian branches of foreign insurers, the determination and assessment of the composition of the margin of assets over liabilities may not include all of the same considerations that are relevant for determining and assessing the quality of capital instruments needed or issued by insurers if the branch does not raise capital within Canada. However, the ORSA should include many of the same considerations with respect to the quality of the assets vested in trust in Canada and other assets under the control of the Chief Agent in Canada that support the liabilities in Canada and how these are recognized and valued for capital adequacy purposes.
Integration with Other Business Processes
The ORSA is a forward-looking process. It should be consistent with an insurer’s strategic and business planning and should contemplate the potential adverse capital impacts over an insurer’s planning horizon (e.g. 3 to 5 years). An insurer’s ORSA process should be consistent with and linked to the enterprise risk management and other management processes. For example, quantifiable estimates of risks that are used for ORSA purposes should be consistent with or feed into the decision making process and, where appropriate, have other business uses.
The assessment of adequacy of capital should also consider the capital needed to support an insurer’s longer term business strategies and, in particular, new business and planned growth. Considering this, an insurer should determine an appropriate level or range of capitalization at which it operates, set above its Internal Targets. In determining an operating level, an insurer should consider the impact of future planned, foreseen and likely potential changes to its risk profile due to changes in its operations, its business strategy or its operating environment. For example, it should consider a series of varying adverse scenarios and, at a certain operating level, assess the insurer’s ability to continue operating and not fall below its Internal Targets. It should also evaluate whether long-run Internal Targets are consistent with short-run goals, and adjust its operating levels as appropriate, recognizing that accommodating additional capital needs or additional risk mitigants can require significant lead time.
In this context, an insurer should relate its capital needs to, for example, potential changes in risks, anticipated growth, acquisitions and divestments, potential group needs and limits on fungibility/transfer of capital, plans to access external sources of capital and the level of capital desired to enable the insurer to take identified potential countervailing actions against a stress event at an acceptable cost.
All material risks, including those that are difficult to quantify in the ORSA, should be subject to internal controls. An insurer should identify relevant countervailing measures and actions that could be taken to improve its solvency position, should it be negatively impacted by economic downturns or other stress events. These may include, for example, raising additional capital, slowing or ceasing new business, entering into reinsurance arrangements, implementing changes to product pricing and/or changes to business mix.
A sound risk management and oversight process should assist an insurer in performing an effective assessment of its own capital needs, in determining its Internal Targets and in assessing the adequacy of its current and likely future solvency position. In this context, the establishment of appropriate policies, procedures, systems, controls and personnel for identifying, analysing, assessing, monitoring and measuring its risk exposures can improve the quality and effectiveness of the ORSA.
Senior Management should have a good understanding of the nature and significance of the risk exposures of the insurer, the related risk mitigants, risk management tools/techniques and oversight processes and how these relate to adequate levels of capital. Senior Management should review the appropriateness of the formality and sophistication of the methods used to quantify risks and risk mitigants as well as the risk management and reporting processes vis-à-vis the Risk Appetite Framework and the general risk profile and business plans of the insurer.
The ORSA should assist the insurer in its risk assessment, risk management and planning by exploring and assessing potential threats to an insurer’s capital and solvency positions. For example, the results of stress scenario tests should be used to identify actions that could be taken either to lessen the likelihood of such threats occurring or to mitigate the impact of an adverse scenario, should one actually occur.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of insurer Boards of Directors in regards to the management of capital and liquidity.
Monitoring and Reporting
The ORSA should be performed on a regular basis so that it continues to provide relevant information for an insurer’s management processes. It should be clearly and formally documented in a report at least annually and more often if circumstances warrant, for example when there are changes to the insurer’s risk profile or risk appetite.
The ORSA report should contain sufficient information about the process, underlying principles, methodologies, key assumptions, key sensitivity information and overall results relative to the risk appetite, strategic and operational plans and capital management framework of the insurer. The report should be used by the insurer to assess the appropriateness of the ORSA, including the overall results and the quality/composition of its capital, and confirm the insurer’s Internal Targets.
An insurer’s Senior Management should receive regular and timely reports on the insurer’s risks and capital. These reports should allow Senior Management to:
- Evaluate the level and trend of material risks and their potential effect on capital;
- Evaluate the sensitivity and reasonableness of assumptions used in the risk and capital assessment and measurement process;
- Determine that the insurer holds sufficient capital in relation to established capital adequacy targets and goals (both internal and regulatory/external);
- Evaluate the adequacy of capital using stresses and scenarios;
- Assess future capital needs (e.g. dividend plans, issuance/retirement of capital instruments and capital fungibility constraints) and make any adjustments to the insurer’s strategic, capital and other plans, as necessary.
The monitoring and reporting process should take into account the current and forecasted business environments and should, consistent with the risk and capital adequacy assessment, be adjusted when appropriate so that capital remains adequate during periods when the insurer is under stress and through entire business cycles.
Internal Controls and Objective Review
An insurer’s internal control structure is essential to the quality of its ORSA. An insurer’s Senior Management reviews the insurer’s method for monitoring and reporting on compliance with internal policies as well as the system for assessing risks and for relating risks to the insurer’s own capital needs. Senior Management should satisfy itself that the insurer’s system of internal controls continues to be adequate for well-ordered and prudent conduct of business, including the quality of its ORSA process.
An insurer should conduct regular reviews of its ORSA process for integrity, accuracy, and reasonableness. Areas that should be reviewed include, among others:
- Comprehensiveness and appropriateness of an insurer’s assessment process, given the insurer’s nature, scale and complexity, the soundness of the controls underpinning it, and OSFI’s expectations with respect to the ORSA process;
- Governance mechanisms related to the assessment and review by the insurer of group processes used in its operations, where the insurer uses a group ORSA;
- Process for identification of risks, large exposures, risk concentrations, dependencies and interactions;
- Appropriateness of the methodologies, distributions and measures and accuracy and completeness of financial and quantitative data inputs;
- Reasonableness and validity of the ORSA results, including the embedded assumptions and inputs from stress tests, scenarios, models and other methodologies and tools used in the assessment process;
- Reasonableness of the individual risk and other components and overall ORSA results;
- Consistency of the ORSA results with an insurer’s risk limits and risk appetite;
- Appropriateness of the documentation that supports the ORSA and the contents of the ORSA report;
- Effectiveness of information systems that support the ORSA;
- Consistency and linkages of the ORSA process and results with the risk management, strategic, business and capital planning processes.
The ORSA, including the ORSA report, should be subject to periodic objective reviews. The objective review may be conducted by an internal or external auditor, by a skilled and experienced internal or external resource or by a skilled and experienced individual, who reports directly to or is a member of the Board.
An objective reviewer should not be responsible for, nor have been actively involved in, the part of the ORSA that it reviews. For example, where the internal auditor is not otherwise involved in the process, the ORSA may be included in the internal audit plan so that it is covered within the audit cycle.
V. Interaction of the ORSA with the Supervisory Review
OSFI assesses capital adequacy at multiple levels. An insurer should have sufficient capital to meet Minimum and Supervisory Target regulatory capital, as well as sufficient capital to support its risk profile (i.e. Inherent and Net Risks of its significant activities and Overall Net Risk (ONR)) as determined through OSFI’s Supervisory Framework.
OSFI may review the ORSA and, upon request, the ORSA report (and/or other supporting documentation) in its assessment of the risk profile of an insurer to determine whether the ORSA is consistent with OSFI’s understanding and assessment of the insurer’s risk appetite and risk profile.
The depth and frequency of supervisory review of an insurer’s ORSA will be proportional to the nature, scale and complexity of its activities, and the risks assumed by an insurer as assessed through OSFI’s Supervisory Framework.
The supervisory review of the ORSA is not intended to prescribe how an insurer should perform, use or report on its ORSA. Rather, the review allows for dialogue on OSFI’s assessment of inherent risk, capital and Composite Risk Rating (CRR), and of an insurer’s ORSA including:
- The approach/methodology, assumptions, data and other considerations (e.g. level of confidence and rationale) supporting internal estimates of risks that are also explicitly captured in the regulatory capital guidelines;
- Risks not fully captured (e.g. concentration, contagion and aggregation of risks) and/or not explicitly captured (e.g. reputation and strategic risk) by regulatory capital guidelines;
- External factors, where not already considered in the previous points, including stress testing, impact of economic cycles and other external risks;
- The level and quality of the insurer’s capital, and the quality of the assessment by the insurer using a range of stress scenarios included or referenced in the ORSA;
- Limitations of the insurer’s ORSA;
- Other regulatory requirements and expectations or market considerations;
- Identification of best practices and potential gaps arising from a cross-sector review of ORSA;
- How and to whom ORSA related information is communicated and how ORSA issues or limitations are shared with users and appropriately elevated to relevant parties within the insurer.
In addition to quantitative efforts, OSFI understands and expects that expert judgement will be necessary to operationalize an insurer’s assessment and measurement of risks and to integrate those results into the overall assessment of own capital needs and the determination of Internal Targets. The ORSA is a process and a tool that OSFI expects will be used to support insurers’ risk and capital assessment, on-going management, governance and other decision making activities; therefore, both the quantitative and the qualitative aspects of the ORSA are equally important.
Appendix – Supplementary Risk Considerations
The risk considerations contained within this appendix do not constitute an exhaustive list of exposures and factors that insurers should consider for purposes of the ORSA and for establishing Internal Targets. Rather, they provide some examples that may be relevant for a particular insurer and that may be used when exploring and assessing risks in the context of the ORSA.
Comprehensive Identification and Assessment of Risks
Certain risks may be identified based on possible new developments or emerging trends in the internal or external environment. While some may have been reviewed and found to be non-material, others may not have yet been defined or evaluated. Also, risks that were once considered immaterial may become material as the insurer’s environment changes.
The ORSA should consider how risks may evolve and what measurement and management techniques are required for monitoring purposes.
Risk transfer/Mitigation activities
Insurers should be cognizant of any risks that may exist within certain risk transfer or risk mitigation activities (such as reinsurance, hedging or securitization transactions), and how these would behave under stress conditions. Resulting new or additional risks such as credit/counterparty and operational risk should be taken into consideration.
Cross border activities
Insurers that operate in multiple jurisdictions or otherwise engage in cross border investments and transactions with foreign counterparties may be subject to increased risk including: country risk, concentration risk, foreign currency risk (market risk) as well as regulatory, legal, compliance and operational risks. Laws and regulators’ actions in foreign jurisdictions could make it much more difficult to realize on assets and security in the event of a default.
An insurer's ORSA should consider these types of activities and assess the controls, capital or assets needed in support of the regulatory, legal and compliance risks associated with concentrations in cross border activities. If an insurer has operations in foreign jurisdictions where restrictions on fungibility or access to capital apply (or could apply), where there is potential ring-fencing of funds, or where minimum/target regulatory capital requirements exceed levels in Canada, this should also be clearly identified and taken into account in setting both group-wide capital needs and Internal Targets for individual insurers.
Relating Risk to Capital (Determining Own Capital Needs)
This guideline does not provide a list of available approaches, methodologies or tools. As a result, ORSA practices across insurers are likely to vary. For example, some insurers may:
- consider that their assessment of a material complex risk or set of risks would be best performed through the use of sophisticated internal models;
- determine that developing complex internal models for a material complex risk, although desirable, is not feasible and, as a result, select somewhat simpler, less refined approaches and compensate with more prudent assumptions that nonetheless yield reasonable estimates of own capital needs;
- expend considerable effort to develop an advanced methodology to assess a specific complex risk which they believe will give them a competitive advantage in the market and allow for improved capital allocation;
- choose to rely heavily on qualitative considerations, including expert judgement, for risks that are difficult to quantify and for which measurement results vary significantly depending on the approach and method used;
- develop complex methodologies to aggregate results and estimate the capital needs for concentrations, dependencies and risk interactions along with prudent benefits of diversification;
- choose a simple aggregation approach producing cruder results that achieve little or no diversification benefits.
Where risk aggregation/diversification adjustment benefits are applied in an insurer’s ORSA, they should be validated and calibrated by the insurer on a regular basis. Insurers should be prudent in their assessment of aggregation/diversification benefits and should consider whether such benefits exist in periods of stress. When giving consideration to the benefits of diversification, equal consideration should be given to the potential concentrations, dependencies and interactions of risks that may cause the total impact to be greater than the sum of the impact of the risks considered individually.
Concentrations, Dependencies and Interactions of Risks
Situations in which risk concentrations, dependencies and interactions can arise include, among others, exposures to:
- one or many severe or extremely severe events/scenarios and their knock-on effects;
- a series of many small events/scenarios or individual claims and their knock-on effects;
- a common cause across many underwriting years (e.g. asbestos, pollution, etc.);
- one or very few reinsurers or other counterparties, or connections between counterparties;
- one or very few products/lines of business or sources of business/assets;
- geographical regions.
Risk concentrations, dependencies and interactions can arise through a combination of exposures across these and other broad categories. An insurer should have an understanding of its insurance, market, credit and other risk concentrations, dependencies and interactions resulting from exposures within and across its different business lines.