Office of the Superintendent of Financial Institutions
This guideline sets out OSFI's expectations with respect to the Own Risk and Solvency Assessment (ORSA) of federally regulated insurers (insurer)Footnote 1.
The ORSA should reflect an insurer's own risk and solvency assessment. OSFI expects an insurer to have processes in place to conduct an ORSA that is proportionate to the nature, scale and complexity of its business and risk profile.
This guideline outlines OSFI's expectations with respect to an insurer's own assessment of its risks, capitalFootnote 2 needs and solvency position, and for setting Internal TargetsFootnote 3, based on an insurer's Own Risk and Solvency Assessment (ORSA).
The ORSA should serve as a tool to enhance an insurer's understanding of the interrelationships between its risk profile and capital needs. The ORSA should consider all reasonably foreseeable and relevant material risks, be forward-looking and be congruent with an insurer's business and strategic planning.
As the ORSA is a dynamic forward-looking process, stress and scenario testing should be an important component used in an insurer's determination of its own capital needs and as it sets and evaluates the adequacy of its Internal Targets and operating capital level throughout the business cycle.
This guideline addresses the scope of the ORSA, its relation to enterprise risk management, the role of Senior ManagementFootnote 4 and other participants in performing, monitoring, reporting or reviewing the ORSA, and other key elements of the assessment process.
OSFI, in its normal course supervisory monitoring, may review the company's ORSA including related documentation and reports. OSFI will consider this information in its assessment of inherent risks and risk management practices. OSFI does not approve an insurer's ORSA.
For further guidance and considerations about the identification, assessment, management and other aspects of risk, insurers may also consult other OSFI guidelines or publications such as: Supervisory Framework, Guidelines B-2: Large Exposure Limits, Investment Concentration Limit for Property and Casualty Insurance Companies and Guideline B-3: Sound Reinsurance Practices and Procedures.
For further guidance and considerations about stress and scenario testing, insurers may also consult sources such as OSFI's Guideline E 18: Stress Testing and actuarial standards of practice with respect to an insurer's Financial Condition Testing (FCT).
OSFI expects the ORSA to be tailored to and cover the consolidated operations of an insurer. An insurer's capital assessment should consider the risks of its domestic and foreign operations as well as group risks. It should also consider the availability of capital and assets in each jurisdiction for on-going viability and for the protection of policyholders and creditors of each insurance entity.
The ORSA can be prepared either on an individual insurer basis or on a group basis (Group ORSA). Where the Group ORSA includes, in addition to the consolidated operations of an individual insurer, the operations of other related insurers or the operations of its parent or home office, it should give adequate consideration to the business and risk profile of the individual insurer and the particular circumstances of the relevant markets in which it operates (e.g. by using relevant subsets of group data and modified methodologies, tools and/or assumptions) to yield own capital needs and Internal Targets that are appropriate for the individual insurer. The components of the Group ORSA that are used in or otherwise support an individual insurer's ORSA should be consistent with the expectations of this guideline.
When an insurer's business and risk profiles or circumstances are not adequately reflected in a Group ORSA, or its own capital needs and Internal Targets are not adequately determined or supported using a Group ORSA, OSFI expects the insurer to have a separate ORSA that covers only the consolidated operations of the insurer and not the operations of its parent, home office or other related insurers.
In conducting its ORSA, an insurer should determine its own capital needs and establish its Internal Targets based on an internal assessment of all material risks, including the results of the enterprise risk management processFootnote 5. The existence of a robust enterprise risk management framework enhances the ability of an insurer to effectively reflect risks in its ORSA.
Enterprise risk management, along with related controls and governance mechanisms, and the ORSA should be well integrated so that the information, analysis and results from both processes are consistent. The same is true for other processes that either feed into the ORSA or are impacted by ORSA results.
The ORSA should contain, at a minimum, certain key elements and considerations, including:
There is no single correct approach to an ORSA, and one approach will not fit all insurers. Therefore, these key elements and considerations are broadly stated and it is understood that the manner with which some of these elements are integrated in an insurer's ORSA may vary by company.
An insurer's ORSA should identify, define and assess the materiality of all known, reasonably foreseeable, emerging and other relevant risks that may have an impact on an insurer's ability to continue operations, in both normal and stressed situations. An insurer's identified risks are expected to evolve as its business activities and environment evolve.
The assessment should include all material risks, whether these are explicitly captured in the regulatory capital framework or not, as well as risks that are not easily quantifiable.
Some risks can be broken down into other more discrete risks and may take different forms depending on the nature of the business and activities of an insurer. The ORSA should give proper consideration to non-material risks that, when combined with other non-material risks, become material. For example, risk categorisation or break down should not produce a lower assessment of own capital needs that would otherwise result if related risks were combined or aggregated.
Insurers should document underlying assumptions, processes and key considerations with regard to the drivers, the assessment, measurement and mitigants in place for each risk. The appendix Supplementary Risk Considerations includes other risk identification and assessment considerations.
As part of its ORSA, an insurer is expected to set Internal Targets. These should normally be determined without undue reliance on regulatory capital measures.
Before an insurer gives consideration to external constraints, Internal Targets should be, first and foremost, based on an insurer's assessment of its own capital needs. For example, Internal Targets should normally not be determined by simply adding a margin on the Supervisory Targets. However, as stress and scenario testing should be an integral part of an insurer's process for determining its Internal Targets, consideration of the results of these tests may cause an insurer to add explicit capital cushions/buffers to complement its initial assessment of own capital needs and set its Internal Targets so it can withstand a specified level of losses without falling below the Supervisory TargetsFootnote 6.
The ORSA is an internal assessment process, tailored to an insurer's own view of its risk profile and appetite, and reflective of the nature, scale and complexity of the insurer.
Insurers are expected to use more sophisticated methods to estimate the amount of own capital needed for material complex risks they take on or are exposed to. For less material and less complex risks, or for those that are not readily quantifiable, insurers may opt for simpler quantitative analysis (e.g. generally accepted prudent factors or extremely severe but plausible deterministic stress scenarios) combined with well documented qualitative considerations, and incorporate these amounts into their overall assessment of capital adequacy.
In conducting an ORSA, insurers should determine whether or not, for each risk, an explicit amount (quantity) of capital should be held and how the results for each risk should be aggregated. In doing so, insurers' own capital assessments will reflect their choice of data sets, distributions, measures, confidence levels, time horizons, valuation approaches, financial tools and methodologies, appropriate to their unique profile.
The approaches and tools used should be calibrated to determine the total amount of capital needed to cover extremely severe losses. Aggregated, these losses should represent the insurer's total quantity of capital that it needs to absorb the losses and be left with an equal amount of assets and liabilities.
Insurers are expected to consider publications and professional and other research materials dealing with quantification of risks and risk mitigants such as:
When giving consideration to various methodologies, tools or resulting factors, insurers should consider, among other things, that these may be calibrated using a confidence level/time horizon that is different from what the insurer desires, calibrated at an unspecified confidence level/time horizon or designed for a different purpose (e.g. scenario and stress testing can be used to gain a better understanding of risks and identify potential management actions that an insurer can take or its ability to continue to meet regulatory requirements during a stressful event). In these cases, the insurer should make adjustments to the methodology, tool or resulting factor so that the ORSA results are appropriate for determining its own capital needs.
When discrete methods (e.g. sensitivity testing, statistical analysis) are used for determining own capital needs with respect to individual risks, the assessment may not identify or measure dependencies or inter-relations that cause some risks to be greater in the presence of other stresses to other risks. To complement the assessment of individual risks, other tools (e.g. stochastic models or multi-dimensional deterministic scenarios of extremely severe but plausible past, potential or theoretical events) may be used to uncover potential impacts that are due to concentrations, dependencies and interactions between risks. The appendix Supplementary Risk Considerations includes other considerations for relating risks to own capital needs.
Once an insurer has determined its own capital needs, these initial results should be assessed to determine if they are appropriate in relation to external or third party capital expectationsFootnote 7, including OSFI's expectation that Internal Targets exceed Supervisory TargetsFootnote 8.
In setting Internal Targets, an insurer should assess the adequacy of its Capital Resources for supporting its current risk profile, and enabling it to continue its current operationsFootnote 9 in the normal course, under varying degrees of stress and under a wind-up scenario.
Therefore, in addition to the process described above to determine an insurer's own capital needs, an insurer should also consider the impact of a range or series of adverse scenarios (e.g. an economic downturn) of varying nature or severity and its ability to avoid supervisory interventions (i.e. not fall below its Supervisory Targets) or continue as a going concern (i.e. not fall below the MinimumsFootnote 10). The results of stress testing per OSFI's Guideline E-18: Stress Testing, along with other single and combined forward-looking stress and reverse stress tests, including an insurer's Financial Condition Testing (FCT) scenarios, can be directly incorporated, referenced or otherwise used in the ORSA for setting an insurer's Internal Targets.
As outlined in OSFI's Guideline A-4, while all insurers are expected to determine an Internal Target of total capital, life insurers are expected to also determine an Internal Target of core capital. Core capital should serve to reduce the likelihood of insolvency, both in normal times and during periods when the insurer is under stress. When setting a core capital Internal Target, a life insurer should consider its target capital composition/mix and its assessment of the characteristics and quality of Capital Resources.
With respect to Canadian branches of foreign insurers, the determination and assessment of the composition of the margin of assets over liabilities may not include all of the same considerations that are relevant for determining and assessing the quality of capital instruments needed or issued by insurers if the branch does not raise capital within Canada. However, the ORSA should include many of the same considerations with respect to the quality of the assets vested in trust in Canada and other assets under the control of the Chief Agent in Canada that support the liabilities in Canada and how these are recognized and valued for capital adequacy purposes.
The ORSA is a forward-looking process. It should be consistent with an insurer's strategic and business planning and should contemplate the potential adverse capital impacts over an insurer's planning horizon (e.g. 3 to 5 years). An insurer's ORSA process should be consistent with and linked to the enterprise risk management and other management processes. For example, quantifiable estimates of risks that are used for ORSA purposes should be consistent with or feed into the decision making process and, where appropriate, have other business uses.
The assessment of adequacy of capital should also consider the capital needed to support an insurer's longer term business strategies and, in particular, new business and planned growth. Considering this, an insurer should determine an appropriate level or range of capitalization at which it operates, set above its Internal Targets. In determining an operating level, an insurer should consider the impact of future planned, foreseen and likely potential changes to its risk profile due to changes in its operations, its business strategy or its operating environment. For example, it should consider a series of varying adverse scenarios and, at a certain operating level, assess the insurer's ability to continue operating and not fall below its Internal Targets. It should also evaluate whether long-run Internal Targets are consistent with short-run goals, and adjust its operating levels as appropriate; recognizing that accommodating additional capital needs or additional risk mitigants can require significant lead time.
In this context, an insurer should relate its capital needs to, for example, potential changes in risks, anticipated growth, acquisitions and divestments, potential group needs and limits on fungibility/transfer of capital, plans to access external sources of capital and the level of capital desired to enable the insurer to take identified potential countervailing actions against a stress event at an acceptable cost.
All material risks, including those that are difficult to quantify in the ORSA, should be subject to internal controls. An insurer should identify relevant countervailing measures and actions that could be taken to improve its solvency position, should it be negatively impacted by economic downturns or other stress events. These may include, for example, raising additional capital, slowing or ceasing new business, entering into reinsurance arrangements, implementing changes to product pricing and/or changes to business mix.
A sound risk management and oversight process should assist an insurer in performing an effective assessment of its own capital needs, in determining its Internal Targets and in assessing the adequacy of its current and likely future solvency position. In this context, the establishment of appropriate policies, procedures, systems, controls and personnel for identifying, analysing, assessing, monitoring and measuring its risk exposures can improve the quality and effectiveness of the ORSA.
Senior Management should have a good understanding of the nature and significance of the risk exposures of the insurer, the related risk mitigants, risk management tools/techniques and oversight processes and how these relate to adequate levels of capital. Senior Management should review the appropriateness of the formality and sophistication of the methods used to quantify risks and risk mitigants as well as the risk management and reporting processes vis-à-vis the Risk Appetite FrameworkFootnote 11 and the general risk profile and business plans of the insurer.
The ORSA should assist the insurer in its risk assessment, risk management and planning by exploring and assessing potential threats to an insurer's capital and solvency positions. For example, the results of stress scenario tests should be used to identify actions that could be taken either to lessen the likelihood of such threats occurring or to mitigate the impact of an adverse scenario, should one actually occur.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of insurer Boards of Directors in regards to operational, business, risk and crisis management policies.
The ORSA should be performed on a regular basis so that it continues to provide relevant information for an insurer's management processes. It should be clearly and formally documented in a report at least annually and more often if circumstances warrant, for example when there are changes to the insurer's risk profile or risk appetite.
The ORSA report should contain sufficient information about the process, underlying principles, methodologies, key assumptions, key sensitivity information and overall results relative to the risk appetite, strategic and operational plans and capital management framework of the insurer. The report should be used by the insurer to assess the appropriateness of the ORSA, including the overall results and the quality/composition of its capital, and confirm the insurer's Internal Targets.
An insurer's Senior Management should receive regular and timely reports on the insurer's risks and capital. These reports should allow Senior Management to:
The monitoring and reporting process should take into account the current and forecasted business environments and should, consistent with the risk and capital adequacy assessment, be adjusted when appropriate so that capital remains adequate during periods when the insurer is under stress and through entire business cycles.
An insurer's internal control structure is essential to the quality of its ORSA. An insurer's Senior Management reviews the insurer's method for monitoring and reporting on compliance with internal policies as well as the system for assessing risks and for relating risks to the insurer's own capital needs. Senior Management should satisfy itself that the insurer's system of internal controls continues to be adequate for well-ordered and prudent conduct of business, including the quality of its ORSA process.
An insurer should conduct regular reviews of its ORSA process for integrity, accuracy, and reasonableness. Areas that should be reviewed include, among others:
The ORSA, including the ORSA report, should be subject to periodic objective reviews. The objective review may be conducted by an internal or external auditor, by a skilled and experienced internal or external resource or by a skilled and experienced individual, who reports directly to or is a member of the Board.
An objective reviewer should not be responsible for nor have been actively involved in the part of the ORSA that it reviews. For example, where the internal auditor is not otherwise involved in the process, the ORSA may be included in the internal audit plan so that it is covered within the audit cycle.Footnote 12
OSFI assesses capital adequacy at multiple levels. An insurer should have sufficient capital to meet Minimum and Supervisory Target regulatory capital, as well as sufficient capital to support its risk profile, (i.e. Inherent and Net Risks of its significant activities and Overall Net Risk (ONR)) as determined through the OSFI's Supervisory Framework.
OSFI may review the ORSA and, upon request, the ORSA report (and/or other supporting documentation) in its assessment of the risk profile of an insurer to determine whether the ORSA is consistent with OSFI's understanding and assessment of the insurer's risk appetite and risk profile.
The depth and frequency of supervisory review of an insurer's ORSA will be proportional to the nature, scale and complexity of its activities, and the risks assumed by an insurer as assessed through OSFI's Supervisory Framework.
The supervisory review of the ORSA is not intended to prescribe how an insurer should perform, use or report on its ORSA. Rather, the review allows for dialogue on OSFI's assessment of inherent risk, capital and Composite Risk Rating (CRR), and of an insurer's ORSA including:
In addition to quantitative efforts, OSFI understands and expects that expert judgement will be necessary to operationalize an insurer's assessment and measurement of risks and to integrate those results into the overall assessment of own capital needs and the determination of Internal Targets. The ORSA is a process and a tool that OSFI expects will be used to support insurers risk and capital assessment, on-going management, governance and other decision making activities; therefore, both the quantitative and the qualitative aspects of the ORSA are equally important.
The risk considerations contained within this appendix do not constitute an exhaustive list of exposures and factors that insurers should consider for purposes of the ORSA and for establishing Internal Targets. Rather, they provide some examples that may be relevant for a particular insurer and that may be used when exploring and assessing risks in the context of the ORSA.
Certain risks may be identified based on possible new developments or emerging trends in the internal or external environment. While some may have been reviewed and found to be non-material, others may not have yet been defined or evaluated. Also, risks that were once considered immaterial may become material as the insurer's environment changes.
The ORSA should consider how risks may evolve and what measurement and management techniques are required for monitoring purposes.
Insurers should be cognizant of any risks that may exist within certain risk transfer or risk mitigation activities (such as reinsurance, hedging or securitization transactions), and how these would behave under stress conditions. Resulting new or additional risks such as credit/counterparty and operational risk should be taken into consideration.
Insurers that operate in multiple jurisdictions or otherwise engage in cross border investments and transactions with foreign counterparties may be subject to increased risk including: country risk, concentration risk, foreign currency risk (market risk) as well as regulatory, legal, compliance and operational risks. Laws and regulators' actions in foreign jurisdictions could make it much more difficult to realize on assets and security in the event of a default.
An insurer's ORSA should consider these types of activities and assess the controls, capital or assets needed in support of the regulatory, legal and compliance risks associated with concentrations in cross border activities. If an insurer has operations in foreign jurisdictions where restrictions on fungibility or access to capital apply (or could apply), where there is potential ring-fencing of funds, or where minimum/target regulatory capital requirements exceed levels in Canada, this should also be clearly identified and taken into account in setting both group-wide capital needs and Internal Targets for individual insurers.
This guideline does not provide a list of available approaches, methodologies or tools. As a result ORSA practices across insurers are likely to vary. For example, some insurers may:
Where risk aggregation/diversification adjustment benefits are applied in an insurer's ORSA, they should be validated and calibrated by the insurer on a regular basis. Insurers should be prudent in their assessment of aggregation/diversification benefits and should consider whether such benefits exist in periods of stress. When giving consideration to the benefits of diversification, equal consideration should be given to the potential concentrations, dependencies and interactions of risks that may cause the total impact to be greater than the sum of the impact of the risks considered individually.
Situations in which risk concentrations, dependencies and interactions can arise include, among others, exposures to:
Risk concentrations, dependencies and interactions can arise through a combination of exposures across these and other broad categories. An insurer should have an understanding of its insurance, market, credit and other risk concentrations, dependencies and interactions resulting from exposures within and across its different business lines.
Insurer refers to federally regulated insurers including Canadian branches of foreign life and property and casualty companies, fraternal benefit societies, regulated insurance holding companies and non-operating insurance companies.
Return to footnote 1 referrer
With respect to Canadian branches of foreign insurers, the term "capital" in this guideline includes the parallel concept of "margin of assets over liabilities".
Return to footnote 2 referrer
Guideline A-4: Regulatory Capital and Internal Capital Targets outlines OSFI's expectations with respect to Internal Targets.
Return to footnote 3 referrer
For foreign company branches, OSFI looks to Branch Management to oversee operations in Canada.
Return to footnote 4 referrer
For further guidance on enterprise risk management, refer to OSFI's sound business and financial practices guideline: Corporate Governance.
Return to footnote 5 referrer
Supervisory Target capital levels are not applicable to regulated insurance holding companies and non-operating insurance companies.
Return to footnote 6 referrer
For example: securities, insurance or other regulators and credit rating agencies.
Return to footnote 7 referrer
As outlined in Guideline A-4: Regulatory Capital and Internal Capital Targets.
Return to footnote 8 referrer
In determining capital needed to support an insurer's current risk profile and for continuing its current operations, it is expected that an insurer would, for example, assume that its current capital needs include any amount required to support short-term insurance contract renewals at the current business level.
Return to footnote 9
As defined in Guideline A-4: Regulatory Capital and Internal Capital Targets.
Return to footnote 10 referrer
Refer to OSFI's Corporate Governance Guideline for additional guidance in this area.
Return to footnote 11 referrer
OSFI may request that a report by an objective reviewer be prepared and made available at a specific date so it can be included in a planned review of an insurer's ORSA.
Return to footnote 12 referrer