The supervisor requires the insurer to establish within its risk management system an enterprise risk management (ERM) framework for solvency purposes to identify, measure, report and manage the insurer’s risks in an ongoing and integrated manner.
ERM for solvency purposes is the coordination of risk management, strategic planning, capital adequacy, and financial efficiency in order to enhance sound operation of the insurer and ensure the adequate protection of policyholders. Capital adequacy measures the insurer’s assessment of residual risk of its business, after overlaying the mitigating financial effect of the insurer’s established risk management system. Any decision affecting risk management, strategic planning or capital would likely necessitate a compensating change in one or both of the other two. Successful implementation of ERM for solvency purposes results in enhanced insight into an insurer’s risk profile and solvency position that promotes an insurer’s risk culture, earnings stability, sustained profitability, and long-term viability, as well as the insurer’s ability to meet obligations to policyholders. Collectively practiced in the industry, ERM for solvency purposes supports the operation and financial condition of the insurance sector. These aspects of ERM should therefore be encouraged from a prudential standpoint.
The ERM framework for solvency purposes (ERM framework) is an integrated set of strategies, policies and processes, established by the insurer for an effective implementation of ERM for solvency purposes.
- Risk identification (including group risk and relationship between risks);
- Quantitative techniques to measure risk;
- Inter-relationship of risk appetite, risk limits and capital adequacy;
- Risk appetite statement;
- Asset-liability management, investment, underwriting and liquidity risk management policies;
- Own risk and solvency assessment (ORSA); and
- Recovery planning.
The ERM framework should be integrated within the insurer’s risk management system (see ICP 8 Risk Management and Internal Controls).
The ERM framework should enhance an insurer’s understanding of material risk types, their characteristics, interdependencies, and the sources of the risks, as well as their potential aggregated financial impact on the business for a holistic view of risk at enterprise level. Senior Management should exhibit an understanding of the insurer’s enterprise risk issues and show a willingness and ability to address those issues. A fundamental aspect of ERM is the development and execution of a consistent, transparent, deliberate, and systematic approach to manage risks, both individually and in aggregate, on an ongoing basis to maintain solvency and operation within the risk appetite and risk limits. ERM should be embedded in an insurer’s corporate culture to ensure that the whole organisation contributes to risk awareness, feedback loops and coordinated responses to risk management needs.
The objective of ERM is not to eliminate risk. Rather, it is to manage risks within a framework that includes self-imposed limits. In setting limits for risk, the insurer should consider its solvency position and its risk appetite. Risk limits should be set after careful consideration of strategic objectives, business plans and circumstances and should take into account the projected outcomes of scenarios run using a range of plausible future business assumptions which reflect sufficiently adverse scenarios. A risk limits structure is used to establish guardrails on an insurer’s risk profile to optimise its returns without endangering the ability of the insurer to meet its commitments to policyholders.
Some insurers may utilise internal models as part of their ERM process in order to generate sophisticated risk metrics to inform management actions and capital needs. Internal models may enhance risk management and embed risk culture in the insurer. They may provide a common measurement basis across all risks (eg same methodology, time horizon, risk measure, level of confidence) and strengthened risk-based strategic decision-making across the organisation. Such an approach typically adopts a total balance sheet approach whereby the impact of the totality of material risks is fully recognised on an economic basis. A total balance sheet approach reflects the interdependence between assets, liabilities, capital requirements and capital resources, and identifies the capital allocation sufficient to protect the insurer and its policyholders, as well as to improve capital efficiency.
The insurer should have adequate governance and internal controls in place for models used in the ERM framework. The calculation of risk metrics should be transparent, supportable, and repeatable.
An insurer should have contingency plans that describe in advance the necessary actions and resources to limit business disruption and losses resulting from an adverse financial event (such as risk exposures exceeding risk limits), or an operational event (such as a natural disaster). Contingency planning may include a recovery plan, when deemed necessary.
The supervisor requires the insurer’s ERM framework to provide for the identification of all reasonably foreseeable and relevant material risks and risk interdependencies for risk and capital management.
The scope of risk identification and analysis of risk interdependencies should cover, at least: insurance risk, market risk, credit risk, concentration risk, operational risk and liquidity risk. Other risks may be included, such as conduct risk, legal risk, political risk, reputational risk, strategic risk and group risk.
An insurer should consider the sources of different risks and their impacts and assess the relationship between risk exposures. By doing so, an insurer can better identify both strengths and weaknesses in governance, control functions and business units. The insurer should use and improve risk management policies, techniques and practices and change its organisational structure to make these improvements where necessary. The insurer should also assess external risk factors which, if they were to crystallise, could pose a significant threat to its business.
In assessing the relationship between risk exposures, consideration should be given to correlations between the tails of risk profiles. For example, risks that show no strong dependence under normal economic conditions (such as catastrophe risks and market risks) could be more correlated in a stress situation.
Assessments of risk exposures should consider macroeconomic exposures. For example, an insurer should consider interdependencies between guarantees and options embedded in its products, the assets backing those products, financial markets and the real economy.
Sources of risks may include catastrophes, downgrades from rating agencies or other events that may have an adverse impact on the insurer’s financial condition and reputation. These events can result, for example, in an unexpected level of claims, collateral calls or policyholder terminations and may lead to serious liquidity issues. The ERM framework should adequately address the insurer’s options for responding to such events.
Group risk is the risk that the financial condition of a group or a legal entity within the group may be adversely affected by a group-wide event, an event in a legal entity, or an event external to the group. Such an event may either be financial or non-financial (such as a restructuring).
Group risk may arise, for example, through contagion, leveraging, double or multiple gearing, concentrations, large exposures and complexity. Participations, loans, guarantees, risk transfers, liquidity, outsourcing arrangements and off-balance sheet exposures may all give rise to group risk. Many of these risks may be borne by stand-alone insurance legal entities and are not specific to being a legal entity that is part of a group. However, the inter-relationships among legal entities within a group including aspects of control, influence and interdependence alter the impact of risks on the legal entities and should therefore be taken into account in managing the risks of an insurance legal entity within the insurance group and in managing the risks of that insurance group as a whole.
The ERM framework of an insurance group should address the direct and indirect interrelationships between legal entities within the insurance group. The more clearly-defined and understood such relationships are, the more accurately they can be allowed for in the group-wide solvency assessment. For example, legally enforceable capital and risk transfer instruments between legal entities within a group may help with the effectiveness of its ERM framework for group-wide solvency assessment purposes. To be effective, the management of insurance group risk should take into account risks arising from all parts of an insurance group, including non-insurance legal entities (regulated or unregulated) and partly-owned entities.
Assumptions that are implicit in the solvency assessment of an insurance legal entity may not apply at an insurance group level because of separation of legal entities within the insurance group. For example, there may be few, if any, constraints on the fungibility of capital and the transferability of assets within an individual insurance legal entity. However, such constraints may feature much more prominently for an insurance group and may restrict the degree to which benefits of diversification of risks across the group can be shared among legal entities within the insurance group. Such constraints should be taken into account in both the insurance group’s and the insurance legal entity’s ERM frameworks.
- the group-wide ERM framework to be as consistent as possible across its legal entities; and
- material differences in the group-wide ERM framework to be transparent and explicitly linked to legal and supervisory requirements in the jurisdictions where the IAIG operates, and the risks associated with business conducted in those jurisdictions.
- insurance risk;
- market risk;
- credit risk;
- liquidity risk;
- concentration risk;
- operational risk;
- group risk; and
- strategic risk.
While these risks should be recognised and managed in the group-wide ERM framework, each risk category does not have to be managed separately. Some risk types, such as strategic or concentration risk, may be included in other risk categories.
- the mechanisms to keep track of intra-group transactions that are of substantial importance to, and have a significant consequence for, the IAIG;
- the risks arising from intra-group transactions; and
- the qualitative and quantitative restrictions on such risks.
- loans;
- guarantees;
- issuance of contingent capital;
- payment of dividends;
- cost sharing structures;
- service contracts;
- management arrangements and outsourcing;
- reinsurance;
- transactions across different financial services entities within the IAIG; and
- equity holdings.
- fungibility of capital and transferability of assets (such as capital or equity injections from one legal entity into another);
- currency effects such as if there are cost sharing or service contracts between legal entities located in different jurisdictions;
- correlation or concentration of risk;
- practical issues, including the time needed to reallocate risk and risk mitigants among legal entities; and
- contagion risk within the group.
The IAIG should take account of, the risk of support being withdrawn from one part of the IAIG to another due to adverse publicity, poor results, operational inefficiencies, or supervisory measures.
The group-wide ERM framework should address any financial or other activities (eg maturity transformation, securities lending) being undertaken by individual legal entities that may change the risk profile of the group. For example, in securities lending transactions, the group-wide ERM framework may provide that high quality assets not be swapped with low quality assets, that appropriate arrangements for the provisioning of collateral are in place, or that the maturity of the swapped assets does not significantly alter the risk profile of the IAIG.
- provide for the quantification of risk and risk interdependencies under a sufficiently wide range of techniques for risk and capital management; and
- as necessary, include the performance of stress testing to assess the resilience of its total balance sheet against macroeconomic stresses.
The level of risk is a combination of the impact that the risk will have on the insurer and the probability of that risk materialising. The insurer should assess regularly the level of risk it bears by using appropriate forward-looking quantitative techniques (such as risk modelling, stress testing, including reverse stress testing, and scenario analysis). An appropriate range of adverse circumstances and events should be considered, including those that pose a significant threat to the financial condition of the insurer, and management actions should be identified together with the appropriate timing of those actions. Risk measurement techniques may also be used in developing long-term business and contingency plans.
Different approaches to measuring risk may be appropriate depending on the nature, scale and complexity of a risk and the availability of reliable data on the behaviour of that risk. For example, a low frequency but high impact risk where there is limited data (such as catastrophe risk) may require a different approach from a high frequency, low impact risk for which there is substantial amounts of experience data available. Stochastic risk modelling may be appropriate to measure some risks (such as non-life catastrophe), whereas relatively simple calculations may be appropriate in other circumstances.
The measurement of risks should be based on a consistent economic assessment of the total balance sheet as appropriate to ensure that appropriate risk management actions are taken. In principle, an insurer’s ERM framework should take into consideration the distribution of future cash flows to measure the level of risks. The insurer should be careful not to base decisions purely on accounting or regulatory measures that involve non-economic considerations and conventions although the constraints on cash flows that they represent should be taken into account.
An insurance group should clarify whether data used in risk assessments is based on a consolidated, aggregated or other method. The insurance group should take into account the implications and inherent risks of the selected methodology when developing its ERM framework. For example, intra-group transactions may be eliminated in consolidation and thus may not be reflected in the consolidated financial statement of the insurance group at the top level. In using the consolidation basis for the ERM framework, the insurance group may be able to account, and take credit, for diversification of risk. Conversely, using another aggregation method may facilitate a more granular recognition of risk.
Measurement of risks undertaken at different valuation dates should be produced on a broadly consistent basis overall, which may make variations in results easier to explain. Such analysis also aids the insurer in prioritising its risk management.
Regardless of how sophisticated they are, models cannot exactly replicate the real world. Risks associated with the use of models (modelling and parameter risk), if not explicitly quantified, should be acknowledged and understood as the insurer implements its ERM framework, including by the insurer’s Board and Senior Management.
Models may be external or internal. External models may be used to assess catastrophes or market risks. Internal models may be developed by an insurer to assess specific material risks or to assess its risks overall.
Internal models can play an important role in facilitating the risk management process and the supervisor should encourage insurers to make use of such models for parts or all of their business, where it is appropriate.
An insurer may consider that the assessment of current financial resources and the calculation of regulatory capital requirements would be better achieved through the use of internal models, where permitted.
If used, an internal model may provide an important strategic and operational decision-making tool and should be used to enable the insurer to integrate its risk and capital management processes. In particular, the internal model used for ORSA should be consistent with models for other processes within the ERM framework. These include: assessment of the risks faced within the insurer’s business; construction of risk limits structure; and the determination of the economic capital needed, where appropriate, to meet those risks.
To be effective, an internal model should address all the identified risks within its scope, and their interdependencies, and assess their potential impact on the insurer’s business given the possible situations that could occur. The methods by which this analysis could be conducted range from simple stress testing of events to more complex stochastic modelling, as appropriate.
The insurer’s internal model should be calibrated on the basis of defined modelling criteria that the insurer believes will determine the level of capital appropriate and sufficient to meet its business plan and strategic objectives. These modelling criteria may include the basis for valuation of the assets and liabilities, the confidence level, risk measure and time horizon, as well as other business objectives (for example, aiming to achieve a certain minimum investment rating).
In constructing its internal model, an insurer should adopt risk modelling techniques and approaches that are appropriate to its risk strategy and business plans. An insurer may consider various inputs to the modelling process, such as economic scenarios, asset portfolios and liabilities from in-force or past business, and regulatory constraints on the transfer of assets.
An internal model used to determine economic capital may enable the insurer to allocate sufficient financial resources to ensure it continues to meet its policyholder liabilities as they fall due, at a confidence level appropriate to its business objectives. To fully assess policyholder liabilities in this way, all liabilities that should be met to avoid putting policyholder interests at risk need to be considered, including any liabilities for which a default in payment could trigger the winding up of the insurer.
If an insurer uses its own internal model as part of its risk and capital management processes, the insurer should validate it and review it on a regular basis. Validation should be carried out by suitably experienced individuals in a different department or persons other than those who created the internal model, in order to facilitate independence. The insurer may wish to consider an external review of its internal model by appropriate specialists; for example, if the internal review cannot be performed with sufficient independence, an external review may be warranted.
Where a risk is not readily quantifiable (for instance some operational risks or where there is an impact on the insurer’s reputation), the insurer should make a qualitative assessment that is appropriate to that risk and sufficiently detailed to be useful for risk management. The insurer should analyse the controls needed to manage such risks to ensure that its risk assessments are reliable and consider events that may result in high operational costs or operational failure. Such analysis should inform the insurer’s judgments in assessing the size of the risks and enhancing overall risk management.
It may be appropriate for internal models to be used for a group even where the use of an internal model is not an approach appropriate at the insurance legal entity level due to, for example, lack of sufficient data.
The group-wide supervisor requires the Head of the IAIG to ensure that the IAIG measures all reasonably foreseeable, quantifiable, and relevant material risks using an economic capital model taking into account the risks that the IAIG faces in different sectors, jurisdictions and economic environments.
The IAIG should prioritise its risks in a consistent and reliable manner using appropriate means, including the use of an economic capital model.
The economic capital model should be based on techniques that estimate the amount of capital needed in reasonably foreseeable adverse situations to which the IAIG is or may be exposed. The economic capital model, in conjunction with other relevant capital measures (for example, regulatory capital requirements), should support major management decisions by focusing attention on capital adequacy.
The IAIG should consider the output of its economic capital model and regulatory capital requirements as inputs to its capital planning, which covers at least the IAIG’s business planning period.
Stress testing measures the financial impact of stressing one or more factors which could severely affect the insurer. Scenario analysis considers the impact of a combination of circumstances to reflect historical or other scenarios which are analysed in the light of current conditions. Scenario analysis may be conducted deterministically using a range of specified scenarios or stochastically, using models to simulate many possible scenarios, to derive statistical distributions of the results.
Stress testing and scenario analysis should be carried out by the insurer to validate and understand the limitations of its models. They may also be used to complement the use of models for risks that are difficult to model or where the use of a model may not be appropriate from a cost-benefit perspective. For example, these techniques can be used to investigate the effect of proposed management actions.
Scenario analysis may be particularly useful as an aid to communicate risk management issues to the Board, Senior Management, business units and control functions. As such, scenario analysis can facilitate the integration of the insurer’s ERM framework within its business operations and establish a sound risk culture.
Reverse stress testing may help identify scenarios that could result in failure or cause the financial position of an insurer to fall below a predefined level. While some risk of failure is always present, such an approach may help to ensure adequate focus on the management actions that are appropriate to avoid undue risk of business failure. The focus of such reverse stress testing is on appropriate risk management actions rather than the assessment of its financial condition and so may be largely qualitative in nature although broad assessment of associated financial impacts may help in deciding the appropriate action to take.
Stress testing is intended to serve the insurer as an aid to sound risk management, including by identifying residual macroeconomic exposure.
- savings-oriented products (or protection-oriented products with a savings component) that offer unmatched guarantees on policyholders’ premium payments, often combined with embedded options for policyholders;
- products embedding features such as automatic asset sales triggered by asset value decreases or that require dynamic hedging; and
- derivatives contracts such as financial guarantee products including credit default swaps (CDS) that are not used to hedge risk.
- the nature, scale and complexity of: the insurer, its activities, business model and products, including the characteristics of the guarantees it provides;
- the characteristics of any automatic asset reallocation mechanisms;
- the use of dynamic hedging and the extent to which such guarantees are matched or hedged; and
- its activity in derivatives markets.
The risks identified and the techniques that are appropriate and adequate for measuring them (including stress testing, scenario analysis, risk modelling and reverse stress testing) may differ at insurance group and insurance legal entity level. Where an insurance legal entity’s ERM framework is an integral part of the insurance group’s ERM framework, the techniques used to measure risks at group level should consider those that are appropriate and adequate at the insurance legal entity level.
- stress and reverse stress testing and scenario analysis the IAIG deems relevant to its risk profile; and
- the resilience of its total balance sheet against macroeconomic stresses.
Stresses should include (but may not be limited to) those in the risk transfer markets that may have an adverse effect on the IAIG’s risk profile. For example, when developing its scenarios for stress testing, the IAIG should consider reinsurance capacity and related risk transfer costs in future periods after a catastrophic event.
The IAIG’s assessment of macroeconomic stresses should pay particular attention to the impact of stresses on the value of guarantees and options embedded in insurance products and on the assets backing them.
The group-wide supervisor requires the group-wide ERM framework to be independently reviewed at least once every three years, in order to ascertain that it remains fit for purpose.
The group-wide ERM framework review may be carried out by an internal or external body as long as the reviewer is independent and not responsible for, nor been actively involved in, the part of the group-wide ERM framework that it reviews.
It may be necessary for the IAIG to perform an ad hoc review after a major change has occurred, such as a change in its risk profile, structure or business strategy.
The supervisor requires the insurer’s ERM framework to reflect the relationship between the insurer’s risk appetite, risk limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk.
An insurer's ERM framework should reflect how its risk management coordinates with strategic planning and its management of capital (regulatory capital requirement and economic capital).
As an integral part of its ERM framework, an insurer should also reflect how its risk management links with corporate objectives, strategy and current circumstances to maintain capital adequacy and solvency and to operate within the risk appetite and risk limits described in the risk appetite statement.
An insurer’s ERM framework should use reasonably long time horizon, consistent with the nature of the insurer’s risks and the business planning horizon, so that it maintains relevance to the insurer's business going forward. This can be done by using methods (such as scenario models) that produce a range of outcomes based on plausible future business assumptions which reflect sufficiently adverse scenarios. The analysis of these outcomes may help the Board and Senior Management in strategic business planning.
Risks should be monitored and reported to the Board and Senior Management, in a regular and timely manner, so that they are fully aware of the insurer's risk profile and how it is evolving and make effective decisions on risk appetite and capital management.
Where internal models are used for business forecasting, the insurer should perform back-testing, to the extent practicable, to validate the accuracy of the model over time.
- reflect the insurer’s risk limits structure;
- play a role in mitigating risk; and
- impact the insurer’s capital requirements.
- articulates the aggregate level and types of risk the insurer is willing to assume within its risk capacity to achieve its financial and strategic objectives, and business plan;
- takes into account all relevant and material categories of risk and their interdependencies within the insurer’s current and target risk profiles; and
- is operationalised in its business strategy and day-to-day operations through a more granular risk limits structure.
An insurer’s risk appetite statement should include qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.
- complement quantitative measures;
- set the overall tone for the insurer’s approach to risk taking; and
- articulate clearly the motivations for taking on or avoiding certain types of risks, products, jurisdictional/regional exposures, or other categories.
Risk appetite may not necessarily be expressed in a single document. However the way it is expressed should provide the insurer’s Board with a coherent and holistic, yet concise and easily understood, view of the insurer’s risk appetite.
The supervisor should require risk capacity of the insurer to include the consideration of regulatory capital requirements, economic capital, liquidity and operational environment.
The risk appetite statement should give clear guidance to operational management on the level of risk to which the insurer is prepared to be exposed and the limits of risk to which they are able to expose the insurer. It should also be communicated across and within the insurer to facilitate entrenching the risk appetite into the insurer’s risk culture.
An insurer should consider how to embed these limits in its ongoing operations. This may be achieved by expressing limits in a way that can be measured and monitored as part of ongoing operations. Stress testing may provide an insurer with a tool to help ascertain whether the limits are suitable for its business.
An insurance legal entity’s risk appetite statement should define risk limits taking into account all of the group risks it faces to the extent that they are relevant and material to the insurance legal entity.
When creating a risk limits structure at the insurance legal entity level, the entity’s Board and Senior Management should take into account risk limits at the group level.
The group-wide supervisor requires the group-wide ERM framework to establish and maintain processes to communicate its risk appetite internally and externally.
The granularity of disclosure may differ between internal and external communication.
The supervisor requires the insurer’s ERM framework to include an explicit asset-liability management (ALM) policy which specifies the nature, role and extent of ALM activities and their relationship with product development, pricing functions and investment management.
- the investment and liability strategies allow for the interaction between assets and liabilities;
- the liability cash flows will be met by the cash inflows; and
- the economic valuation of assets and liabilities will change under a range of different scenarios.
The insurer’s ALM policy should recognise the interdependence between all of the insurer’s assets and liabilities and take into account the correlation of risk between different asset classes as well as the correlations between different products and business lines, recognising that correlations may not be linear. The ALM policy should also take into account any off-balance sheet exposures that the insurer may have and the contingency that risks transferred may revert to the insurer.
Different strategies may be appropriate for different categories of assets and liabilities. One possible approach to ALM is to identify separate homogeneous segments of liabilities and obtain investments for each segment that would be appropriate if each liability segment was a stand-alone business. Another possible approach is to manage the insurer’s assets and liabilities together as a whole. The latter approach may provide greater opportunities for profit and management of risk than the former. If ALM is practised for each business segment separately, this is likely to mean that the insurer may not benefit as much from the benefits of scale, hedging, diversification and reinsurance.
However, for some types of insurance business it may not be appropriate to manage risks by combining liability segments. It may be necessary for the insurer to devise separate and self-contained ALM policies for particular portfolios of assets that are ring-fenced or otherwise not freely available to cover obligations in other parts of the insurer.
Assets and liabilities may be ring-fenced to protect policyholders. For example, non-life insurance business is normally ring-fenced from life insurance business, and likewise, participating business is separated from non-participating. Supervisory requirements or the insurer’s ERM framework may require some liabilities to be closely matched with the supporting assets. For example, equity-linked or indexed-linked benefits may be closely matched with corresponding assets, and annuities’ cash outflows may be closely matched with cash inflows from fixed income instruments.
Some liabilities may have particularly long durations, such as certain types of liability insurance and whole-life policies and annuities. In these cases, assets with sufficiently long duration may not be available to match the liabilities, introducing a significant reinvestment risk, such that the present value of future net liability cash flows is particularly sensitive to changes in interest rates. There may also be gaps in the asset durations available. An ALM policy should address the risks arising from duration or other mismatches (for example, by holding adequate capital or having appropriate risk mitigation in place). The ERM framework should reflect the insurer’s capacity to bear ALM risk, according to the insurer’s risk appetite and risk limits structure.
The group-wide ALM policy should take into account any legal restrictions that may apply to the treatment of assets and liabilities within the jurisdictions in which the group operates.
- addresses investment risk according to the insurer’s risk appetite and risk limits structure;
- specifies the nature, role and extent of the insurer’s investment activities and how the insurer complies with regulatory investment requirements; and
- establishes explicit risk management procedures with regard to more complex and less transparent classes of asset and investments in markets or instruments that are subject to less governance or regulation; and
- as necessary, includes a counterparty risk appetite statement.
An investment policy may set out the insurer’s strategy for optimising investment returns and specify asset allocation strategies and authorities for investment activities and how these are related to the ALM policy.
The investment policy should address the safe-keeping of assets including custodial arrangements and the conditions under which investments may be pledged or lent.
Credit risk should be considered in the investment policy.
- type of asset;
- credit rating;
- issuer/counterparty or related entities of an issuer/counterparty;
- financial market;
- sector; and
- geographic area.
It is important for the insurer to understand the source, type and amount of investment risk. For example, it is important to understand who has the ultimate legal risk or basis risk in a complex chain of transactions. Similar questions arise where the investment is via external funds, especially when such funds are not transparent.
A number of factors may shape the insurer’s investment strategy. For insurers in many jurisdictions concentration risk arising from the limited availability of suitable domestic investment vehicles may be an issue. By contrast, international insurers’ investment strategies may be complex because of a need to manage or match assets and liabilities in a number of currencies and different markets. In addition, the need for liquidity resulting from potential large-scale payments may further complicate an insurer’s investment strategy.
Where appropriate, the investment policy should outline how the insurer deals with inherently complex financial instruments such as derivatives, hybrid instruments that embed derivatives, private equity, hedge funds, insurance linked instruments and commitments transacted through special purpose entities. Complex or less transparent assets may present operational risks that are difficult to assess reliably, especially in adverse conditions.
An effective investment policy and ERM framework should provide for appropriately robust models reflecting relevant risks of complex investment activities (including underwriting guarantees for such complex securities). There should be explicit procedures to evaluate non-standard risks associated with complex structured products, especially new forms of concentration risk that may not be obvious.
For complex investment strategies, the insurer’s investment policy and ERM framework may incorporate the use of stress testing and contingency planning to handle hard-to-model risks such as liquidity and sudden market movements. Trial operation of procedures may also be appropriate in advance of ‘live’ operation.
- the potential exposure cannot be reliably measured;
- closing out of a derivative is difficult considering the illiquidity of the market;
- the derivative is not readily marketable as may be the case with over-the-counter instruments;
- independent (ie external) verification of pricing is not available;
- collateral arrangements do not fully cover the exposure to the counterparty;
- the counterparty is not suitably creditworthy; and
- the exposure to any one counterparty exceeds a specified amount.
A counterparty risk appetite statement sets out the level of risk the insurer is willing to accept that a counterparty will be unable to meet its obligations as they fall due. This may impact the insurer’s financial position through, for example, reductions in fair value or impairment of investments, loss of reinsurance cover, open market exposures or the loss of securities that have been loaned.
In deciding whether it is necessary to require a counterparty risk appetite statement, the supervisor should take into account the size of the insurer’s counterparty exposures, both in absolute terms and relative to the insurer’s portfolio, according to the characteristics outlined in Guidance 16.6.4, as well as the complexity and form of these exposures. Particular attention should be paid to financial sector counterparties, as these counterparties may be more likely to contribute to the build-up of systemic risk. Attention should also be paid to off-balance sheet exposures or commitments, as these may be more likely to materialise during stress.
The group-wide supervisor requires the Head of the IAIG to establish and maintain a group-wide investment policy that sets criteria for investment quality and addresses the selection of, and exposure to, low-quality investments or investments whose security is difficult to assess.
The group-wide investment policy should take into account the different regulatory investment requirements of the jurisdictions in which the IAIG operates.
- set limits, or other requirements, in the group-wide investment policy so that assets are properly diversified and asset concentration risk is mitigated; and
- have a counterparty risk appetite statement.
- type of asset;
- credit rating;
- issuer/counterparty or related entities of an issuer/ counterparty;
- financial market;
- sector; or
- geographic area.
To support the assessment of concentrations, the IAIG should analyse aggregate exposures to individual counterparties and to groups of related counterparties both at the legal entity level and group-wide level.
The group-wide supervisor requires the Head of the IAIG to establish criteria on intra-group investments in the group-wide investment policy.
- liquidity;
- contagion or reputational risk;
- valuation uncertainty;
- impact on capital resources;
- nature of the IAIG’s business; and
- financial condition of the individual legal entities.
The group-wide supervisor requires the Head of the IAIG to monitor investments on a group-wide basis to identify levels of investment exposure that do not comply with the group-wide investment policy.
Group-wide investment exposures that exceed limits, or any other non-compliance, should be reported to the IAIG Board and Senior Management upon identification. Reports to the IAIG Board and Senior Management should include material exposures that, even if within limits, could create financial difficulties within the IAIG if the value or liquidity of the investments decreases.
- insurer’s underwriting risk according to the insurer’s risk appetite and risk limits structure;
- nature of risks to be underwritten, including any material relationship with macroeconomic conditions; and
- interaction of the underwriting strategy with the insurer’s reinsurance strategy and pricing.
- the terms on which contracts are written and any exclusions;
- the procedures and conditions that need to be satisfied for risks to be accepted;
- additional premiums for substandard risks; and
- procedures and conditions that need to be satisfied for claims to be paid.
Control of expenses associated with underwriting and payment of claims is an important part of managing risk especially in conditions of high general rates of inflation. Inflation of claim amounts also tends to be high in such conditions for some types of risk. Insurers should have systems in place to control their expenses. These expenses should be monitored by the insurer on an ongoing basis.
- the insurer’s reinsurance programme provides coverage appropriate to its level of capital, the profile of the risks it underwrites, its business strategy and risk appetite; and
- the risk will not revert to the insurer in adverse circumstances.
- product classes the insurer is willing to write;
- relevant exposure limits (eg geographical, counterparty, economic sector); and
- a process for setting underwriting limits.
The underwriting policy should address the potential impact on the insurer’s financial position from material correlations between macroeconomic conditions and the insurance portfolio (for example by assessing the potential impact stemming from certain insurance products with embedded guarantees and options).
- how an insurer analyses emerging risks in the underwritten portfolio; and
- how emerging risks are considered in modifying underwriting practices.
The underwriting policy should describe interactions with the reinsurance strategy and associated credit risk, and should include details of the reinsurance cover of certain product classes or particular risks.
The group-wide supervisor requires the Head of the IAIG to ensure that the IAIG implements its group-wide ERM framework by establishing procedures and monitoring practices for the use of sufficient, reliable and relevant data for its underwriting, pricing, reserving and reinsurance processes.
- claims estimation and settlement;
- feedback into the group-wide underwriting policy and reinsurance strategy; and
- claims data reporting for group analysis.
- delegations of authority for claims settlement;
- criteria for accepting or rejecting claims; and
- escalating claims.
A group-wide claims management policy should allow insurance legal entities to establish individual claims management policies and processes, adjusted to supervisory requirements and circumstances in their jurisdictions.
Escalating claims may include information about sudden increases in claim activity, delays in settlements and increased rejections.
- the interaction with the group-wide risk and capital management strategies;
- how the risk appetite is achieved, on both a gross limit and net retention basis;
- the appetite for reinsurer credit risk, including approved security criteria for reinsurance transactions and aggregate exposure criteria to individual or related reinsurers;
- the autonomy afforded to individual insurance legal entities to enter into “entity specific” reinsurance arrangements, and the management and the aggregation of these exposures in the group-wide context;
- procedures for managing reinsurance recoverables, including required reporting from insurers;
- intra-group reinsurance strategy and practice;
- use of alternative risk transfer, including capital markets risk transfer products; and
- effectiveness of risk transfer in adverse circumstances.
A strategy for other forms of risk transfer may include the use of capital markets risk transfer products (for example, insurance linked securities). Strategic considerations may include factors like the maturity of the capital markets offering such risk transfer products, regulatory approaches regarding the use of such risk transfer products, and overall mix of traditional reinsurance with other forms of risk transfer.
- the process to assess the appropriateness, at the group-wide level, of the data, methodologies and underlying models used, as well as the assumptions made in the calculation of technical provisions;
- the process to calculate reinsurance recoverable assets taking into account the design of the reinsurance programme under the reinsurance strategy of the IAIG; and
- model risk management of internal models that generate actuarial and financial projections for solvency purposes.
- be compliant with applicable laws and regulations, accounting regime, and professional actuarial standards;
- formalise materiality thresholds to trigger higher levels of management actions to ensure well-governed activities;
- provide for a data validation process that supports actuarial activities to ensure data quality, comprehensiveness, granularity and timeliness;
- provide a framework for determining assumptions used in valuations, including a process of incorporating the experience of the IAIG and its insurance legal entities, as well as a process of developing assumptions if the IAIG does not have enough experience in a particular business line or market;
- articulate model validation and maintenance procedure to ensure that model usage and model modifications align with the risk appetite and risk limits structure; and
- create consistent management information requirements from in-depth reviews and monitoring of actuarial activities.
The group-wide actuarial policy should contain practice standards to raise awareness of matters that have, or are likely to have, a materially adverse effect on the solvency, reserves or financial condition of one of the insurance legal entities, or the IAIG as a whole. Such standards would prompt the group-wide actuarial function to inform the relevant Board, Senior Management or Key Persons in Control Functions, as appropriate, for suitable action (see ICP 8 Risk Management and Internal Controls).
Differences in reporting may exist at the insurance legal entity level to comply with jurisdictional requirements. The group-wide actuarial policy should focus on group-wide reporting requirements, both for internal management purposes and for reporting and disclosure purposes. The group-wide reporting should reflect jurisdictional differences.
The group-wide actuarial policy should require an assessment of the consistency of the base assumptions used to derive technical provisions compared to those used to derive capital requirements, economic capital models, or the forward-looking view in the ORSA. Such an assessment of consistency may provide insight as to the coherence of the base assumptions and those applied in stress conditions.
- a prospective actuarial analysis of the financial condition of the IAIG which goes beyond the current balance sheet of the IAIG;
- the reliability and sufficiency of the technical provisions;
- the adequacy of reinsurance credit for technical provisions; and
- consideration of non-insurance legal entities and non-regulated legal entities.
The group-wide actuarial function should provide the IAIG Board an actuarial analysis of the current and future financial condition of the IAIG given recent experience and the group-wide policies for underwriting, claims management and investment and the group-wide reinsurance strategy.
- the assumptions used by all of the insurance legal entities in the group and the consolidation/aggregation method applied at the group level;
- the methodologies used to determine current estimates by each insurance legal entity and the consolidation/ aggregation method applied at the group level;
- the methodologies used to determine the margin over current estimate by each insurance legal entity and the consolidation/aggregation method applied at the group level;
- the availability and appropriateness of data used in valuations;
- back-testing of assumptions and valuations;
- uncertainty in current estimates used by both insurance legal entities and at the consolidated/aggregated group level;
- the adequacy of pricing, taking into account the underwriting policies, at the appropriate unit level, the insurance legal entity level and the group level;
- the performance of the IAIG's insurance portfolios and analysis of any changes in business volumes, exposures, claims experience, mix of business and pricing during the year;
- asset-liability management under the group-wide investment policy;
- suitability and adequacy of reinsurance or other forms of risk transfer arrangements, taking into account the strategies for underwriting and claims management, as well as the overall financial condition and risk appetite of the IAIG; and
- the extent of reliance on the values provided by non-insurance legal entities.
The supervisor requires the insurer’s ERM framework to address liquidity risk and to contain strategies, policies and processes to maintain adequate liquidity to meet its liabilities as they fall due in normal and stressed conditions.
- market liquidity in normal and stressed conditions, quality of assets and its ability to monetise assets in each situation
- characteristics of insurance contracts that may affect policyholder behaviour around lapse, withdrawal or renewal;
- adverse insurance events that may trigger short-term liquidity needs, including catastrophes;
- non-insurance activities such as margining or posting collateral for derivatives contracts, securities lending or repurchase agreements; and
- contingent sources of liquidity (including committed lines of credit or future premium income) and whether these would be available in stressed conditions.
An insurer should have well-defined processes and metrics in place, which may be simple or more advanced depending on its activities, to assess its liquidity position at different time horizons on a regular basis. An insurer’s liquidity analysis should cover both normal and stressed market conditions. The insurer should assess the results of such analysis in light of its risk appetite.
Upon the supervisor’s request, the insurer should report its liquidity risk management processes and analysis, including key assumptions or metrics.
An insurance group’s assessment should result in a coherent view of liquidity risk across legal entities within the group. For example, where an individual legal entity relies on the head of the group for funding, this should be accounted for in both the individual legal entity’s and the head of the group’s liquidity analysis.
When analysing its liquidity position, an insurance group may use different scenarios and analyses on a legal entity level and group-wide level where appropriate. Such scenarios should take into account that circumstances may differ between individual legal entities and the group as a whole.
- liquidity stress testing;
- maintenance of a portfolio of unencumbered highly liquid assets in appropriate locations;
- a contingency funding plan; and
- the submission of a liquidity risk management report to the supervisor.
Some insurers are required to establish more detailed liquidity risk management processes as compared to those processes set out in Standard 16.8. More detailed liquidity risk management processes are intended to help the insurer with its risk management. Additionally, the measures may provide the supervisor with a view on vulnerabilities that may cause funding shortfalls in stress.
- derivatives, particularly any collateral or margin that needs to be posted for mark-to-market declines in the value of the contract;
- securities financing transactions, including repurchase agreements and securities lending
- insurance products that contain provisions that allow a policyholder to withdraw cash from the policy with little notice or penalty; and
- insurance products covering natural catastrophes.
Liquidity stress testing is a forward looking risk management tool to reveal vulnerabilities in the insurer’s liquidity profile and provide information on its ability to meet liabilities as they fall due. A portfolio of unencumbered highly liquid assets may provide a source of liquidity for the insurer to meet its liabilities as they fall due. A contingency funding plan, describing the strategies for addressing liquidity shortfalls in stress situations, may assist the insurer in addressing an unforeseen stress situation, where its liquid assets are insufficient or unexpectedly become illiquid. A liquidity management report could assist the insurer and the supervisor to address shortcomings in the insurer’s risk management by laying out details of its liquidity risk management in an accessible format.
In deciding whether it is necessary to require more detailed liquidity risk management processes, and the intensity of such processes, the supervisor should take into account the nature, scale and complexity of the insurer’s activities that lead to increased liquidity risk exposure as well as the risk amplification effects related to the size of the insurer. Increased liquidity risk exposure may depend on, for example, the magnitude of potential collateral or margin calls from derivatives or other transactions, the use of securities financing transactions or the characteristics of insurance contracts that may affect policyholder behaviour around lapse, withdrawal or renewal.
The supervisor may increase or decrease the intensity of these requirements by, for example, varying the frequency, scope and granularity of liquidity stress testing, the proportion of various types of highly liquid assets allowed in the portfolio or the form and level of detail in the contingency funding plan and liquidity risk management report.
Where an insurer is required to establish more detailed liquidity risk management processes, the supervisor should assess the effectiveness of their implementation, including the interaction with existing control mechanisms. Additionally, the supervisor should evaluate the quality and quantity of the assets that the insurer includes in its portfolio of highly liquid assets in light of the liquidity characteristics of its activities. The supervisor may develop its own, general, criteria for highly liquid assets.
The group-wide supervisor requires the Head of the IAIG to assess the IAIG’s resilience against severe but plausible liquidity stresses to determine whether current exposures are within the IAIG’s liquidity risk appetite.
Forward-looking risk assessments should be done through scenario analysis or stress testing to reveal vulnerabilities in an IAIG’s liquidity profile and should be performed for material legal entities and the IAIG as a whole.
Depending on its business model, an IAIG may be vulnerable to different liquidity stresses than other insurers. Certain activities may contribute to larger or less predictable liquidity needs. The group-wide supervisor should therefore consider the nature, scale, and complexity of the IAIG’s activities that lead to increased liquidity risk exposure as well as the risk amplification effects related to the size of the IAIG when setting its expectations of the IAIG’s stress testing. The group-wide supervisor may, based on these considerations, vary the frequency, scope and granularity of liquidity stress testing.
The group-wide supervisor may suggest the IAIG include in its assessment certain stresses that have been informed by the group-wide supervisor’s macroprudential surveillance (ICP 24 Macroprudential Supervision).
- exposure to insurable events;
- withdrawals from, and run-offs of, insurance policies;
- contingent off-balance sheet exposures;
- the impact of a deterioration in the IAIG’s credit rating;
- the ability to transfer liquidity between legal entities and between jurisdictions;
- currency convertibility and access to foreign exchange markets;
- reductions in the ability to access secured and unsecured wholesale funding; and
- the correlation and concentration of funding sources.
- correlations between funding markets;
- the effectiveness of diversification across its chosen sources of funding;
- additional margin calls and collateral requirements;
- reliance on committed lines of credit;
- estimates of future balance sheet growth and premium income;
- the continued availability of market liquidity, including in currently highly liquid markets;
- ability to access secured and unsecured funding; and
- currency convertibility.
The IAIG should evaluate its cash inflows (sources) and cash outflows (needs) under stress scenarios and determine its stressed liquidity position, ie its net stressed cash outflows.
The group-wide supervisor requires the Head of the IAIG to establish and maintain an adequate level of unencumbered highly liquid assets in appropriate locations.
The IAIG should maintain adequate liquidity to meet its liabilities as they fall due in normal and stressed conditions. Where stress scenarios reveal stressed cash outflows that exceed stressed cash inflows, the IAIG should hold unencumbered highly liquid assets, with appropriate haircuts, of sufficient value to meet excess stressed cash outflows.
The group-wide supervisor should consider the results of the IAIG’s stress testing or scenario analysis when assessing the quality and quantity of the assets that the IAIG considers to be highly liquid assets.
Where an IAIG is subject to significant short-term liquidity needs (for example daily or weekly) the supervisor may require higher quality assets than an IAIG subject to longer-term needs. The group-wide supervisor may also require an IAIG with larger or less predictable stressed liquidity needs to hold a larger amount of highly liquid assets than an IAIG with smaller and more consistent liquidity needs.
The IAIG should be able to demonstrate to the group-wide supervisor the liquidity of any assets it considers highly liquid assets in its liquidity risk management report.
To promote their usability, assets that the IAIG relies on for liquidity should be free of legal, regulatory, contractual or other restrictions on the ability of the IAIG to liquidate, sell, transfer, or assign the assets (ie unencumbered).
The Head of the IAIG should ensure that its portfolio of highly liquid assets is sufficiently diversified. This may include looking through to the underlying assets to determine the extent of concentration risk. The Head of the IAIG should also consider whether it holds a substantial share of the market for a particular instrument, counterparty or asset class to assess if the market would be able to bear the IAIG’s sales and whether market reaction would not adversely impact the IAIG’s ability to monetise its assets as planned.
The Head of the IAIG should consider the marketability and realisability, including as acceptable collateral, of its highly liquid assets by taking into account factors such as market depth and access, monetisation timelines (for example delays in finding a willing buyer, time to settlement) and the likelihood and extent of forced-sale losses. In stressed market conditions, it may not be feasible to value properly or sell some types of assets or to do so without a significant loss in value.
Liquidity is not always freely transferable within a group when needed. The Head of the IAIG should ensure that liquidity is available to legal entities within the group when needed, subject to any applicable legal, regulatory or operational constraints, including cross-border constraints.
The minimum criteria for determining asset liquidity may be addressed in the group-wide investment policy or a separate liquidity policy.
The group-wide supervisor requires the Head of the IAIG to maintain a contingency funding plan to respond to liquidity stress events.
The group-wide supervisor should consider the nature, scale, and complexity of the IAIG’s activities that lead to increased liquidity risk exposure, as well as the risk amplification effects related to the size of the IAIG, when setting its expectations of the IAIG’s contingency funding plan requirements. This includes the form and level of detail of the contingency funding plan and the frequency for reviewing and updating the plan. The group-wide supervisor’s expectations may be informed by the IAIG’s liquidity stress testing or scenario analysis, which may reveal funding sources most likely to be impacted during stress and those on which the IAIG is most reliant. The group-wide supervisor may consider requiring a more detailed or frequently updated plan from an IAIG with more unpredictable cash inflows and outflows or where cash inflows and outflows are more significantly impacted by the IAIG’s liquidity stress tests or scenario analysis.
A contingency funding plan describes the strategies for addressing liquidity shortfalls in stress situations, including the methods that the IAIG would use to access alternative sources of funding.
A contingency funding plan should include quantitative metrics that the IAIG would use to identify a liquidity stress event, including the level and nature of the effect it would have on the IAIG’s liquidity position and on sources of available funding.
A contingency funding plan should outline the strategies, policies and processes to manage a range of stresses. The plan should establish a clear allocation of roles and clear lines of management responsibility. The plan should define procedures for identifying early warning indicators for potential liquidity stress events that are based on the features of the IAIG’s business.
The supervisor may allow the IAIG’s contingency funding plan to be developed as part of a recovery plan.
- a liquidity risk appetite statement;
- established liquidity risk limits;
- a discussion of the current liquidity position of the IAIG in relation to its liquidity risk appetite and limits;
- a summary of strategies, policies and processes that the IAIG has in place to manage liquidity risk;
- a discussion of potential vulnerabilities in the IAIG’s liabilities as well as the means of enhancing the liquidity position; and
- the IAIG’s approach to, and results of, liquidity stress testing.
The group-wide supervisor should consider the nature, scale, and complexity of the IAIG’s activities that lead to increased liquidity risk exposure as well as the risk amplification effects related to the size of the IAIG when setting liquidity reporting requirements, including the level of detail of the report and the frequency for reviewing and updating the report. The supervisor may determine that the reporting requirement is satisfied by reference to other risk management policies, risk reporting and/or the ORSA report.
The summary of strategies, policies and processes should discuss any metrics the IAIG uses to identify, measure, monitor, and control liquidity risk as well as how the results from the liquidity stress testing are incorporated into day-to-day management of the IAIG. The Head of the IAIG should have a process in place to discuss the results and take the necessary actions.
The supervisor requires the insurer to perform regularly its own risk and solvency assessment (ORSA) to assess the adequacy of its risk management and current, and likely future, solvency position.
The insurer should document the main outcomes, rationale, calculations and action plans arising from its ORSA.
ORSAs should be largely driven by how an insurer is structured and how it manages itself. The performance of an ORSA at the insurance legal entity level does not exempt the group from conducting a group-wide ORSA.
The supervisor requires the insurer’s Board and Senior Management to be responsible for the ORSA.
The Board should adopt a rigorous process for setting, approving, and overseeing the effective implementation by Senior Management of the insurer’s ORSA.
Where appropriate, the effectiveness of the ORSA should be validated through internal or external independent overall review by a suitably experienced individual.
- encompass all reasonably foreseeable and relevant material risks including, at least, insurance, credit, market, concentration, operational and liquidity risks and (if applicable) group risk; and
- identify the relationship between risk management and the level and quality of financial resources needed and available
- assess the insurer’s resilience against severe but plausible macroeconomic stresses through scenario analysis or stress testing; and
- assess aggregate counterparty exposures and analyse the effect of stress events on material counterparty exposures through scenario analysis or stress testing.
The ORSA should explicitly state which risks are quantifiable and which are non-quantifiable.
The insurer should consider in its ORSA all material risks that may have an impact on its ability to meet its obligations to policyholders, including in that assessment a consideration of the impact of future changes in economic conditions or other external factors. The insurer should undertake an ORSA on a regular basis so that it continues to provide relevant information for its management and decision making processes. The insurer should regularly reassess the sources of risk and the extent to which particular risks are material. Significant changes in the risk profile of the insurer should prompt it to undertake a new ORSA. Risk assessment should be done in conjunction with consideration of the effectiveness of applicable controls to mitigate the risks.
In deciding whether it is necessary to require scenario analysis or stress testing as part of the ORSA, and the frequency, scope and type of such scenario analysis or stress testing, the supervisor should take into account, for example, the nature, scale and complexity of the insurer, its business model and products and the size of the insurer’s exposures, both in absolute terms and relative to the insurer’s portfolio. For macroeconomic exposure, relevant factors may include the characteristics of the guarantees the insurer provides and the extent to which such guarantees are matched or hedged, the characteristics of any (automatic) asset reallocation mechanisms, the use of dynamic hedging, the insurer’s activity in derivatives markets or other drivers of volatility in the sources or uses of cash. For counterparty exposure, particular attention should be paid to financial sector counterparties, as these may be more likely to contribute to the build-up of systemic risk, and to off-balance sheet exposures or commitments, as these may be more likely to have an impact during stress.
- include all reasonably foreseeable and relevant material risks arising from every legal entity within the insurance group and from the widest group of which the insurance group is part;
- take into account the fungibility of capital and the transferability of assets within the group; and
- ensure capital is not double counted.
Similarly, an insurance legal entity’s ORSA should include all additional risks arising from the widest group to the extent that they impact the insurance legal entity.
In the insurance legal entity’s ORSA and the insurance group’s ORSA, it may be appropriate to consider scenarios in which a group splits or changes its structure in other ways. Assessment of current capital adequacy and continuity analysis should include consideration of relevant possible changes in group structure and integrity in adverse circumstances and the implications this could have for group risks, the existence of the group and the support or demands from the group to or on its insurance legal entities.
Given the level of complexity at insurance group level compared with that at an insurance legal entity level, additional analysis and information is likely to be needed for the group’s ORSA in order to address comprehensively the range of insurance group level risks. For example, it may be appropriate to apply a contagion test by using stress testing to assess the impact of difficulties in each legal entity within the insurance group on the other insurance group entities.
In conducting its group-wide ORSA, the group should be able to account for diversification in the group. Moreover, the group should be able to demonstrate how much of the diversification benefit would be maintained in a stress situation.
- the legal and management structures of the group;
- group-wide economic capital models;
- risk aggregation;
- the fungibility of capital and the transferability of assets within the group; and
- the outputs of the economic capital model and the regulatory capital requirements.
In conducting its group-wide ORSA, the IAIG should consider all material risks arising from its legal entities including non-regulated ones. In particular, political and reputational risks should be considered.
- assess the IAIG’s resilience against severe but plausible macroeconomic stresses through scenario analysis or stress testing; and
- assess aggregate counterparty exposures and analyse the effect of stress events on material counterparty exposures through scenario analysis or stress testing.
Scenario analysis of material counterparty exposures should assess the potential impact on the IAIG’s financial position of the deterioration of the credit-worthiness or of the default of individual legal entities, sectors or geographic areas.
- determine, as part of its ORSA, the overall financial resources it needs to manage its business given its risk appetite and business plans;
- base its risk management actions on consideration of its economic capital, regulatory capital requirements, financial resources, and its ORSA; and
- assess the quality and adequacy of its capital resources to meet regulatory capital requirements and any additional capital needs.
It is important that an insurer has regard for how risk management and capital management relate to and interact with each other. Therefore, an insurer should determine the overall financial resources it needs, taking into account its risk appetite, risk limits structure and business plans, based on an assessment of its risks, the relationship between them and the risk mitigation in place. Determining economic capital may help an insurer to assess how best to optimise its capital base, whether to retain or transfer risk and how to allow for risks in its pricing.
Although the amounts of economic capital and regulatory capital requirements and the methods used to determine them may differ, an insurer should be aware of, and be able to analyse and explain, these differences. Such analysis helps to embed supervisory requirements into an insurer's ORSA and risk and capital management, so as to ensure that obligations to policyholders continue to be met as they fall due.
As part of the ORSA, the insurer should perform its own assessment of the quality and adequacy of capital resources both in the context of determining its economic capital and in demonstrating that regulatory capital requirements are met having regard to the quality criteria established by the supervisor and other factors which the insurer considers relevant.
If an insurer suffers losses that are absorbed by its available capital resources, it may need to raise new capital to meet ongoing regulatory capital requirements and to maintain its business strategies. It cannot be assumed that capital will be readily available at the time it is needed. Therefore, an insurer’s own assessment of the quality of capital should also consider the issue of re-capitalisation, especially the ability of capital to absorb losses on an ongoing basis and the extent to which the capital instruments or structures that the insurer uses may facilitate or hinder future re-capitalisation. For example, if an insurer enters into a funding arrangement where future profits are cashed immediately, the reduced future earnings potential of the insurer may make it more difficult to raise capital resources in the future.
For an insurer to be able to recapitalise in times of financial stress, it is critical to maintain market confidence at all times, through its solvency and capital management, investor relationships, robust governance structure/practices and fair conduct of business practices. For example, where an insurer issues preferred stock without voting rights, this may affect the robustness of the governance structure and practice of that insurer. The voting rights attached to common stock can provide an important source of market discipline over an insurer’s management. Other insurers may issue capital instruments with lower coupons and fees, sacrificing the economic value of the existing shareholders and bondholders.
When market conditions are good, many insurers should be readily able to issue sufficient volumes of high quality capital instruments at reasonable levels of cost. However, when market conditions are stressed, it is likely that only well capitalised insurers, in terms of both the quality and quantity of capital resources held, will be able to issue high quality capital instruments. Other insurers may only be able to issue limited amounts of lower quality capital and at higher cost. Therefore, the supervisor should make sure that insurers have regard for such variations in market conditions and manage the quality and quantity of their capital resources in a forward looking manner. In this regard, it is expected that high quality capital instruments (such as common shares) should form the substantial part of capital resources in normal market conditions as that would enable insurers to issue capital instruments even in stressed situations. Such capital management approaches also help to address the procyclicality issues that may arise, particularly in risk-based solvency requirements.
An insurance group should determine, as part of its ORSA, the overall financial resources it needs to manage its business given its risk appetite and business plans and demonstrate that its supervisory requirements are met. The insurance group’s risk management actions should be based on appropriate risk limits and consideration of its economic capital, regulatory capital requirements and financial resources. Economic capital should thus be determined by the insurance group as well as its insurance legal entities, and appropriate risk limits and management actions should be identified for both the insurance group and the insurance legal entities.
Key group-wide factors to be addressed in the insurer’s assessment of group-wide capital resources include multiple gearing, intra-group creation of capital and reciprocal financing, leverage of the quality of capital and fungibility of capital and free transferability of assets across group entities.
- the insurer, as part of its ORSA, to analyse its ability to continue in business, and the risk management and financial resources required to do so over a longer time horizon than typically used to determine regulatory capital requirements; and
- the insurer’s continuity analysis to address a combination of quantitative and qualitative elements in the medium and longer-term business strategy of the insurer and include projections of its future financial position and analysis of its ability to meet future regulatory capital requirements.
An insurer should be able to demonstrate an ability to manage its risk over the longer term under a range of plausible adverse scenarios. An insurer’s capital management plans and capital projections are therefore key to its overall risk management strategy. These should allow the insurer to determine how it could respond to unexpected changes in market and economic conditions, innovations in the industry and other factors such as demographic, legal and regulatory, medical and social developments.
Where appropriate, the supervisor should require an insurer to undertake periodic, forward-looking continuity analysis and modelling of its future financial position including its ability to continue to meet its regulatory capital requirements in future under various conditions. Insurers should ensure that the capital and cash flow projections (before and after stress) and the management actions included in their forecasts are approved at a sufficiently senior level.
In carrying out its continuity analysis, the insurer should also apply reverse stress testing to identify scenarios that would be the likely cause of business failure (eg where business would become unviable or the market would lose confidence in it) and the actions necessary to manage this risk.
As a result of continuity analysis, the supervisor should encourage insurers to maintain contingency plans and procedures. Such plans should identify relevant countervailing measures and off-setting actions they could realistically take to restore/improve the insurer’s capital adequacy or cash flow position after some future stress event and assess whether actions should be taken by the insurer in advance as precautionary measures.
A clear distinction should be made between the assessment of the current financial position and the projections, stress testing and scenario analyses used to assess an insurer’s financial condition for the purposes of strategic risk management, including maintaining solvency. The insurer’s continuity analysis should help to ensure sound, effective and complete risk management processes, strategies and systems. It should also help to assess and maintain on an ongoing basis the amounts, types and distribution of financial resources needed to cover the nature and level of the risks to which the insurer is or may be exposed to and to enable the insurer to identify and manage all reasonably foreseeable and relevant material risks. In doing so, the insurer assesses the impact of possible changes in business or risk strategy on the level of economic capital needed as well as the level of regulatory capital requirements.
Such continuity analysis should have a time horizon needed for effective business planning (for example, 3 to 5 years), which is longer than typically used to determine regulatory capital requirements. It should also place greater emphasis than may be considered in regulatory requirements on new business plans and product design and pricing, including embedded guarantees and options, and the assumptions appropriate given the way in which products are sold. The insurer’s current premium levels and strategy for future premium levels are a key element in its continuity analysis. In order for continuity analysis to remain meaningful, the insurer should also consider changes in external factors such as possible future events including changes in the political or economic situation.
Through the use of continuity analysis an insurer should be better able to link its current financial position with future business plan projections and ensure its ability to maintain its financial condition in the future. This may help the insurer to further embed its ERM framework into its ongoing and future operations.
An internal model may also be used for the continuity analysis, allowing the insurer to assess the capital consequences of strategic business decisions in respect of its risk profile. For example, the insurer may decide to reduce its capital requirement through diversification by writing different types of business in order to reduce the capital that is needed to be held against such risks, potentially freeing up resources for use elsewhere. This process of capital management may enable the insurer to change its capital exposure as part of its long-term strategic decision making.
As a result of such strategic changes, the risk profile of an insurer may alter, so that different risks should be assessed and quantified within its internal model. In this way, an internal model may sit within a cycle of strategic risk and capital management and provide the link between these two processes.
An insurance group should analyse its ability to continue in business and the risk management and financial resources it requires to do so. The insurance group’s analysis should consider its ability to continue to exist as an insurance group, potential changes in group structure and the ability of its legal entities to continue in business.
An insurance legal entity’s continuity analysis should assess the ongoing support from the group including the availability of financial support in adverse circumstances as well as the risks that may flow from the group to the insurance legal entity. The insurance legal entity and the insurance group should both take into account the business risks they face including the potential impact of changes in the economic, political and regulatory environment.
In their continuity analysis, insurance groups should pay particular attention to whether the insurance group will have available cash flows (eg from surpluses released from long-term funds or dividends from other subsidiaries) and whether they will be transferable among legal entities within the group to cover any payments of interest or capital on loans, to finance new business and to meet any other anticipated liabilities as they fall due. Insurance groups should outline what management actions they would take to manage the potential cash flow implications in stressed conditions (eg reducing new business or cutting dividends).
The insurance group’s continuity analysis should also consider the distribution of capital in the insurance group after stress and the possibility that subsidiaries within the insurance group may require re-capitalisation (either due to breaches of local regulatory requirements, a shortfall in economic capital, or for other business reasons). The assessment should consider whether sufficient sources of surplus and transferable capital would exist elsewhere in the insurance group and identify what management actions may need to be taken (eg intra-group movements of resources, other intra-group transactions or group restructuring).
The insurance group should also apply reverse stress testing to identify scenarios that could result in failure or cause the financial position of the insurance group to fall below a predefined level and the actions necessary to manage this risk.
The supervisor requires, as necessary, insurers to evaluate in advance their specific risks and options in possible recovery scenarios.
The supervisor may require an insurer to produce a recovery plan that identifies in advance options to restore the financial position and viability if the insurer comes under severe stress (see Application Paper on Recovery Planning). In deciding whether it is necessary to require a recovery plan, and the form, content and level of detail of such recovery planning, the supervisor should take into account, for example, the insurer’s complexity, systemic importance, risk profile and business model. A recovery plan is intended to serve the insurer as an aid to sound risk management. Additionally, if the insurer comes under severe stress, a plan may serve the supervisor as valuable input to any necessary supervisory measures.
The supervisor should require the insurer to provide the necessary information to enable the supervisor to assess the robustness and credibility of any recovery plan required. If the supervisor identifies material deficiencies in the plan, it should provide feedback and require the insurer to address these deficiencies.
The supervisor should require the insurer to review any recovery plan required on a regular basis, or when there are material changes to the insurer’s business, risk profile or structure, or any other change that could have a material impact on the recovery plan, and to update it when necessary.
- develop a recovery plan that identifies in advance options to restore the financial position and viability;
- review and update the recovery plan on a regular basis, or when there are material changes; and
- take actions for recovery if the IAIG comes under severe stress.
The group-wide supervisor should consider the IAIG’s nature, scale, and complexity when setting recovery plan requirements, including the form, content and detail of the recovery plan and the frequency for reviewing and updating the plan.
Recovery planning is the responsibility of the IAIG. The IAIG should be able to take timely actions for recovery, in particular when any pre-defined criteria are met that trigger the activation of the recovery plan.
A recovery plan developed by the IAIG should cover all material legal entities within the group.
A recovery plan should serve as a guide for the IAIG to plan and manage severe stress scenarios, although the actual nature and timing of recovery actions will depend on the circumstances.
- it has a robust governance structure and sufficient resources to support the recovery planning process, which includes clear allocation of responsibilities; and
- recovery planning is integrated into the IAIG’s overall governance processes.
- discontinue or divest certain portfolios, business lines, legal entities, or other services; and/or
- continue operating certain lines of insurance business while restructuring or running off its discontinued business lines in an orderly fashion.
- a description of the legal entities covered by the plan, including their legal structures, interdependencies, core business lines and main risks;
- a description of functions and/or services that are significant for the continuation of the IAIG (for example, shared services, such as information technology services and outsourced functions);
- pre-defined criteria with quantitative and qualitative trigger points, governance, escalation mechanisms and supporting processes;
- a range of severe stress scenarios, including both idiosyncratic and market-wide stress
- credible options to respond to severe stress scenarios, including actions to address capital shortfalls and liquidity pressures, and to restore the financial condition of the IAIG, taking into account intra-group transactions;
- assessment of the necessary steps, costs, resources and time needed to implement the recovery actions, including the risks associated with the implementation of the actions; and
- strategies for communication with stakeholders.
Pre-defined criteria should be well-defined and aligned with contingency plans. They should include qualitative and quantitative criteria, such as a potential breach of a prescribed capital requirement (PCR). Criteria may also include triggers based on: liquidity, market conditions, macro-economic conditions, and the insurer's operational conditions.
- strengthening the IAIG’s capital position, such as recapitalisations;
- capital conservation, such as cost containment and suspension of dividends and of payments of variable remuneration;
- reorganisation of corporate structure and divestitures, such as sales of legal entities or portfolios;
- voluntary restructuring of liabilities, such as debt-to-equity conversion; and
- securing sufficient diversified funding and adequate availability of collateral in terms of volume, location and quality.
As a recovery plan may not be able to cover every possible scenario, the IAIG may take, or the group-wide supervisor may require the IAIG to take, measures for recovery other than those contemplated in the IAIG’s recovery plan.
The group-wide supervisor should regularly review the recovery plan, including the predefined criteria, the assumptions and severe stress scenarios underlying the plan, to assess its credibility and likely effectiveness. Where necessary, the group-wide supervisor should provide feedback and require the IAIG to address any material deficiencies.
The group-wide supervisor requires the Head of the IAIG to have and maintain group-wide management information systems that are able to produce information relevant to the recovery plan on a timely basis.
The IAIG may rely on an existing information system, so long as it fulfils the objectives of producing information relevant to the recovery plan on a timely basis.
It is important that the IAIG has available the information necessary for executing recovery actions when needed. Some of this information may be similar to the information needed for resolution; however, recovery may also require other information (see ComFrame material under ICP 12 Exit from the Market and Resolution).
The supervisor undertakes reviews of the insurer's ERM framework, including the ORSA. Where necessary, the supervisor requires strengthening of the insurer’s ERM framework, solvency assessment and capital management processes.
The output of an insurer’s ORSA should serve as an important tool in the supervisory review process by helping the supervisor to understand the risk exposure and solvency position of the insurer.
The insurer's ERM framework and risk management processes (including internal controls) are critical to solvency assessment. The supervisor should therefore assess the adequacy and soundness of an insurer’s framework and processes by receiving regularly the appropriate information, including the ORSA report.
- What are the roles and responsibilities within the ERM framework?
- Is the insurer within its stated risk appetite
- What governance has been established for the oversight of outsourced elements of the ERM framework?
- What modelling and stress testing (including reverse stress testing) is done?
- Has the model risk management been applied in the ERM framework?
- How does the insurer maintain a robust risk culture that ensures active support and adjustment of the insurer’s ERM framework in response to changing conditions?
The supervisor should review an insurer's internal controls and monitor its capital adequacy, requiring strengthening where necessary. Where internal models are used to calculate the regulatory capital requirements, particularly close interaction between the supervisor and insurer is important. In these circumstances, the supervisor may consider the insurer’s internal model, its inputs and outputs and the validation processes, as a source of insight into the risk exposure and solvency position of the insurer.
The supervisor should monitor the techniques employed by the insurer for risk management and capital adequacy assessment and take supervisory measures where weaknesses are identified. The supervisor should not take a one-size-fits-all approach to insurers’ risk management but rather base their expectations on the nature, scale and complexity of its business and risks. In order to do this, the supervisor should have sufficient and appropriate resources and capabilities. For example, the supervisor may have a risk assessment model or programme with which it can assess insurers' overall condition (eg risk management, capital adequacy and solvency position) and ascertain the likelihood of insurers breaching supervisory requirements. The supervisor may also prescribe minimum aspects that an ERM framework should address.
- a description of the relevant material categories of risk that the insurer faces;
- the insurer’s risk appetite and risk limits structure;
- the insurer’s overall financial resource needs, including its economic capital and regulatory capital requirements, as well as the capital available to meet these requirements; and
- projections of how such factors will develop in future.
The supervisor should be flexible and apply their skills, experience and knowledge of the insurer in assessing the adequacy of the risk appetite statement. The supervisor may be able to assess the quality of a particular risk appetite statement by discussing with the Board and Senior Management how the insurer’s business strategy is related to the risk appetite statement, as well as how the risk appetite had an impact on the insurer’s decisions. This includes reviewing other material, such as strategy and planning documents and Board reports in the context of how the Board determines, implements, and monitors its risk appetite so as to ensure that risk-taking is aligned with the Board-approved risk appetite statement.
The supervisor should be provided access to the material results of stress testing, scenario analysis and risk modelling and their key underlying assumptions to be reported to them and have access to other results, if requested. Where the supervisor considers that the calculations conducted by an insurer should be supplemented with additional calculations, it should be able to require the insurer to carry out those additional calculations. The supervisor should also consider available reverse stress tests performed by insurers where they wish to assess whether appropriate action is being taken to manage the risk of business failure.
While insurers should carry out stress testing, scenario analysis and risk modelling that are appropriate for their businesses, the supervisor may also develop prescribed or standard tests and require insurers to perform them when warranted. One purpose of such testing may be to improve consistency of testing among a group of similar insurers. Another purpose may be to assess the financial condition of the insurance sector to economic, market or other stresses that apply to a number of insurers simultaneously (such as pandemics or major catastrophes). Such tests may be directed to be performed by selected insurers or all insurers. The criteria the supervisor uses for scenarios for standard tests should reflect the jurisdiction’s risk environment.
Forward-looking stress testing, scenario analysis and risk modelling of future capital positions and cash flows whether provided by the insurer’s own continuity analysis or in response to supervisory requirements is a valuable tool for the supervisor in assessing the financial condition of insurers. Such testing informs the discussion between the supervisor and insurers on appropriate planning, comparing risk assessments against stress test outcomes, risk management and management actions. The supervisor should consider the dynamic position of insurers and form a high-level assessment of whether the insurer is adequately capitalised to withstand a range of standardised and bespoke stresses.
- scope of risk categories of the internal model
- the insurer’s prioritisation of risks in its risk appetite; and
- the insurer’s use of the outputs in making major management decisions on capital planning for meeting regulatory capital requirements.
By reviewing the insurer’s ORSA continuity analysis, the supervisor may be able to learn about the robustness of an insurer’s future financial condition and the information on which the insurer bases decisions and its contingency planning. Such information should enable the supervisor to assess whether an insurer should improve its ERM framework by taking additional countervailing measures and off-setting actions, either immediately, as a preventive measure, or including them in future plans. Objectives of such supervisory measures may be to reduce any projected financial inadequacies, improve cash flows and/or increase an insurer’s ability to restore its capital adequacy after stress events.
Publicly disclosing information on risk management may improve the transparency and comparability of existing solvency requirements. There should be an appropriate balance regarding the level of information to disclose about an insurer's risk management against the level of sufficient information for external and internal stakeholders which is useful and meaningful. Therefore, the requirements for public disclosure of information on risk management, including possible disclosure of elements of a solvency and financial condition report, should be carefully considered by the supervisor taking into account the proprietary nature of the information.
Where an insurer's risk management and solvency assessment are not considered adequate by the supervisor, the supervisor should take appropriate measures. This could be in the form of further supervisory reporting or additional qualitative and quantitative requirements arising from the supervisor's assessment. Additional quantitative requirements should only be applied in appropriate circumstances and be subject to a transparent supervisory framework. Otherwise, if routinely applied, such measures may undermine a consistent application of standardised approaches to regulatory capital requirements.
- How well is the group’s ERM framework tailored to the group?
- Are decisions influenced appropriately by the group’s ERM framework outputs?
- How responsive is the group’s ERM framework to changes in individual businesses and to the group structure?
- How does the framework bring into account intra-group transactions; risk mitigation; and constraints on fungibility of capital, transferability of assets, and liquidity?
The group-wide supervisor should review the risk management and financial condition of the insurance group. Where necessary, the group-wide supervisor should require strengthening of the insurance group’s risk management, solvency assessment and capital management processes, as appropriate to the nature, scale and complexity of risks at group level. The group-wide supervisor should inform the other involved supervisors of any action required.
The group-wide supervisory review and assessment of the insurance group’s ERM framework should consider the framework’s suitability as a basis for group-wide solvency assessment. The arrangements for managing conflicts of interest across an insurance group should be a particular focus in the supervisory review and assessment of an insurance group’s ERM framework.
The supervisory assessment of the group’s ERM framework may affect the level of capital that the insurance group is required to hold for regulatory purposes and any regulatory restrictions that are applied. For example, the group-wide supervisor may require changes to the recognition of diversification across the insurance group, the allowances made for operational risk and the allocation of capital within the insurance group.
Although it is not a requirement in general for an insurance legal entity or an insurance group to use internal models to carry out its ORSA, the supervisor may consider it appropriate in particular cases that the ORSA should use internal models in order to achieve a sound ERM framework. The quality of an insurance group’s ORSA is dependent on how well integrated its internal capital models, the extent to which it takes into account constraints on fungibility of capital and its ability to model changes in its structure, the transfer of risks around the insurance group and insurance group risk mitigation. These factors should be taken into account by the group-wide supervisor in its review of the insurance group’s ORSA.
The supervisor may wish to specify criteria or analyses as part of the supervisory risk assessments to achieve effective supervision and consistency across insurance groups. This may, for example, include prescribed stress tests that apply to insurance groups.