After years of uncertainty, Solvency II, the risk-based capital regime for insurers, will come into force on 1 January 2016. Even more comprehensive than banking's Basel III, it requires an enormous amount of work over the next twelve months or so to ensure that companies can meet its capital, risk management and reporting requirements. Most think that it is a step forward from the existing ‘one-size-fits-all’ regime of Solvency I, but there are still concerns that it is excessively onerous and bureaucratic.
Introducing the ORSA
What's new in Solvency II is the Own Risk and Solvency Assessment (ORSA), a development paralleled by the USA’s National Association of Insurance Commissioners (NAIC), which also requires ORSAs. This is all part of a coordinated global approach to ORSAs, driven through the International Association of Insurance Supervisors (IAIS). It means that national and regional standards are converging. An important driver of the introduction of ORSAs was the collapse of AIG in 2008, an event that took regulators completely by surprise.
Insurers have always accepted that a robust regulatory capital requirement is essential for customer protection, whilst feeling that sensitive implementation is essential to ensure it doesn't get in the way of efficient management of the firm. The ORSA addresses this dilemma through an annual report to the regulator which includes the Board's own view of the capital needed to run the business in future irrespective of the regulatory requirements. The aim is to demonstrate to the regulator that the Board understands the business, the risks and challenges it faces, and that it has adequate capital to achieve its strategic plans. Thus the ORSA requires a description of the risks based on the business model, assets and liabilities with a strategic, forward-looking perspective, written from the standpoint of the Board. It cannot be outsourced.
There is no pre-defined process, but EIOPA, the European regulator of insurance regulators, has indicated that the report should comprise:-
- Summary of current business strategy and risk appetite
- Current risk profile against risk appetite
- Required capital: regulatory (SCR) and economic capital
- Available funds to meet the capital requirement
- Expected future risk, capital and solvency profile – with a capital plan and contingency planning as required
- Potential risk, capital and solvency profile under various stressed conditions
- An independent review of the ORSA
The place of reputational, behavioural and organisational risks in the ORSA
Historically, quantifiable regulatory requirements (such as for capital) have tended to eclipse unquantifiable factors.
However, research into corporate failures of the last few decades, such as the FSA’s McDonnell Report (2003), the Airmic/Cass Business School Report 'Roads to Ruin' (2011) and Reputability's report 'Deconstructing Failure' (2013), has revealed the potentially fatal weakness of this approach. Individual and collective human behaviour plays a key role in corporate failure. These unquantifiable weaknesses, now widely called ‘behavioural’ and ‘organisational’ risks, are regularly found to be the root causes of crises and of a subsequent reputational collapse.
Regulators are recognising these new insights with alacrity. Reputational, behavioural and organisational risks are explicitly dealt with in the latest Financial Reporting Council Guidelines to boards on risk, and the importance of hard-to-quantify risks is increasingly recognised by global regulators including the Basel Committee on Banking Supervision and the IAIS.
In the insurance sector, IAIS, EIOPA and the NAIC have highlighted examples of risks they expect to see covered in the ORSA. Insurance, market, liquidity and counterparty risks are obvious to all, but the lists also include ‘operational risks’, with both the NAIC and EIOPA making clear that while risks such as reputational, strategic and operational risks can be hard to quantify, they must nonetheless be evaluated.
The range of ‘operational risks’ has also been clarified. It is now reasonably clear that, as regards the European ORSA, ‘operational risks’ include:
- non-quantifiable risks in general,
- reputation risks,
- risks from organisational complexity, and
- risks from human behaviour, whether individual or collective.
Implications for Insurers
Since the extent to which behavioural or organisational risks both cause crises and tip them into reputational catastrophes has only recently been recognised, ignorance has kept these risks out of risk registers. Nowadays there remain two main reasons why it is difficult to get these risks onto risk registers and into ORSAs.
First, it has often been personally dangerous, even for risk professionals, to bring these risks to the attention of their leaders. This is because the ultimate source of many of these risks is often the company’s leadership, both Board and Executive. Fortunately, recent regulatory requirements for leaders to deal with these risks are beginning to address this problem.
However, the second reason, a serious practical problem of cognitive bias, remains. This makes behavioural and organisational risks notoriously difficult for insiders to find, recognise and understand. These risks are most easily seen by outsiders with sectoral experience who are trusted with insiders’ knowledge and given the authority to identify risks of these kinds and explain them to insiders. Given sufficient independence, such trusted outsiders can also be relied on to explain any painful truths to leaders without putting the risk team in danger of reprisals. We have developed tools systematically to find these risks and help insiders, at all levels, to understand their implications.
The ORSA is an important development that has the potential to become a valuable tool for management as well as supervisors when, in 2016, it becomes a regulatory requirement throughout the EU. As part of the exercise, insurers will need to make an objective assessment of their behavioural and organisational risks.
Will insurers have the tools to accomplish this task? Or will the behavioural and organisational risk gap remain as a result of self-delusion? Market history shows this is a residual risk that could have devastating consequences for firms, for the reputation of regulators and for the stability of the market as a whole.
Regulators should also put this risk on their own risk register. The painful lessons of the AIG debacle should not be forgotten.
Professor Derek Atkins