Sadly cannot find the link to the guide, but I have summarised it on an as-read basis below - bearing in mind AEGON is part of this body, it carries appropriate weight on an EU-wide basis;
VvV ORSA Approach
- Essential ORSA elements
- 3 lines of defense,
- Risk appetite framework,
- Risk identification and business scenarios analysis,
- Risk & capital profile
- They will split it into static (RSR-type content) and dynamic (FCR and ERM-type content)
- Will need to consider all risks “that may lead to a material reduction in...own funds or the protection offered to policyholders”, and stress testing should be used in considering all risks
- Ticklist for content;
· Description of risk areas
· Description of ORSA process
· Description of responsibilities
· Overview of strategy, identified risk and scenarios
· Stress test results
· Financial condition and overall solvency needs
· Strategy for raising funds (if required)
· Independent assessment result and description
· Content and frequency of management reporting
- Some confusion on the governance aspect (perhaps in translation), but they advocate a management report to be pre-approved at Risk Committee level, then Ex Com level, and finally with Audit Committee.
- Lot of focus on “Embedding ORSA” – input for decision making, not reporting output [I suspect the ICA and FCR already do this for UK firms, less so the KRI monitoring at the ops level].
- Bit crazy on Risk Profile definition, which I would call inherent/residual risk rating (i.e. a component of the formula for calculating a risk profile) – no aggregates of data to be used as divisors, as per IFSRA's approach for risk based monitoring in Ireland.
- Risk Profile component ticklist is however a little clearer;
- Description that helps entries stand up in isolation
- What could cause it to crystallise, and consequence
- Impact and Likelihood, on inherent and residual basis
- Control detail
- Management choice of the 4 T’s (Tolerate, Treat, Transfer or Terminate)
- Detail quantitative data collection required (as if Actuarial are not already doing this!) as asset book profile, yield curves etc, but then also expect to see Risk Profile factored in.
- They nicely detail how the Base Case (which is deterministic, or best estimate) should translate into scenario analysis (stochastic) and stress tests (in extremis scenarios) - great for the non-actuaries!
- Specify that a written policy should be developed for scenario analysis including
- Who determines them, and what constitutes one?
- What triggers a scenario construction? (external events, NPD etc)
- Who administers/validates
- What is done with recommendations for management on capital requirements
- Specify that guidance should be developed in house for stress testing including;
- Governance, challenge and regular review
- Should only support, not direct, business decisions – limitations to be documented
- Sensitivity analysis of single risk drivers
- Reverse stress testing
- FCR generally covers their requirements on Capital Management, though they expect strategic planning to start with a capital adequacy check for last period
- Advocates a Risk Response and a Capital Response (Tolerate risk, but prepare to deploy more capital). I love this idea, and will examine the practicalities in the near future, in particular if one wanted to tolerate a risk without deploying capital.
- Not convinced by their plan to separate ORSA into two parts, Static and Dynamic. Static ORSA is no more than an organisation description and mapping of ERM Framework, while Dynamic ORSA (10 pages to answer the following);
- How well does RM Framework function
- What are key risks at any point in time
- What is overall risk profile
- What is overall capital profile
- (Is this the QAR!)
- ORSA triggers for full or partial reruns are requested (they suggest things such as; acquisition, divestiture, market drops, regulation changes [oh sweet irony!], solvency environment shifts etc).
- For a partial ORSA trigger, a KRI breach could be a real life example, or for a full ORSA, a stress test breach. From that exercise, the most significant KRIs realistically would qualify as full ORSA triggers as well.
All in all, the thinking seems rather confused, as this cannot be kept simple as they suggest with the level and type of content they recommend as good practice, and splitting it into "dynamic" and "static" seems a touch desperate – this just will not be a simple document.