GFSC Guidance Note Solvency 2: Own Risk and Solvency Assessment

Version: 1 Publication Date: 22 December 2025 www.gfsc.gi GFSC Guidance Note Solvency 2: Own Risk and Solvency Assessment (ORSA)

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 2 Assessment Table of Contents

1. Introduction..................................................................................................................................... 3
2. ORSA supervisory report ................................................................................................................. 3
3. The ORSA policy............................................................................................................................... 3
4. Board sign-off and embedding of the ORSA.................................................................................... 4
5. Business strategy............................................................................................................................. 4
6. Risks................................................................................................................................................. 5
7. Capital and solvency........................................................................................................................ 5
8. Stress testing ................................................................................................................................... 6
9. Groups............................................................................................................................................. 6
10. Internal model................................................................................................................................. 7
11. Standard formula............................................................................................................................. 7

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 3 Assessment

1. Introduction 1.1. This Guidance Note is addressed to all insurance undertakings and reinsurance undertakings, as defined in the Financial Services (Insurance Companies) Regulations 20201 (the ‘Insurance Companies Regulations’), including in the context of provisions relating to groups, mutuals and third-country branches. Insurance undertakings and reinsurance undertakings are collectively referred to as ‘insurers’ or ‘firms’ within this Guidance Note, which sets out the Gibraltar Financial Services Commission’s (‘GFSC’s’) expectations of firms regarding their own risk and solvency assessment (‘ORSA’), including the ORSA report, the firm’s policy regarding its ORSA, and the associated processes. 1.2. This Guidance Note should be read together with the GFSC’s Guidance Note on ‘Solvency 2: applying EIOPA Set 2, System of Governance, and ORSA Guidelines’, 2 the Insurance Companies Regulations and the Financial Services (Solvency 2)(Technical Standards) Regulations 20253 (the ‘Solvency 2 Technical Standards’). 1.3. By clearly and consistently explaining its expectations of firms in relation to the particular areas addressed, the GFSC seeks to advance its statutory objectives.
2. ORSA supervisory report 2.1. It is fundamental to the ORSA that it is forward looking. The GFSC expects firms to find ways to estimate their future solvency position while assessing their current risk profile and how it is likely to change with the proposed business strategy. The ORSA should contemplate those risks to which the firm may become exposed in the future. 2.2. The GFSC expects all insurance firms to consider stress testing as a tool for assessing the risks to which they are exposed and to assist in quantifying their potential impact. 2.3. It is important that the ORSA supervisory report has an identifiable and analytical framework. The GFSC finds that good ORSA reports often: • include a clear summary; • highlight the key outcomes of the process; • are not too long; and • clearly signpost supporting documentation.
3. The ORSA policy 3.1. The ORSA policy is expected to be a standalone document or a distinct part of the ORSA report. The GFSC expects an ORSA policy to be sufficiently detailed, rather than generic. The ORSA policy is expected to include the process and procedures required by the ORSA framework. Examples of good practice include: • a clear scope which states whether the ORSA is for a group, solo entity or both; • a clear business structure that covers all aspects of the business, including the group structure and any key intra-group or third party outsourcing arrangements; 1 Financial Services (Insurance Companies) Regulations 2020 – Regulation 3 2 GFSC Guidance Note on Solvency 2: applying EIOPA Set 2, System of Governance, and ORSA Guidelines 3 Financial Services (Solvency 2)(Technical Standards) Regulations 2025

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 4 Assessment • a description of how the ORSA incorporates the strategic and business planning processes; • a description showing how the ORSA incorporates the risk profile, approved risk tolerance limits and overall solvency needs; • the timing and frequency of the ORSA framework (including, for example, its detailed elements such as stress tests, sensitivity analyses and reverse stress tests) and the ORSA report, including the triggers for an ad hoc ORSA; • information on data quality standards; • the structure of the ORSA report, including details of the key ORSA records; • a description of the roles and responsibilities of all those involved with the ORSA, including those of the board; • details of how the board owns the ORSA framework and process; and • a requirement for the board to approve the ORSA policy at least annually. 3.2. Where any of the above is not included within the ORSA policy, the GFSC expects it to be included elsewhere in the ORSA report. 4. Board sign-off and embedding of the ORSA 4.1. The Board plays a crucial role in owning the ORSA process, actively steering the process and embedding outcomes of the process into the overall decision-making framework. The GFSC expects the ORSA report to evidence the board sign-off, and the key conclusions and management actions agreed. The report will be expected to provide details of how the different elements of the ORSA assessment have been considered (i.e. if a breach is within risk appetite) and how the output of the assessment supports strategic decisions. 4.2. Although the detail may not necessarily form part of the report, the GFSC expects firms to have good supporting evidence which demonstrates any board or committee discussion and sign-off, and underlying material used during these assessments. A log of key decisions, documents used, and a list of follow-up actions for named individuals are examples of useful evidence of these processes. 4.3. To demonstrate embedding of the ORSA, some firms have introduced high-level management information as part of the ORSA framework (an ‘ORSA dashboard’) which follows a similar structure to the ORSA report but with up-to-date information presented visually, with tables, charts and key messages. This has enabled the board to revisit key decisions taken periodically, analyse the current and future risk profile, assess material risk drivers, and challenge the firm’s solvency assessment and strategy. Firms are encouraged to use methods such as these. 5. Business strategy 5.1. Central to the concept of the ORSA is that it may be used to demonstrate strong linkages between business strategy, risk, capital, and stress testing. In addition, firms are expected to be able to demonstrate that they have considered fully the impact of internal and external risks when presenting their strategy. 5.2. Good examples include a high-level summary of firms’ most recent performance as well as a three-to-five-year forecast. The forward-looking quantitative information may include some granular data (e.g. class of business breakdown) and may be followed by a reasonable rationale on the strategies the firm is pursuing to meet its stated objectives. The analysis of different scenarios is important to identify how perceived risks are likely to impact the firm’s strategy and support the firm’s development of a proactive intervention framework, such as proposed controls and management actions.

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 5 Assessment 5.3. The GFSC expects firms to provide sufficient information, broken down by line of business, to demonstrate the overall direction of the group from a strategic and risk perspective. The assumptions of the business strategy should be included at a level of detail that allows the future drivers of capital projections to be understood. 5.4. Where firms have strategic mitigation in place to reduce volatility, the GFSC expects explicit reference to this within their business strategy. 4 6. Risks 6.1. The GFSC expects the ORSA to include an assessment of the risks it faces or may face in the future. Key risks would not be limited to quantifiable risks and would include non-quantifiable risks such as reputational, strategic, conduct, outsourcing and group risks.5 6.2. The GFSC expects firms to identify the key risks to their strategy and show how these drive current and future risk profiles, as against firms’ stated risk appetite and tolerances. For example, within insurance risk, the GFSC expects firms to consider how capital is distributed through the different classes and how it is likely to look in the future. Where necessary, the ORSA would highlight proposed management actions upon a perceived risk that may fall outside its appetite. 6.3. Following the identification of key and emerging risks, the GFSC expects the assessment to include the identification of key controls and risk owners and to demonstrate that management actions to mitigate those risks are discussed and agreed. Where a firm decides to accept a material risk, the GFSC expects the report to explain why it was considered appropriate. 6.4. For groups, the GFSC expects firms to consider group-specific risks (such as leverage, dividend sustainability, access to funding, and liquidity) as well as group-wide risks (those risks associated with businesses owned by the group) including the risks from non-regulated, non￾financial and non-EEA entities. 6.5. The ORSA report does not necessarily need to replicate the risk register or include all of the risks that the risk register contains. However, where the risk register is not included in its entirety as part of the ORSA report, the GFSC expects it to be submitted as an attachment to the report. 7. Capital and solvency 7.1. The GFSC expects the assessment of firms’ solvency over the business planning period to form part of the ORSA process and report. In addition to articulating current regulatory (solvency capital requirement (‘SCR’) and minimum capital requirement (‘MCR’)) and own view of capital, the report is expected to highlight why firms believe capital buffers to be appropriate, set a capital contingency plan in case it breaches the required capital level, and include an assessment of the impact of any stress testing. The GFSC expects key aspects of the 4 For example, quota share reinsurance might have been utilised for reasons of capital capacity and excess of loss reinsurance to reduce the volatility of large losses. 5 Firms should also identify potential risks arising from uncertainties connected to the calculation of their technical provisions, and consider whether these could impact continuous compliance with regulations 66 to 80 of the Insurance Companies Regulations. See also Guideline 11 of the EIOPA ORSA Guidelines.

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 6 Assessment methodology used and any deviations from the standard formula or internal model calculations to be explained. 7.2. The report is expected to state clearly the quality of own funds and how this is likely to change over the business planning period. Dividend policy is a key point in this assessment. 7.3. The GFSC expects group reports to explain the derivation of the group solvency position, and any diversification benefit. This will include the capital position of any key subsidiaries, as well as the management actions the entities and the group could take if needed, and an assessment of the availability and transferability (fungibility) of own funds. 8. Stress testing 8.1. The GFSC expects the ORSA to include a sufficiently wide range of plausible stress tests6 derived from the strategy and key risks, both firm-specific and market-wide, identified during the process, to include a summary of the outputs from these tests and to describe how they affect firms’ solvency positions before and after proposed management actions. The stress testing is expected to explore vulnerabilities in a firm’s business model. 8.2. The GFSC expects firms to apply reverse stress testing as part of their ORSA process. The ORSA report should define what constitutes business failure and then detail what events could drive that outcome. 8.3. Firms are expected to perform sensitivity tests as part of stress testing. Within this assessment, firms are expected to identify key model assumptions and parameters used, given changes in parameters and its impact on capital. 8.4. The GFSC expects firms to consider the quality and volatility of own funds with consideration of the capital’s loss absorbing capacity under different scenarios. 9. Groups 9.1. Where a group has received approval from the GFSC to submit a single ORSA report which covers a number of entities,7 the GFSC expects it to describe how the boards of each of the individual entities are involved in the process and sign-off. The report is expected to cover each of the entities to a suitable level of detail. 9.2. Conversely, where a group chooses to provide individual ORSA reports for each entity in the group, alongside a group ORSA covering just the group functions, the GFSC expects the documents to describe how the individual ORSAs link to the overarching group ORSA. 9.3. The GFSC expects group ORSAs to cover the business strategy, risk, capital and stress testing of the group as well as a consideration of the strategies of group businesses and any risks they may present. 6 The GFSC expects firms to model scenarios that are on the edge of plausibility in order to consider possible outcomes up to at least 1 in 200 severity. 7 Regulation 233 of the Insurance Companies Regulations.

Gibraltar Financial Services Commission Guidance Note on Solvency 2: Own Risk and Solvency 7 Assessment 10. Internal model 10.1. The GFSC expects, in line with Guideline 10 of the EIOPA Guidelines on own risk and solvency assessment,8 that all internal model firms’ ORSA reports will confirm and evidence the continued adequacy of the model to calculate the solvency capital requirement, and will confirm that all risks identified by the firm are included in the internal model. Any risks which are not accounted for in the internal model are expected to be included in the ORSA along with a justification for their exclusion from the model. 11. Standard formula 11.1. The GFSC expects firms using the standard formula to explain clearly within the ORSA report where the firm’s own risk profile deviates from the standard formula assumptions, and conclude whether the standard formula is appropriate for the risks in the business and is representative of its risk profile. The GFSC expects firms to consider any material deviations of the risk profile from the standard formula, and to demonstrate how the ORSA framework will be used by the firm to monitor, on an ongoing basis, the appropriateness of the standard formula. 8 EIOPA Guidelines on own risk and solvency assessment (ORSA) EIOPA-BoS-14/259 EN

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2025 Gibraltar Financial Services Commission