LogoRegulatory Alerts
2019-11-22

Report on the Implementation of Own Risk and Solvency Assessment with Recommendations

The Croatian Financial Services Supervisory Agency (Hanfa) issued this November 2019 report to evaluate and enhance the Own Risk and Solvency Assessment (ORSA) process across insurance and reinsurance companies. It mandates that companies implement three core assessments—total solvency requirements, continuous regulatory compliance, and risk profile alignment—while strengthening management oversight, documentation, and strategic decision-making. The document provides specific quantitative and qualitative recommendations to ensure ORSA reports accurately reflect company-specific risk profiles, anticipatory perspectives, and stress test outcomes rather than merely replicating standard formula calculations.

Croatian Financial Services Supervisory Agency logo

Croatia

Croatian Financial Services Supervisory Agency

Click to view thumbnail

November 2019. Report on the Implementation of Own Risk and Solvency Assessment with Recommendations

CONTENTS

  1. INTRODUCTION ... 2 1.1. KEY AREAS OF THE ORSA SUPERVISORY REPORT ... 2 1.2. REGULATION RELATED TO THE ORSA PROCESS ... 3
  2. ANALYSIS OF THE ORSA REPORT BY HANFA ... 4
  3. ORSA PROCESS ... 8 3.1. INTERNAL ORGANIZATION OF THE ORSA PROCESS ... 9 3.2. DOCUMENTATION RELATED TO THE ORSA PROCESS ... 9 3.3. EXTRAORDINARY ORSA ... 9
  4. ASSESSMENT OF TOTAL SOLVENCY REQUIREMENTS (UPS) ... 11 4.1. DIFFERENCE BETWEEN UPS AND SCR ... 16 4.2. DEFINITION OF THE ANTICIPATORY PERSPECTIVE ... 18 4.3. IDENTIFICATION AND MANAGEMENT OF RISKS ... 19 4.4. METHODS AND ASSUMPTIONS ... 21 4.5. MANAGEMENT MEASURES AFTER COMPLETED STRESS TESTS ... 25
  5. DIFFERENCE BETWEEN THE RISK PROFILE AND THE ASSUMPTIONS UNDERLYING SCR ... 26
  6. ASSESSMENT OF CONTINUOUS COMPLIANCE WITH REGULATORY CAPITAL REQUIREMENTS AND TECHNICAL PROVISIONS REQUIREMENTS ... 30 6.1. PREPARATION OF PROJECTIONS ... 33
  7. INVOLVEMENT OF MANAGEMENT, KEY FUNCTIONS, AND ORSA RESULTS IN STRATEGIC DECISION-MAKING ... 35
  8. CONCLUSION ... 39 GLOSSARY ... 42

SUPERVISION AND ANALYSIS BY HANFA Through the publication of this report, Hanfa aims to maintain communication with insurance and reinsurance companies. This report describes the analysis and supervision regarding the ORSA process, through which Hanfa presents its observations and assessments, as well as expectations in significant areas. The provided information serves as support and enhancement for companies in their daily operations and ORSA process.

1. INTRODUCTION Own Risk and Solvency Assessment (hereinafter: ORSA) is an integral part of the risk management system of insurance and reinsurance companies and is a confidential internal assessment of material and relevant risks, appropriate to the nature, scale, and complexity of the operations of insurance/reinsurance companies and insurance groups (hereinafter: companies). ORSA is a risk assessment process to which companies are exposed or may be exposed, linked to the current business plan and the adequacy of capital resources.

1.1. KEY AREAS OF THE ORSA SUPERVISORY REPORT

  1. assessment of total solvency requirements (hereinafter: UPS) of the company, taking into account its specific risk profile, approved limits on permitted risks, and business strategy,
  2. assessment of continuous compliance with regulatory capital requirements and technical provisions requirements,
  3. assessment of the significance of how the company's risk profile deviates from the assumptions underlying the required solvency capital.

LIMITATIONS OF THE REPORT This report primarily relates to the ORSA process and three assessments that must be implemented. This report does not relate to specific capital requirements!

1.2. REGULATION RELATED TO THE ORSA PROCESS To improve the ORSA process that companies are required to conduct in accordance with the Insurance Act (NN, No. 30/15, 112/18), the Croatian Financial Services Supervisory Agency (hereinafter: Hanfa) issues this document, which contains the analysis and recommendations for implementing the ORSA process and preparing the ORSA report. Companies are required to follow the provisions of the Act and Commission Delegated Regulation (EU) 2015/35 of October 10, 2014, supplementing Directive 2009/138/EU of the European Parliament and of the Council on the taking up and pursuit of insurance and reinsurance activities (Solvency II), when conducting their ORSA process, while additionally taking into account EIOPA Guidelines on Own Risk and Solvency Assessment (EIOPA-BoS-14/259) and Hanfa's general report and recommendations following below. EIOPA guidelines relating to the ORSA process at the individual level apply mutatis mutandis to group ORSA. ORSA serves companies in making business decisions, defining and redefining business strategy. The ORSA process identifies, assesses, and monitors all existing and potentially material significant risks, reporting them to company management and other interested parties.

2. ANALYSIS OF THE ORSA REPORT BY HANFA The ORSA process is a newer segment of the anticipatory risk approach. Hanfa's task as the supervisory authority is to evaluate the quality of ORSA documentation, assess whether companies have appropriately evaluated their risks and solvency needs, considering the nature, scale, and complexity of risks inherent to their activities, and overall evaluate the ORSA process, including an assessment of used assumptions and methods, results, and actions taken during and after the implementation of various procedures within the ORSA process. The ORSA report by which companies report on their internal ORSA process does not have a prescribed or pre-defined structure. Companies independently, within the legal framework and predefined basic elements, formulate the report according to their organizational capacities. Over the past three years, Hanfa has communicated with companies regarding the formal and substantive content of ORSA reports through individual meetings, issuing written recommendations, and conducting other supervisory activities to improve the ORSA process and report content. Based on the results of a three-year analysis of ORSA reports, Hanfa has gained confidence in the progress of the ORSA process at the market level.

Analysis of ORSA reports has identified certain areas requiring significant improvements. For example, a significant number of companies base their UPS assessment on the same calculation as the required solvency capital according to regulatory requirements (hereinafter: SCR). Weaknesses have been identified in the following areas for a large number of companies, indicating significant room for improvement.

Improvements are also needed in presenting material risks, especially future ones, and the link between the risk profile and the company's business strategy. Hanfa has identified the following most successfully implemented areas:

  • Presentation of projections for capital requirements and own funds
  • Presentation of risks not included in the standard formula
  • Presentation of calculation results and projections for SCR, MCR, and own funds

In almost all companies, significant progress in the process compared to the 2017 ORSA report is clearly visible. Most companies have taken into account Hanfa's instructions and recommendations issued at meetings and/or through written communication on the ORSA process. After completing the analysis of received ORSA reports, Hanfa held individual meetings with representatives of all companies. The purpose of the meetings was as follows:

  • More detailed explanation of the company's own ORSA process and report, business strategy, and business model
  • Issuance of instructions and recommendations to improve the ORSA process and report
  • Encouraging companies to more actively use ORSA results in business decision-making and defining business strategy Companies had the opportunity to clarify parts of the ORSA process not clearly shown in the ORSA report, and Hanfa provided its review of previous procedures and instructions for future ORSA reports to enhance the ORSA process. After conducting the meetings, Hanfa sends individual recommendations to each company consisting of:
  • A general part detailing the expected content of the ORSA report
  • A specific review of certain deficiencies in the previous year's ORSA report with recommendations for improvement The purpose of the held meetings and issuance of instructions/recommendations is their implementation to continuously improve the process and increase the quality of ORSA reports.

3. ORSA PROCESS Within the ORSA process, companies are expected to:

  • Regularly and consistently conduct the ORSA process at least once a year to assess the adequacy of the risk management system and current and estimated future solvency position,
  • Internally document the process and assessment results,
  • Submit an ORSA supervisory report to Hanfa at least once a year, and as needed more frequently (extraordinary ORSA supervisory report). In addition, an important item of the ORSA report is presenting management's role in ORSA by establishing procedures with appropriate applicable techniques adapted to the organization and risk management system, as well as the nature, scale, and complexity of company risks, and reviewing obtained results. Company management should be aware of all significant risks to which the company is or may be exposed, regardless of whether these risks are included in the required solvency capital calculation and are measurable. Alongside company management, key functions also play an important role in the process. In addition to participating in preparing the ORSA report, key functions are essential for:
  • Assessing continuous compliance with regulatory capital requirements,
  • Assessing continuous compliance with technical provisions requirements,
  • The entire risk management process. The powers and responsibilities of key functions should be clearly stated in the ORSA report. One important aspect of the ORSA process is preparing business strategy and taking into account ORSA results. Within the ORSA report, companies should state ORSA process results on the basis of which strategic decisions were made. When the ORSA process is quality-integrated within a company, it guides business planning. Hanfa emphasizes the importance of management taking responsibility for the ORSA process and actively participating in it. Active participation by management implies deciding on appropriate methods for stress testing, approving the company's risk profile, preparing long-term projections, clarifying necessary measures, and critically reviewing assessment results. ORSA is not just another report in a series; ORSA is a process! There are no two identical reports because the ORSA process is unique and specific to each company.

3.1. INTERNAL ORGANIZATION OF THE ORSA PROCESS HANFA ANALYSIS Analysis of previous ORSA reports showed that in most companies, the key risk management function is responsible for coordinating the ORSA process and preparing reports. Hanfa believes it is appropriate for one function to coordinate the ORSA process. However, if one function is responsible for coordination, it does not mean it is the only one responsible for the ORSA process. Companies determine the most appropriate time for preparing the ORSA report through internal policies and procedures, considering the business model and strategy. However, consistent application of such a decision is simultaneously required. For this reason, Hanfa supports preparing ORSA reports and implementing the ORSA process in the middle or end of the calendar year, but also at other times if circumstances require.

3.2. DOCUMENTATION RELATED TO THE ORSA PROCESS HANFA ANALYSIS In the ORSA process, companies are required to prepare the following documentation:

  • ORSA policy,
  • Minutes for each ORSA,
  • Internal report for each ORSA,
  • Supervisory report on ORSA.

3.3. EXTRAORDINARY ORSA The Insurance Act specifies that ORSA should be conducted at least once a year and again in case of material changes in risks to which companies are or may be exposed. Hanfa believes it is appropriate to define what material changes within the risks to which companies are or may be exposed require preparing a new ORSA report. In this way, companies will more easily define when a new assessment or ORSA report is required. Furthermore, Hanfa considers it appropriate to determine qualitative and quantitative approaches in assessing whether material changes have occurred. Therefore, ORSA should contain information on who and when makes the decision to conduct a new assessment. HANFA ANALYSIS In previous implementations of ORSA reports, there have been no examples of extraordinary ORSA implementation. Below, Hanfa lists examples of potential changes that may lead to a new assessment. A change denotes a quantitative amount/percentage as one of the criteria for preparing a new assessment. Companies should independently determine what amount/percentage of change will trigger a new assessment depending on the risk profile, business complexity, and significance of the impact of individual risks on capital requirements. Below are additional circumstances that may lead to a new assessment:

  • Mergers, acquisitions, and takeovers
  • Portfolio transfers
  • Decisions related to external factors such as stock market declines, fraud, natural disasters, interest rate drops, or reputational damage
  • Events having a material impact on own funds
  • Introduction of new products
  • Entering a new market. Changes in total solvency requirements Change in individual risk Risk level exceeding a certain risk appetite or risk tolerance Decline in solvency ratio Net change in charged gross premium Decisions resulting in expected costs Growth in cost requirements A new assessment does not necessarily mean preparing a complete new ORSA report, especially when dealing with extraordinary circumstances requiring quick response. Since the new assessment is taken into account in strategic decision-making, such an assessment should contain everything necessary to be useful for decision-making and clearly and explicitly describe the change and its effects.

4. ASSESSMENT OF TOTAL SOLVENCY REQUIREMENTS (UPS) UPS represents a key area of the ORSA process and the first of three assessments within ORSA. The company's own assessment, considering future strategy based on UPS risk profile, is independent of the SCR calculation. The assessment can be made on a different evaluation basis than Solvency II rules and may use different assumptions or techniques/methods. UPS should include at least the following:

  • Required capital relating to significant risks (considering identified risk profile through baseline scenario and projections)
  • Own funds (source, quality, and structure through baseline scenario and projections)
  • Impact of using different valuations (if applicable). The purpose of assessing total solvency requirements implies management's awareness of the capital needed for uninterrupted operations in accordance with the risk profile, risk tolerance, and business strategy. Management decides how this assessment will be conducted.

Before conducting UPS, risk must be assessed. Risk assessment consists of three parts:

  • Identification of risks
  • Assessment of risk materiality
  • Determination of risk reduction strategy. Companies should identify all material risks to which they are or may be exposed, including risks not covered by regulatory capital requirements, as well as future/developing risks. For this purpose, business strategy and model, internal and external environment, and existing/possible new events should be appropriately considered. The assessment of materiality of identified risks should include:
  • Criteria used in assessing materiality
  • Assessment of probability and impact of identified risks
  • Assessment of "quantitative" and "qualitative" risks
  • Tolerances and risk limits. Companies may use certain risk reduction techniques to reduce gross exposure to some risks. The result of the risk assessment in the ORSA report covers both gross and net exposure to risks, but net exposures are taken as key input data for UPS. Companies should recognize risks arising from used risk reduction techniques. Furthermore, UPS should contain the following:
  • Amount of required capital and amount of own funds in a specific time period
  • Explanation of causes for possible growth or decline in required capital and own funds during the observed time period
  • Justification of set solvency ratio limits and links with risk appetite.

Chart 1. 12,50% -> Percentage of companies that did not adequately explain the UPS assessment in the ORSA report 87,50% -> Percentage of companies that prepared a quality explanation of UPS in the ORSA report EXPLANATION OF UPS ASSESSMENT HANFA ANALYSIS Analysis of ORSA reports showed that two companies (12.5% of all companies) did not adequately explain the UPS assessment (Chart 1.). Namely, although companies conduct UPS assessments, in some companies it is visible that the UPS assessment is not sufficiently explained. Furthermore, Hanfa observed that companies often do not conduct UPS assessments based on the risk profile but rather on the SCR calculation, raising the question of whether company management is adequately involved in the ORSA process.

HANFA RECOMMENDATIONS Hanfa's recommendation is that companies, along with quantitative data (amounts and percentages), provide a qualitative explanation of the UPS assessment. In cases where companies use additional assumptions in calculating UPS, it is recommended that they be explained in detail and that companies state the reasons for including them in the calculation. If companies use statistical trends, expert consultations, or other alternative methods for certain risks, these need to be further explained and clear calculations prepared. It is recommended that companies prepare a detailed analysis of each risk module and graphically display the structure of the most significant risk modules. The UPS assessment is not, and should not be, identical to the SCR calculation based on the standard formula or internal model.

Along with required internal capital/UPS, companies should define own funds. Below are recommendations for defining own funds: For risks not covered by own funds, companies should state other resources to cover identified risks and ensure these resources are available, effective, and sufficient. Examples of such resources may include:

  • Appropriate liquidity plan to reduce liquidity risk
  • Existence of backup installations in IT area in case of operational risk
  • Appropriate asset and liability management (ALM) policy due to certain asset-liability mismatches.

4.1. DIFFERENCE BETWEEN UPS AND SCR When determining required internal capital, if companies define that UPS is defined as the required capital for permanent coverage of SCR (i.e., if UPS equals SCR), companies should state reasons and justify them in the ORSA report. Below, Hanfa lists the key differences between UPS and SCR:

  • UPS covers all material risks of the company
  • UPS covers the company's risk profile, which does not need to be linked with the standard formula
  • UPS is calibrated based on the company's risk tolerance, which may differ from the 99.5% interval measure used in SCR calculation
  • UPS should cover a time period appropriate in light of the business plan and strategy, which may be longer than 12 months
  • UPS can be based on different values from those specified in Solvency II regulation, e.g., contract limits and discounting curves. HANFA ANALYSIS Analysis of ORSA reports showed that companies state their own UPS is based on risk profile, risk tolerance, and business strategy. However, three companies (18.75% of all companies) do not use their own risk profile as the starting point for UPS calculation (Chart 2.). Furthermore, six companies (37.5% of all companies) state they use the standard formula for calculating total solvency requirements (Chart 2.).

Chart 2. 81,25% -> Percentage of companies using risk profile as the basis for UPS 37,50% -> Percentage of companies using the standard formula USING RISK PROFILE AND STANDARD FORMULA HANFA RECOMMENDATION Companies should not equate UPS with the SCR calculation based on the standard formula. If companies state that UPS is largely consistent with SCR, it is recommended to support such a conclusion with analysis of risk profile, risk tolerance, and business strategy. If companies use SCR calculation rather than their own risk profile as the starting point, there is a possibility they may not identify and appropriately cover all risks to which they are exposed, and the solvency assessment may not correspond to their actual solvency needs.

4.2. DEFINITION OF THE ANTICIPATORY PERSPECTIVE Companies should ensure that the UPS assessment is anticipatory with a medium- or long-term perspective. HANFA ANALYSIS Analysis of ORSA reports showed that all companies use a business planning period of three to five years. However, four companies (25% of all companies) should more strongly introduce an anticipatory approach. This implies more detailed explanations and application of the anticipatory approach throughout the entire ORSA report. Hanfa believes that a period of at least three years is necessary for the assessment to be sufficiently anticipatory. HANFA RECOMMENDATION For companies conducting life insurance business with traditional products, it is recommended to base their assessment on a five-year period. For the assessment to be appropriate, companies should also consider developing risks, emerging risks, and new relevant risks.

4.3. IDENTIFICATION AND MANAGEMENT OF RISKS Within the ORSA report, companies should prepare quantification of capital needs and a qualitative description explaining material risks regardless of whether they can be quantified. HANFA ANALYSIS Analysis of ORSA reports showed that companies state they have identified risks different from those included in the SCR calculation, e.g., liquidity risk and reputational risk. However, Hanfa observed that two companies (12.5% of all companies) do not adequately describe identified risks not covered by the standard formula. Furthermore, analysis of ORSA reports showed that improvement is needed in 11 companies (68.75% of all companies) regarding the description of risk monitoring and management methods. RECOMMENDATIONS

Share