SS19/16 – Solvency II: ORSA

1.1

This supervisory statement (SS) is addressed to all UK firms that fall within the scope of the Solvency II Directive (‘the Directive’),¹ and the Society of Lloyd’s. It sets out the Prudential Regulation Authority’s (PRA’s) expectations of firms regarding their own risk and solvency assessment (ORSA), including the ORSA report, the firm’s policy regarding its ORSA, and the associated processes.

1.2

This SS should be read together with SS41/15, ‘Solvency II: applying EIOPA Set 2, System of Governance, and ORSA Guidelines’,² the PRA’s rules in the Solvency II Sector of the PRA Rulebook, and the PRA’s insurance approach document.³

1.3

This SS expands on the PRA’s approach to insurance supervision as set out in its insurance approach document. By clearly and consistently explaining its expectations of firms in relation to the particular areas addressed, the PRA seeks to advance its statutory objectives of ensuring the safety and soundness of the firms it regulates, and contributing to securing an appropriate degree of protection for policyholders.

1.4

For non-life firms, this supervisory statement should be read together with the SS26/15 ‘ORSA and the ultimate time horizon – non-life firms’.⁴

2.1

It is fundamental to the ORSA that it is forward looking. The PRA expects firms to find ways to estimate their future solvency position while assessing their current risk profile and how it is likely to change with the proposed business strategy. The ORSA should contemplate those risks to which the firm may become exposed in the future.

2.2

The PRA expects all insurance firms to consider stress testing as a tool for assessing the risks to which they are exposed and to assist in quantifying their potential impact.

2.3

It is important that the ORSA supervisory report has an identifiable and analytical framework. The PRA finds that good ORSA reports often:

• include a clear summary;
• highlight the key outcomes of the process;
• are not too long; and
• clearly signpost supporting documentation.

3.1

The ORSA policy is a standalone document and not, for example, part of the ORSA report. The PRA expects a separate ORSA policy⁵ to be sufficiently detailed, rather than generic. The ORSA policy is expected to include the process and procedures required by the ORSA framework. Examples of good practice include:

• a clear scope which states whether the ORSA is for a group, solo entity or both;
• a clear list of all entities captured by the ORSA (as well as a list of entities which have been excluded);
• a description of how the ORSA incorporates the strategic and business planning processes;
• a description showing how the ORSA incorporates the risk profile, approved risk tolerance limits and overall solvency needs;
• the timing and frequency of the ORSA framework (including, for example, its detailed elements such as stress tests, sensitivity analyses and reverse stress tests) and the ORSA report, including the triggers for an ad hoc ORSA;
• information on data quality standards;
• the structure of the ORSA report, including details of the key ORSA records;
• a description of the roles and responsibilities of all those involved with the ORSA, including those of the board;
• details of how the board owns the ORSA framework and process; and
• a requirement for the board to approve the ORSA policy at least annually.

4.1

The Board plays a crucial role in owning the ORSA process, actively steering the process and embedding outcomes of the process into the overall decision-making framework. The PRA expects the ORSA report to evidence the board sign-off, and the key conclusions and management actions agreed. The report will be expected to provide details of how the different elements of the ORSA assessment have been considered (ie if a breach is within risk appetite) and how the output of the assessment supports strategic decisions.

4.2

Although the detail may not necessarily form part of the report, the PRA expects firms to have good supporting evidence which demonstrates any board or committee discussion and sign-off, and underlying material used during these assessments. A log of key decisions, documents used, and a list of follow-up actions for named individuals are examples of useful evidence of these processes.

4.3

To demonstrate embedding of the ORSA, some firms have introduced high-level management information as part of the ORSA framework (an ‘ORSA dashboard’) which follows a similar structure to the ORSA report but with up-to-date information presented visually, with tables, charts and key messages. This has enabled the board to revisit key decisions taken periodically, analyse the current and future risk profile, assess material risk drivers, and challenge the firm’s solvency assessment and strategy. Firms are encouraged to use methods such as these.

5.1

Central to the concept of the ORSA is that it may be used to demonstrate strong linkages between business strategy, risk, capital, and stress testing. In addition, firms are expected to be able to demonstrate that they have considered fully the impact of internal and external risks when presenting their strategy.

5.2

Good examples include a high-level summary of firms’ most recent performance as well as a three to five year forecast. The forward-looking quantitative information may include some granular data (eg class of business breakdown) and may be followed by a reasonable rationale on the strategies the firm is pursuing to meet its stated objectives. The analysis of different scenarios is important to identify how perceived risks are likely to impact the firm’s strategy and support the firm’s development of a proactive intervention framework, such as proposed controls and management actions.

5.3

The PRA expects firms to provide sufficient information to demonstrate the overall direction of the group from a strategic and risk perspective.

6.1

The PRA expects the ORSA to include an assessment of the risks it faces or may face in the future. Key risks would not be limited to quantifiable risks and would include non-quantifiable risks such as reputational, strategic, and group risks.

6.2

The PRA expects firms to identify the key risks to their strategy and show how these drive current and future risk profiles, as against firms’ stated risk appetite and tolerances. For example, within insurance risk, the PRA expects firms to consider how capital is distributed through the different classes and how it is likely to look in the future. Where necessary, the ORSA would highlight proposed management actions upon a perceived risk that may fall outside its appetite.

6.3

Following the identification of key and emerging risks, the PRA expects the assessment to include the identification of key controls and risk owners and to demonstrate that management actions to mitigate those risks are discussed and agreed. Where a firm decides to accept a material risk, the PRA expects the report to explain why it was considered appropriate.

6.4

For groups, the PRA expects firms to consider group-specific risks (such as leverage, dividend sustainability, access to funding, and liquidity) as well as group-wide risks (those risks associated with businesses owned by the group) including the risks from non-regulated, non-financial and non-EEA entities.

7.1

The PRA expects the assessment of firms’ solvency over the business planning period to form part of the ORSA process and report. In addition to articulating current regulatory (solvency capital requirement (SCR) and minimum capital requirement (MCR)) and own view of capital, the report is expected to highlight why firms believe capital buffers to be appropriate, set a capital contingency plan in case it breaches the required capital level, and include an assessment of the impact of any stress testing. The PRA expects key aspects of the methodology used and any deviations from the standard formula or internal model calculations to be explained.

7.2

The report is expected to state clearly the quality of own funds and how this is likely to change over the business planning period. Dividend policy is a key point in this assessment.

7.3

The PRA expects group reports to explain the derivation of the group solvency position, and any diversification benefit. This will include the capital position of any key subsidiaries, as well as the management actions the entities and the group could take if needed, and an assessment of the availability and transferability (fungibility) of own funds.

8.1

The PRA expects the ORSA to include a sufficiently wide range of plausible stress tests derived from the strategy and key risks identified during the process, to include a summary of the outputs from these tests and to describe how they affect firms’ solvency positions before and after proposed management actions.

8.2

The PRA expects firms to apply reverse stress testing as part of their ORSA process. The ORSA report should define what constitutes business failure and then detail what events could drive that outcome.

8.3

Firms are expected to perform sensitivity tests as part of stress testing. Within this assessment, firms are expected to identify key model assumptions and parameters used, given changes in parameters and its impact on capital.

8.4

The PRA expects firms to consider the quality and volatility of own funds with consideration of the capital’s loss absorbing capacity under different scenarios.

9.1

Where a group has received approval from the PRA to submit a single ORSA report which covers a number of entities,⁶ the PRA expects it to describe how the boards of each of the individual entities are involved in the process and sign-off. The report is expected to cover each of the entities to a suitable level of detail.

9.2

Conversely, where a group chooses to provide individual ORSA reports for each entity in the group, alongside a group ORSA covering just the group functions, the PRA expects the documents to describe how the individual ORSAs link to the overarching group ORSA.

9.3

The PRA expects group ORSAs to cover the business strategy, risk, capital and stress testing of the group as well as a consideration of the strategies of group businesses and any risks they may present.

10.1

The PRA expects, in line with Guideline 10 of the EIOPA Guidelines on own risk and solvency assessment,⁷ that all internal model firms’ ORSA reports will confirm and evidence the continued adequacy of the model to calculate the solvency capital requirement, and will confirm that all risks identified by the firm are included in the internal model. Any risks which are not accounted for in the internal model are expected to be included in the ORSA along with a justification for their exclusion from the model.

11.1

The PRA expects firms using the standard formula to explain clearly within the ORSA report where the firm’s own risk profile deviates from the standard formula assumptions, and conclude whether the standard formula is appropriate for the risks in the business and is representative of its risk profile. The PRA expects firms to consider any material deviations of the risk profile from the standard formula, and to demonstrate how the ORSA framework will be used by the firm to monitor, on an ongoing basis, the appropriateness of the standard formula.