A robust enterprise risk management process can help insurers meet many states' requirements that insurers perform their own risk and solvency assessments, or ORSAs, next year, but the requirements also could cause some headaches for insurers.

The solvency assessment, which grew out of the financial crisis of 2008 to allow regulators to better assess insurers' financial condition, will require insurers to document internal processes for regulators. Some of those processes might contain propriety information, which raises confidentiality concerns.

An ORSA is an internal process by an insurer or insurer group “to assess the adequacy of its risk management and current and prospective solvency positions under normal and severe stress scenarios,” according to the National Association of Insurance Commissioners, which promulgated a model law that 20 states have adopted in whole or part so far (see map, page 33).

The requirement will apply to any U.S. insurer that writes more than $500 million direct written and assumed premiums a year, and/or insurance groups that collectively write more than $1 billion in direct written and assumed premiums annually, the NAIC said on its website.

The ORSA will require those insurers to “analyze all reasonably foreseeable and relevant material risks,” such as underwriting, credit, market, operational and liquidity risks, and report its results to state regulators, the NAIC said.

“This is a concept that PCI and the rest of the industry worked with NAIC in adopting and drafting the model law,” said Steve Broadie, vice president of financial policy at the Chicago-based Property Casualty Insurers Association of America. “We think it's a positive product.”

A regulator involved with pilot ORSAs said insurers are stepping up to the plate.

“My sense is there has been a lot of positive feedback and there's good momentum going forward,” said Danny Saenz, senior associate commissioner of the Texas Department of Insurance and head of the NAIC's ORSA (E) subgroup. There were “noticeable improvements” in reports delivered to regulators in the 2013 pilot program compared with those of a year earlier, he said.

“We know it's an evolutionary process,” Mr. Saenz said. “We hope through dialogue between the regulators and the industry, we'll be able to work with them on improving the processes and the reports themselves.”

On its website, the NAIC stresses that an ORSA is not a “one-off exercise” but rather a “continuous evolving process” and should be a component of an insurer's ERM framework. It said the results and content of an ORSA report will vary from company to company and “demonstrate the results of management's self-assessment.”

“The fact that we have an ERM program that's very robust includes many of the requirements of the ORSA risk management requirements,” said Teri Molloy, vice president and controller of Johnston, Rhode Island-based insurer FM Global. “The challenges are really going through all of your existing policies and procedures and documenting them.”

She said the insurer is still in the documentation phase, “but because we have that strong ERM program, we're in good shape.”

However, even insurers with advanced ERM processes are concerned about some aspects of an ORSA, notably providing acceptable documentation and protecting the confidentiality of sensitive information provided to regulators. There also is some concern about regulators using the ORSA as a prescriptive exercise in which regulators would dictate the risk assessment.

“Most companies and our members already have some sort of risk management process in place,” said Phil Carson, assistant general counsel of the American Insurance Association in Washington. “They're used to evaluating their system on a regular basis and reporting to the management and board. Now you're talking about taking confidential business decisions and releasing it to someone else.”

“One of the things we've been concerned about is that the "O' remains in ORSA, that this remains an insurer's own risk assessment,” said PCI's Mr. Broadie “We're going to have to continue to watch to make sure this continues to be based on what the insurer is doing itself and not a prescribed check-the-box approach.”

“Many well-prepared insurers have either completed dry runs or they participated in one of the pilots,” said Carl Groth, a managing director in KPMG L.L.P.'s actuarial and insurance risk practice in New York. “On the other hand, some companies don't have multiyear time horizons for business planning purposes, which is required or at least implied by ORSA. That's making companies change or improve underlying business process.”

Some companies have struggled “with deciding upon a capital framework and developing a view on how their risk and capital assessments should be used to influence targets and performance management,” he said.

“Group solvency and prospective solvency requirements of ORSA may pose challenges for many insurers,” said Tom McIntyre, a principal in KPMG's actuarial and insurance risk practice in Tyson's Corner, Virginia. “Communicating results from complex new models is often difficult.”

“ORSA is an admission by external stakeholders that we only have a limited view of companies of what they're doing from the outside,” said Sridhar Manyem, a credit analyst at Standard & Poor's Corp. in Hightstown, New Jersey. The assessment puts an “onus on insurers to show, "I know the risk I'm taking, and here are the steps I'm taking to manage those risks, especially prospectively.' “

Documentation presents a challenge, since insurers must anticipate what regulators want, he said.

Mr. Manyem said insurers will have to reveal some of their future strategic plans to regulators as part of the process.

“Confidentiality of the information that we give is on the forefront of our minds,” said FM Global's Ms. Molloy. “If it got into the wrong hands, that wouldn't be good for any insurance company. The regulators are used to confidential information, so I have to believe that they have protections in place.”