Enterprise Risk Management (ERM)

Last Updated 12/21/2023

Issue: Enterprise risk management (ERM) has attracted much attention in the last several years, particularly following the great global financial crisis. In today’s uncertain world of complex and interrelated risks, an increasing number of financial institutions, including insurance companies, have implemented or are developing an ERM system.

Overview: Managing risks is paramount for insurers who have implemented, are developing, or are further enhancing their ERM systems. The accurate and deep understanding of the extent and composition of risk-taking and the great risk control gained through ERM can deliver significant strategic advantages. These advantages can translate into increased efficiencies and, ultimately, important tangibles: reduced earnings volatility, a stronger capital position, and higher profitability. The success of ERM depends on how well it integrates into the framework of tools already proven effective for risk management, such as Asset Liability Management (ALM), which cuts across different risk categories (underwriting, asset, and operational risks). All departments within an insurance company, including finance, actuarial, strategy, etc., are critical in the implementation of ERM. Each department first embeds ERM mainly into its own daily operations; it then connects across the organization's risk management infrastructure to become part of the overall decision-making.

Company size and complexity are among the key determinants for ERM adoption, with larger companies facing multiple risks more likely to develop a holistic risk management framework. Insurers active in a number of markets and offering complex products need specialists to deal with different risks, and they predictably move toward developing strong ERM systems. External institutional pressures, particularly from the regulatory community, have also been driving ERM implementation. The regulators intend to foster effective risk management at the enterprise (group) level for all insurers. Other external factors for ERM adoption originate from the market through the stock market and credit rating agencies, which have added ERM as a criterion in their credit analysis and their overall assessment of insurance companies' financial strength.

Status: The current solvency surveillance framework includes examination and analysis of insurers' ERM as outlined in the Exam and Analysis Handbooks. In October 2011, the IAIS adopted an Insurance Core Principle (ICP 8) on Risk Management and Internal Controls, which heightens the need for standards and provides guidance on ERM. During 2011, the Group Solvency Issues (E) Working Group determined that ERM, as well as ORSA (Own Risk and Solvency Assessment) requirements, were appropriate and beneficial for inclusion in the U.S. solvency framework. In 2012, the NAIC ORSA Guidance Manual and the Risk Management and ORSA Model Act (Model #505) were adopted.

The NAIC ORSA Guidance Manual provides information for insurers on performing their ORSA and documenting risk policies and procedures. NAIC Model #505 went into effect on Jan. 1, 2015 and requires insurers above a specified premium threshold to maintain a risk management framework, complete an ORSA, and file a confidential annual ORSA Summary Report with their lead state supervisor. Model #505 is a standard for accreditation of the state departments. Most of the adopting states required an ORSA Summary Report to be filed by the end of 2015. The rest required the first filing to be made by the end of 2016 or 2017, depending on the state.

As of June 2022, the Group Solvency Issues (E) Working Group is considering the integration of cybersecurity risk into insurers’ ERM. This may include consideration of the level of information provided to the board and/or senior management and the appropriateness of the insurer’s risk identification and assessment process.

Contacts

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org.

Jane Koenigsman
Sr. Manager, L/H Financial Analysis
Phone: 816.783.8145 

NAIC Center for Insurance Policy and Research (CIPR)
