On 25 November 2016, the Prudential Regulation Authority (PRA) published supervisory statement SS19/16: Solvency II: ORSA which sets out the PRA’s expectations of firms regarding their own risk and solvency assessment (ORSA). SS19/16 should be read with SS41/15 Solvency II: applying EIOPA Set 2, System of Governance and ORSA Guidelines, the Solvency II section of the PRA Rulebook and the PRA’s insurance approach document. For non-life firms, SS19/16 should be read with SS26/15 ORSA and the ultimate time horizon – non-life firms.
SS19/16 sets out the following PRA expectations:
- ORSA supervisory report. Firms are expected to find ways to estimate their future solvency position while assessing their current risk profile and how it is likely to change with the proposed business strategy. The ORSA should contemplate potential future risks. The PRA describes good practice for the contents of ORSA reports. This includes: a clear summary, highlighted key outcomes of the ORSA process, brief reports, clear signposting.
- The ORSA policy. The ORSA policy is a standalone document which the PRA expects to be sufficiently detailed and to include the process and procedures required by the ORSA framework. The policy document should include the process and procedures required by the ORSA and cover such things as: scope (i.e. whether solo entity, group or both), how the ORSA covers strategic business planning, timing and frequency, data quality, details of board ownership and the requirement for board approval).
- Board sign-off and embedding of the ORSA. The PRA expects the ORSA report to evidence board sign-off, key conclusions and management actions agreed. The report should detail of how different elements of the ORSA assessment have been considered. The PRA expects firms to have good supporting evidence which demonstrates board or committee discussion and sign-off. Examples include a log of key decisions, documents used and a list of follow-up actions.
- Business strategy. Firms are expected to demonstrate that they have considered fully the impact of internal and external risks when presenting their strategy. The PRA expects firms to provide sufficient information to demonstrate the overall direction of the group from a strategic and risk perspective.
- Risks. The ORSA should include an assessment of current or potential future risks. Firms should identify key risks and show how these drive current and future risk profiles. Key risks include non-quantifiable risks such as reputational, strategic and group risks. The assessment should include the identification of key controls and risk owners and demonstrate that management actions to mitigate those risks have been discussed and agreed. Where firms accept material risks the PRA expects the report to explain why. For groups, firms are expected to consider group-specific risks as well as group-wide risks including the risks from non-regulated, non-financial and non-EEA entities.
- Capital and Solvency. The assessment of firms’ solvency over the business planning period should form part of the ORSA process and report. Key aspects of the methodology used and any deviations from the standard formula or internal model calculations should be explained. The report should state clearly the quality of own funds and how this is likely to change over the business planning period. The PRA expects group reports to explain the derivation of the group solvency position and any diversification benefit.
- Stress testing. The ORSA should include a sufficiently wide range of plausible stress tests; a summary of the outputs from these tests; and describe how they affect firms’ solvency positions before and after proposed management actions. The PRA expects firms to apply reverse stress testing as part of their ORSA process. Firms should perform sensitivity tests as part of stress testing. Firms should consider the quality and volatility of own funds with consideration of the capital’s loss absorbing capacity under different scenarios.
- Groups. Where a group submits a single ORSA covering a number of entities, it is expected to describe how the boards of each individual entity are involved in the process and sign-off. Conversely, where a group chooses to provide individual ORSA reports for each entity alongside a group ORSA, the PRA expects the documents to describe how the individual ORSAs link to the overarching group ORSA. Group ORSAs should cover group business strategy, risk, capital and stress testing as well as a consideration of group business strategies.
- Internal Model. The PRA expects, in line with EIOPA Guideline 10, all internal model firms’ ORSA reports to confirm and evidence that the model continues to be adequate in calculating the SCR and to confirm that all risks identified are included in the internal model. Any risks not accounted for in the internal model are expected to be included in the ORSA together with a justification for their exclusion.
- Standard formula. Firms using the standard formula are expected to explain clearly within the ORSA report where its risk profile deviates from standard formula assumptions and conclude whether the standard formula is appropriate and representative of its risk profile. The PRA expects firms to consider any material deviations from the standard formula, and to demonstrate how the ORSA framework will be used to monitor on an ongoing basis the appropriateness of the standard formula.