Public companies have the Sarbanes Oxley Act of 2002 (SOX), financial services organizations face the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and the Solvency II Directive (Solvency II), healthcare providers have the Health Insurance Portability and Accountability Act (HIPPA) and now, insurance companies have Own Risk and Solvency Assessment (ORSA). The implementation of ORSA is the endeavor by the National Association of Insurance Commissioners to modernize the regulatory framework used by state insurance departments to regulate the U.S. insurance industry and enhance the capability of insurance companies to weather economic storms similar to those that battered the broader financial services industry and contributed to the global financial crisis.
U.S.-based insurance companies have embarked on a new journey as they prepare to produce and file their first ORSA Summary Report in 2015. The filing of this report marks a key milestone of the Solvency Modernization Initiative. For some insurance companies, the ORSA journey has yet to begin, while other organizations already have a clear roadmap and a strategy to reach their destination in an organized and orderly manner. Many recognize that the unknown is proving to be a significant challenge. What is the key differentiator? The answer lies in the strength and maturity of an organization’s current risk management structure and practices. St. John’s University recently teamed with Protiviti to conduct a survey of more than 100 industry executives to assess the state of readiness of insurance organizations as they continue with their preparation for their initial ORSA Summary Report, as well as to determine ORSA’s impact on different areas of their risk management processes.
In this report we will detail the five key findings from this survey, which include: Insurance offerings could change; ORSA will change risk oversight, improve ERM, and help with the integration of risk and strategy; Many organizations need new controls and policies; More education and training is needed at the board and executive levels; In risk reporting, there’s some disagreement between management and the board.