Risk Management and Governance Lou Felice Health and Solvency Policy Advisor NAIC

Recap and Going Forward Touching on ERM and Governance in Existing U.S. Solvency Regulation RBC Reserves Analysis Exams ORSA Coming On Line Corporate Governance Standards / Best Practices Being Developed

Risk Management Framework - RBC Use of the Capital Requirement RBC has some influence on insurers’ risk management (e.g. Reserves reduced for reinsurance, but not for collateral); addressed mainly through other supervisory tools SII is designed to provide incentives for risk management Capital add on may be required by regulator, but it is not part of the RBC capital amount SII capital add on increases SCR

Risk Management Framework – PBR Reserves Governance Guidance in Valuation Manual (VM-G) – All Applicable to the PBR function Guidance for the Board of Directors Best practices for oversight, review and interaction with senior management v Guidance for Senior Management Oversight of actuarial valuation function:risk tolerance ; assumptions; to mitigation strategies; adequate expertise and resources Guidance for Actuary Adequate review, testing of assumptions, cooperation with internal / external auditors and regulators

Risk Management Framework - Analysis Continuous monitoring/qualitative assessments using regulator only data – assess: Changes in business plan Material transactions, including group transactions Implications for reputation/contagion risks Impacts of major economic and insurance events, and Stress testing In depth assessments of (potentially) troubled insurers More frequent/extensive: Insurer reporting Regulator analyses/exams Authorities for regulatory actions include Conservation/rehabilitation/liquidation in the domiciliary state Suspending or revoking license to write in the state

Risk Management Framework – Analysis (ORSA) ORSA process is one element of insurer’s broader ERM framework Links the insurer’s risk identification, measurement and prioritization processes with capital management and strategic planning Each insurer’s ORSA process will be unique, reflecting its business, strategy and approach to ERM Regulators will use the ORSA Summary Report to gain a high-level understanding of the process Summary Report may be provided in any combination as long as all insurance legal entities within the group are represented Summary Report will be supplemented by the insurer’s internal risk management materials Summary Report, at a minimum, should discuss: Section 1 – Description of Insurer’s Risk Management Framework Section 2 – Insurer’s Assessment of Risk Exposure Section 3 – Group Risk Capital and Prospective Solvency Assessment

Risk Management Framework – Financial Exams Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Understand the Company and Identify Key Functional Activities to be Reviewed Identify and Assess Inherent Risks in Activities Identify and Evaluate Risk Mitigation Strategies/Controls Determine Residual Risk Establish/Conduct Exam Procedures Update Prioritization and Supervisory Plan Draft Exam Report and Management Letter Based on Findings Phase 7 Planning

Risk Management Framework - Financial Exams To provide a clear methodology for assessing residual risk and how it translates into examination procedures; To allow the assessment of risk-management processes in addition to those which relate to financial statement line items; and To utilize examination findings to establish, verify or revise company’s priority score. © 2009 The National Association of Insurance Commissioners All Rights Reserved

Risk Management Framework - Exams Identify and understand internal controls that the insurer has in place for each risk Consider whether the controls appear to be designed appropriately to mitigate each risk If not, no need to test controls If so, test the controls for operating effectiveness Not required if testing will be inefficient Conclude whether the internal controls effectively mitigate each inherent risk Strong, Moderate or Weak © 2009 The National Association of Insurance Commissioners All Rights Reserved

Risk Management Framework – Financial Exams Review Existing Control Documentation SOX Workpapers Internal Audit Workpapers External Audit Workpapers Model Audit Rule Requirements Utilize where relevant to exam © 2009 The National Association of Insurance Commissioners All Rights Reserved

Solvency Modernization Initiative (SMI): ORSA

US Solvency Framework US Own Risk & Solvency Assessment (ORSA) ORSA Manual developed with industry comments Two primary goals: Foster effective level of ERM, thru which each insurer identifies and quantifies material and relevant risks using techniques appropriate to the nature, scale and complexity of the insurer’s risks, in a manner adequate to support risk and capital decisions Provide a group-level perspective on risk and capital as a supplement to the existing legal entity view ORSA Exemption Individual insurer’s annual direct written and unaffiliated assumed premium, including international direct and assumed premium but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, is less than $500,000,000; and Insurance group’s (all insurance legal entities within the group) same annual premium is less than $1,000,000,000 Insurer specific waiver granted by Commissioner based upon unique circumstances including, but not limited to, type and/or volume of business written

ORSA Model adopted effective 1/1/15 ORSA Guidance Manual Section 1-Description of insurers ERM Section 2-Insurer assessment of risk exposure Section 3-Group risk capital and prospective solvency assessment

ORSA Current Status ORSA Pilot Project Summer 2012 Feedback to industry ORSA Subgroup report to E Committee Make a few modifications to the guidance manual Post observations to NAIC website Referrals to FAH and FEH-Subgroup to continue to provide guidance to these groups No Part B Accreditation Standards at this time 2013 ORSA Pilot

ORSA-What to Expect No two ORSAs will be the same, nor should they Regulatory guidance will be high level Regulators need to learn by reviewing Staffing? ERM expert? ERM or actuarial consultant? As you learn, you will begin to see what you believe are best practices, and begin to set expectations Will result in interaction, but hopefully not mandates with some exceptions Internationally active insurers ORSAs (or result) may be treated differently

ORSA-What is Included in Manual Section 1-Description of insurers ERM Risk Culture and Governance Risk Identification and Prioritization Risk Appetite, Tolerances and Limits Risk Management and Controls Risk Reporting and Communications

ORSA-What to Expect Section 2-Insurer assessment of risk exposure This section typically identifies where the insurer believes its major risks lie (e.g. interest rate risk, equity risk, catastrophe risk, terrorism risk, certain lines of business, certain investment risks, etc.) May also identify financing risk (debt covenants, rating agency requirements, unused debt or unused liquidity) Typically contains some amount of discussion on how each of the risks are mitigated. In some cases the information may be very quantitative (e.g. limits), in other cases more qualitative (e.g. reinsurance limits, hedging program discussion and limits, and other more specific mitigators for more specific risks. Less of a sales opportunity and less need to be examined that section 1 since it will likely tend to be more specific and factual. Maybe the single most important part of the ORSA to the extent company can articulate how well the mitigators and stresses are used and relate to the major risks of the company. Particularly helpful where there is a particular area of concern that the regulator may have (e.g. low interest rate environment, concentration risk, etc.) Helpful because it demonstrates the rigor and thoughtfulness of the company. Likely would need to be explained by the company to make sure there is a good understanding. Role of the examiner vs. analyst to avoid duplication

ORSA-What is Included in Manual Section 3-Group risk capital and prospective solvency assessment Combines outcomes of sections 1 and 2 Testing available capital Description of methods and assumptions used Basis of accounting (e.g. GAAP, economic) Time Horizon (e.g. for economic) Value at risk (Var), Tail-value at risk (TVAR), Probability of Ruin AA solvency, 99.X%, 1-year VAR, TVAR or CTE, X% of RBC, etc Aggregation or diversification

ORSA-What to Expect Section 3-Group risk capital and prospective solvency assessment Perhaps the most useful section, particularly to the analysis process Provides a new window (to rating agency capital) that was always desired but rarely provided to regulators. Typically some comparison to SAP RBC. Provides even more useful data for the more sophisticated companies in the form of an economic capital. Some of the largest companies will likely submit an assessment that may share Solvency II type of methods (1 year 99.5% Var approach) or methods looked for by rating agencies (e.g. AA rating from S&P) May identify the capital by areas of risk. May discuss liquidity in addition to capital in similar fashion. Should include how the capital changes under different stresses. Particularly helpful where there is concern regarding sensitivity of the business plan to ratings. Similar to section 2, demonstrates the rigor and thoughtfulness of the company. May need to be explained by the company to make sure there is a good understanding. Role of the examiner vs. analyst to avoid duplication

Solvency Modernization Initiative (SMI): Corporate Governance © 2011 National Association of Insurance Commissioners All Rights Reserved

What is Corporate Governance? CG address insurer insolvencies Rules and practices ensuring: Accountability fairness and Transparency © 2011 National Association of Insurance Commissioners All Rights Reserved

What is Corporate Governance? Rules and practices ensuring: Accountability fairness and Transparency Between insurers and stakeholders. © 2011 National Association of Insurance Commissioners All Rights Reserved

FSAP- 2009 CG Recommendations Topic Recommendation Suitability of Persons Specific requirements in relation to individuals’ fitness and propriety should be adopted. Corporate Governance Consider issuing more guidance on good and bad practices in corporate governance for insurers Internal Controls Consider the scope for issuing guidance on good and bad practices in internal control. Make a formal requirement for insurers to have an internal audit function. Enforcement or Sanctions The insurance laws should be changed to provide the supervisory authority with powers to fine individual directors and senior managers of insurers Risk Assessment and Management The relevant laws, regulations or standards should be changed to include a requirement that an insurer have in place comprehensive risk management policies and systems capable of promptly identifying, measuring, assessing, reporting and controlling their risks. Insurance Activity: Board Approval Requirement The relevant laws or regulation should explicitly provide that an insurer must have in place strategic underwriting and pricing policies approved and reviewed regularly by the Board. Corporate Governance As examiners gain experience, the NAIC and/or departments should consider issuing more guidance on good and bad practices in corporate governance for insurers. This would help examiners and firms to develop a clearer expectation of what constitutes effective governance for insurance business, including for groups. Internal Controls As examiners gain experience, the NAIC and/or departments should consider the scope for issuing guidance on good and bad practices in internal control. They should also make it a formal requirement for insurers to have an internal audit function. Such a function is now widely considered as an important part of a good control framework—similarly to audit committees, where there are now extensive requirements of all but the smaller insurers. Enforcement or Sanctions The insurance laws should be changed to provide the supervisory authority with powers to fine individual directors and senior managers of insurers, and to bar them from acting in responsible capacities in the future. Risk Assessment and Management The relevant laws, regulations or standards should be changed to include a requirement that an insurer have in place comprehensive risk management policies and systems capable of promptly identifying, measuring, assessing, reporting and controlling their risks. Insurance Activity: Board Approval Requirement The relevant laws or regulation should explicitly provide that an insurer must have in place strategic underwriting and pricing policies approved and reviewed regularly by the Board.

Corporate Governance Working Group- Formed Formed at the 2009 Winter NM Part of a broader Solvency Modernization Initiative Considering changes to improve Corporate Governance practices and regulator assessment http://www.naic.org/committees_e_isftf_corp_governance.htm © 2011 National Association of Insurance Commissioners All Rights Reserved

CGWG Charges Charges Outline high-level corporate governance principles. Determine the appropriate methodology to evaluate adherence with such principles, giving due consideration to development of a model law. Analyze the requirements, regulatory initiatives and best practices of the states, other countries and regulators, and the insurance industry, to assist in principle development. Develop additional regulatory guidance including detailed best practices for the corporate governance of insurers Review the current IAIS principles and standards related to corporate governance. Critically review and provide input and drafting to the IAIS Governance and Compliance Subcommittee, and on other IAIS papers as assigned by the parent Task Force. From this work, identify future initiatives to improve our regulatory solvency system. Consider the development of insurance regulatory education for members of insurers’ Boards of Directors.

Corporate Governance Working Group ICP 5: Suitability of Persons ICP 7: Corporate Governance ICP 8: Risk Management and Internal Controls Study of existing requirements related to corporate governance US- Non-Insurance US- Insurance IAIS- ICPs Comparative Analysis © 2011 National Association of Insurance Commissioners All Rights Reserved

Corporate Governance Working Group September 28, 2012 - Exposure Proposed Responses to a Comparative Analysis of Existing U.S. Corporate Governance Requirements Summary available at: http://www.naic.org/documents/committees_e_isftf_corp_governance _exposures_proposed_responses_comparative_analysis.pdf © 2011 National Association of Insurance Commissioners All Rights Reserved

Example of Proposed Enhancement to CG EXAMPLE TOPIC Describe your organization’s governance structure, including a description of the Board and various committees ultimately responsible for governing the organization. a. Discuss the rationale for the current Board size and structure, explaining why the organization believes it to be appropriate; Annual reporting of CG practices

Example of Proposed Enhancement to CG Develop a more Common Methodology for both analyst and examiners to use in the assessment of Corporate Governance.

Other Proposed Enhancements to CG Internal Audit- Large Insurers Referrals to other NAIC working groups Requiring an element of CG be included in Model #385 for Accreditation purposes.