
ORSA Compliance: 5 Steps You Need to Take in 2014

Contents

1. Risk Culture & Governance
2. Risk Identification & Prioritization
3. Risk Appetite & Tolerance Statement
4. Risk Monitoring, Controls & Action Plans
5. Risk Reporting & Communication

A publication of

LogicManager Copyright 2005-2014

LogicManager's All-in-One ERM Software: Enterprise Risk Management, Vendor Management, Regulatory
Compliance, IT Governance and Security, Financial Reporting, Business Continuity, Audit Management,
Performance Management, Policy Management. All the content you need & all connected.
Leadership: More than 2000 organizations use our risk management solution.
Insight: Put your risk picture together.
Cloud Computing: No up-front investment and no long-term commitment required.

Request a Demo

Chapter 1
Risk Culture & Governance

RMORSA Regulation
With the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA)
by the National Association of Insurance Commissioners (NAIC), insurers are required to take a broader
approach to risk management. The new ORSA requirement is one component of the NAIC's initiative to
bring the US into regulatory alignment with the International Association of Insurance Supervisors
Core Principle 16, Enterprise Risk Management.

Starting in 2015, insurers will be required to submit an annual ORSA summary report to their state
commissioner that details the insurer's risk management, capital management, and strategic planning,
along with the relationships between the three. The first section of the ORSA summary report is a
detailed description of the insurer's ERM framework.

One of the primary goals behind the implementation of RMORSA is to foster an effective level of ERM
for all insurers. This includes identifying, assessing, monitoring, prioritizing, and reporting on all
material and relevant risks.

Insurers have the opportunity to leverage much of their existing risk management capabilities in
becoming compliant with ORSA, as much of the ORSA requirements center around an ERM framework.

It is also important to note that the ORSA Guidance Manual stipulates that insurers with appropriately
developed ERM frameworks may not require the same scope or depth of review as organizations with less
defined processes.

3 Lines of Defense
For any organization, risk is an essential part of creating business value, and as such it needs to be managed in a way
that is beneficial to the bottom line of the organization. A risk governance structure needs to be put in place to collect
risk information at the activity level, where most operational risks materialize, and to aggregate this information to a
level senior management and the NAIC care about.

A best-practice approach that has been endorsed by the Institute of Internal Auditors (The IIA) is a 3 lines of defense
structure: operational management, or process owners, are expected to take ownership and accountability for the
risks faced by their business area as the primary line of defense.

First Line of Defense: Process Owners

Specifically, the IIA recognizes that this front line has the primary task of identifying, assessing, and mitigating
risks on a day-to-day basis.

Questions to ask yourself to determine if the process owners of your organization are operating effectively as a
first line of defense:

- Is each of your operational managers assigned a subset of your organization's overall risk library, and can they
  suggest additions to that subset?
- Do they have the ability to document control procedures in a way that ties them directly to their subset of risks?
- And finally, are there adequate supervisory functions in place to notify managers when a control breakdown or
  unexpected event takes place in upstream or downstream process areas?

Second Line of Defense: Risk Managers

The second line of defense is the risk management function, which provides oversight and facilitates the
implementation of effective risk management. The compliance function is also considered a second line of defense;
however, when compared with a risk management function, compliance is responsible for a specific subset of risks
related to applicable laws and mandates. Whereas the first line of defense is process specific, the second line of
defense is cross-functional or systemic. It serves the critical role of ensuring that mitigations and risk analysis are
taking place as intended, but cannot independently report on an enterprise picture of risk without input from process
owners. The responsibilities of an enterprise risk manager can include: providing a risk management framework,
identifying emerging risks and issues, setting standards, criteria and tolerance levels, and providing consulting and
mentoring to process owners.

Third Line of Defense: Internal Audit and Senior Management

The third line of defense, internal audit and senior management, offers independent assurance that risk management
is operating effectively. ORSA mandates that a Chief Risk Officer sign off on each ORSA report. As such, the CRO and
risk committee will be largely responsible for their organization's compliance with ORSA. With clearly defined
strategic objectives set by senior management, the risk manager's role is then to close the gap between strategic-level
risk and all the operational risks faced at the front line of the organization.

Tone From The Top

Figure: a positive risk culture flows from the Board of Directors through Risk Managers to Process Owners.

Roles and responsibilities need to be clearly defined and articulated so that there is accountability at all risk levels in your
organization. Setting the right tone for your ERM program starts at the top with your board of directors and senior executives.
Getting their support and approval of your ERM program exudes a positive risk culture to the rest of the organization. This will
lead to better engagement in risk management processes at all levels of the organization. The more integrated ERM is in
everyone's job description, the easier risk assessments will become and the more valuable they will be.

Chapter 2
Risk Identification & Prioritization

Just discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but with the
implementation of ORSA, insurers are now required to detail how they identify and categorize all relevant and material
risks. This means that more business value and better decision making are expected from risk assessments. Formalized
risk assessments allow risk managers to leverage existing activities in an objective, quantifiable, repeatable manner to
show how risks and activities at the process level are impacting strategic objectives.

Formalized Risk Assessment Process


The most effective way to collect risk data is to identify risk by root cause. It is impossible to get a clear risk
picture of strategic objectives without breaking them down into root cause, actionable, silo-specific activities.
Identifying the root cause of a risk provides information about what triggers a loss, where an organization is
vulnerable and where resolving systemic risks can lead to efficiency gains.

Figure: Root-cause concept. Strategic Objectives are broken down through Risk Assessments to Root Causes
(Root Cause 1, 2, 3), which drive Outcomes (1, 2) and are addressed by Mitigation Activities (1, 2, 3).

However, orienting process owners to root cause is often easier said than done. Typically, management tends to think in
terms of outcomes or events they want to avoid or achieve, and the effects of such events. While there are a limitless set
of outcomes, as risk managers we need to operate at the root cause level in order to design effective mitigation activities.

5 Root-Cause Categories

- External: Risks caused by outside people, entities and environments
- People: Risks involving people who work for the organization
- Process: Risks arising from the organization's execution of business operations
- Relationships: Risks caused by the organization's connection with third parties
- Systems: Risks due to data or information assets

Prompt Root Cause

Most assessments jump to the "What could go wrong?" aspect of risk identification, which is often just a
detailed effect or symptom. Understanding the root cause requires identifying the drivers, the WHY, of the
risk. You can begin to implement this root-cause approach in a facilitated session, or you can use a system
to prompt assessors on the root causes of their concerns, which helps implement this solution on an
enterprise scale.

As a first step, consider prompting process owners and business areas to select the root-cause category of
their concern. Beginning with a root-cause risk library enables organizations to track the selection of
root-cause risks across multiple business areas, which helps identify systemic risks throughout the
organization and areas of upstream and downstream dependencies.

Risk Assessments: Use a Common Numerical Scale and Criteria Throughout Your Organization

High, medium and low scales make it difficult and time-consuming to quantify, aggregate, and objectively
rank information. You should use at least a 1-5 scale.

Best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization,
split into 5 buckets to provide a high and low of each bucket. Using a 1-10 scale makes the math easy, and
having the 5 buckets gives process owners doing the assessments flexibility to select the high or low of a
bucket.

Giving people more flexibility in their assessments will give you better accuracy and more ability to
determine what your top risks really are.

Risk Assessments: Carry Out Assessments on the Same Standards and Assumptions

Score   Severity        Dimensions assessed at each level
1-2     Insignificant   Financial, Legal, Operational, Regulatory, Strategic
3-4     Minor           Financial, Legal, Operational, Regulatory, Strategic
5-6     Moderate        Financial, Legal, Operational, Regulatory, Strategic
7-8     Serious         Financial, Legal, Operational, Regulatory, Strategic
9-10    Major           Financial, Legal, Operational, Regulatory, Strategic

There are multiple ways of expressing severity, both qualitatively and quantitatively. Severity should be
outlined for financial, legal, operational, regulatory, and strategic dimensions, among others. Each bucket
should have a variation of criteria applicable to that level of severity.

For example, if we are looking at the Impact criteria:

7-8 Serious
- Financial: Negative impact on net income of $15 million to $20 million
- Financial: Alternative financing (debt), sale or restructuring of the organization could be required
- Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
- Regulatory: Regulatory penalties are required

9-10 Major
- Financial: Negative impact on net income over $20 million
- Financial: Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
- Operational: Long-term impairment of critical functions makes the organization vulnerable to forced sale
  or merger
- Regulatory: Regulatory agencies seize control of assets or are granted absolute decision-making authority

In short, 9-10 Major means, in financial terms, a specific dollar amount considered to be catastrophic to
your organization and, in regulatory terms, agencies shut you down or take over. 7-8 Serious means, in
financial terms, the next level down, painful but survivable, and, in regulatory terms, penalties are
required.

Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that
level. This way, any qualitative criterion can be given a score to become quantitative and comparable
across the enterprise.

Risk Assessments: Carry Out Assessments with the Same Standards and Assumptions

Additionally, you need defined evaluation criteria for these scales. Often, one person's 9 is another person's 7. You
should provide a clear definition of what each of the 5 buckets is, in unambiguous terms.

Strategic Objectives: Objectively Aggregate Risk Information to a Strategic High Level

Now that assessment scores are numerical and comparable, you can create simple formulas to automatically
calculate the inherent and residual indexes of risks, and risks across your organization can be sorted and
objectively ranked. For ORSA reports, aggregate risks relating to the same strategic goal or other
cross-functional topic, like risk category frameworks, providing an overall assessment score for
leadership, with actionable underlying data for when direction is given.

Chapter 3
Risk Appetite & Tolerance

How Do You Make Risk Appetite Actionable?

As a mandatory component of RMORSA, an organization-wide risk appetite statement provides direction for
your organization. A risk appetite statement should be reflective of your organization's strategic
objectives, stakeholder expectations, and key aspects of the business. Once your organization has
documented your risk appetite, with the Board's approval, the question becomes: how do you measure if
your organization is adhering to it?

The answer is to implement risk tolerances.

Risk Appetite and Risk Tolerance

Figure: performance chart with three bands, Risk Environment (grey lines), Risk Tolerance (purple area) and
Risk Appetite (green line).

In the chart shown, the organization's projected path of performance is plotted in green. This line and the immediate area around it
represent the risk appetite, or goal, of the organization. If the organization were to pursue or retain all risks in its environment, its
performance could fall anywhere between the grey lines. Most organizations are uncomfortable taking on all available risk, and new
laws and regulations require companies to implement narrower tolerances (purple area).

Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which in
turn provides a higher degree of comfort that the company will achieve its objectives.

Risk Appetite and Risk Tolerance

Risk Appetite: Doesn't accept risks that could result in a significant loss of its revenue base.

Risk Tolerance: Doesn't accept risks that would cause revenue from its top 10 customers to decline by more than 1%.

In other words, while risk appetite is a higher-level statement that considers broadly the levels of risk that management
deems acceptable, risk tolerance sets acceptable levels of variation around risk and can be more readily measured.

For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is
expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from
its top 10 customers to decline by more than 1%, it is expressing tolerance.

Prioritize Resources by Cut Level

Because all risk assessments are conducted on standardized criteria, you can discuss with your board or senior management to
determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help
you prioritize resources to the risks that need stronger coverage.

Every day, process owners are making operational decisions about risk far from the organization's risk appetite statement. Process
owners must look at their assessments, and if a risk exceeds or is below the range of set tolerance, they must adjust mitigation
activities, procedures, or controls to get within the risk tolerance or escalate the issue.

View Risk Trends by Tolerance Range

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness
and contribute to achieving your strategic goals. Aligning your tolerances with risk appetite and strategic goals can be challenging,
but by trending risks over time you can get a more accurate picture of where you are and where you need to be to reach your goals.
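The scoring and roll-up steps from Chapter 2 (a common 1-10 scale in five buckets, inherent and residual indexes, aggregation to strategic goals) and the uniform cut level from this chapter can be carried through as one small risk-register calculation. The Python below is an added worked example, not LogicManager's code or anything the guide ships. The five buckets, the rule that only one impact criterion needs to be met, and the above-average cut level come from the text; the index formula (likelihood times impact, with the residual index scaled by an assumed control-effectiveness factor), the mitigation-coverage percentage, and every risk in the sample register are constructed assumptions.

```python
"""Risk register scoring on a 1-10 scale, roll-up to strategic objectives
and cut-level filtering.

Added worked example, not LogicManager's code. Buckets, the "one criterion
is enough" rule and the above-average cut level follow the guide; the index
formula, the control-effectiveness factor and the sample register are
constructed assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean

# Five severity buckets on the 1-10 scale, each with a low and a high score.
BUCKETS = [
    ((1, 2), "Insignificant"),
    ((3, 4), "Minor"),
    ((5, 6), "Moderate"),
    ((7, 8), "Serious"),
    ((9, 10), "Major"),
]


def bucket(score):
    """Map a 1-10 score to its severity bucket; rejects anything off the scale."""
    if not isinstance(score, int) or not 1 <= score <= 10:
        raise ValueError("score must be an integer from 1 to 10, got %r" % (score,))
    for (low, high), name in BUCKETS:
        if low <= score <= high:
            return name


@dataclass
class Risk:
    name: str
    root_cause: str            # External, People, Process, Relationships or Systems
    objective: str             # strategic objective the risk rolls up to
    likelihood: int            # 1-10
    impact: dict               # dimension -> 1-10 rating where a criterion is met
    control_effectiveness: float = 0.0   # assumed 0..1 reduction from linked controls
    controls: list = field(default_factory=list)


def impact_score(ratings):
    """Only one criterion at a level needs to be met, so the impact factor is
    the highest rating across the dimensions that were rated."""
    if not ratings:
        raise ValueError("rate at least one impact dimension")
    for value in ratings.values():
        bucket(value)  # validates the 1-10 range
    return max(ratings.values())


def inherent_index(r):
    """Index before controls: likelihood x impact, on a 1-100 range."""
    bucket(r.likelihood)
    return r.likelihood * impact_score(r.impact)


def residual_index(r):
    """Index after controls; assumed model: inherent scaled by effectiveness."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return round(inherent_index(r) * (1.0 - r.control_effectiveness), 2)


def rank(risks):
    """Risks sorted by residual index, highest first."""
    return sorted(risks, key=residual_index, reverse=True)


def aggregate_by_objective(risks):
    """Roll process-level residual indexes up to each strategic objective
    (mean index and risk count), highest-scoring objective first."""
    groups = {}
    for r in risks:
        groups.setdefault(r.objective, []).append(residual_index(r))
    rolled = {obj: {"score": round(mean(v), 2), "risks": len(v)} for obj, v in groups.items()}
    return dict(sorted(rolled.items(), key=lambda kv: kv[1]["score"], reverse=True))


def cut_level(risks):
    """Uniform cut level; here the average residual index, as in the guide's
    dashboard example."""
    return round(mean(residual_index(r) for r in risks), 2)


def key_risks(risks, cut=None):
    """Risks at or above the cut level: the ones that need stronger coverage."""
    cut = cut_level(risks) if cut is None else cut
    return [r for r in rank(risks) if residual_index(r) >= cut]


def mitigation_coverage(risks):
    """Percentage of the given risks with at least one linked control."""
    if not risks:
        return 0.0
    return round(100.0 * sum(1 for r in risks if r.controls) / len(risks), 1)


# Constructed sample register; names, scores and controls are illustrative only.
REGISTER = [
    Risk("Online banking outage at peak load", "Systems", "Customer Satisfaction",
         7, {"Financial": 6, "Operational": 8, "Regulatory": 4}, 0.25, ["Cross-training program"]),
    Risk("Claims vendor misses SLA", "Relationships", "Customer Satisfaction",
         5, {"Financial": 5, "Operational": 6}, 0.5, ["Vendor SLA monitoring"]),
    Risk("Policy mispriced from stale rate table", "Process", "Profitable Growth",
         4, {"Financial": 9, "Strategic": 7}, 0.6, ["Quarterly rate review"]),
    Risk("Statutory filing deadline missed", "People", "Regulatory Standing",
         3, {"Regulatory": 8, "Legal": 5}),
    Risk("Catastrophe losses exceed reinsurance", "External", "Profitable Growth",
         2, {"Financial": 10, "Strategic": 9}, 0.3, ["Reinsurance treaty"]),
]

if __name__ == "__main__":
    cut = cut_level(REGISTER)
    for r in rank(REGISTER):
        flag = "KEY" if residual_index(r) >= cut else "   "
        print("%s %6.2f %-13s %s" % (flag, residual_index(r), bucket(r.likelihood), r.name))
    print("cut level:", cut, "| key risks mitigated: %.1f%%" % mitigation_coverage(key_risks(REGISTER)))
    print("by objective:", aggregate_by_objective(REGISTER))
```

Run as a script it prints the ranked register with the above-average risks flagged, the cut level, the share of those key risks that have a linked control, and the roll-up per strategic objective. Because every score sits on the same scale, the same functions serve the board view (one number per objective) and the drill-down (the ranked risks behind it).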


Chapter 4
Risk Monitoring, Controls & Action Plans

ORSA Requires Transparency Into If And How Risks Are Being Managed

Once you have identified the root cause of risks and objectively assessed them, ORSA requires transparency
into if and how risks are being managed by insurers as they execute their business strategy. To do this, an
organization must have adequate mitigation and monitoring activities in place.

Develop Risk Tolerances over Time

As risks are reassessed periodically, you can focus on emerging risks that become out of tolerance and spend less time
on risks that have decreasing indexes. This allows you to allocate resources to the issues and areas that will yield the
greatest benefits to the organization.

Figure: actual risk index trended over time against the tolerance level.

Increase Organization Efficiency

Systemic risk identification will detect areas of upstream and downstream dependencies throughout your
organization, such as when one area of the organization is unknowingly causing strain on other areas.
Additionally, this method could also identify areas that would benefit from centralized controls, so the
extra work of maintaining separate controls is eliminated, increasing organization efficiency.

Prioritize Activities

Figure: cycle of Collect Business Measures, Conduct Risk Assessments, Link Risks to Activities, and
Prioritize Activities to be Monitored.

Most organizations need a greater understanding of how the business measures that they rely on daily are
tied to their risks. If a risk or activity changes, organizations have no way of knowing how, or even if,
these changes will affect their metrics. By conducting risk assessments and linking risks to activities,
organizations can start prioritizing which activities need to be monitored.

Operational Risk Management

If risks are formally linked to anything, it is often Internal Audit or SOX controls, but all operational
controls, activities, policies and procedures need to be taken into consideration too. Most of the risk
management disasters we hear about were a result of poor operational risk management. Risk managers
are responsible for risk monitoring effectiveness: knowing what to monitor and how to determine if your
activities are effective or not.

Boards and CEOs, public and private, are depending on risk managers to monitor key risk indicators (KRIs) at
the business process level and to have the proven capability to escalate up to the board as appropriate.

Monitor Business Metrics

Collecting business metrics enables you to track the progress of your mitigation activities over time. You can set targets and tolerance
levels around these metrics. Warning signs appear as metrics begin to move out of tolerance, allowing you to take action before a negative
outcome materializes. Metrics need to be forward looking so that you can detect emerging trends long before they have significantly
affected your organization.

Risk Monitoring Example

Situation: The online banking system experiences significant downtime and the issue is not resolved in a
timely manner.

What They Found: The necessary expertise is not available during downtime to work on the issues.

Typical Solution: Provide a cross-training program to more individuals, giving the appearance that a
preventative measure has been put in place.

Testing:
Often, organizations get caught up in testing the compliance or occurrence of the control, such as: "Has
every new IT hire completed the training within the first 6 months?" Testing provides a high-level view of
whether a control is effective, usually in the form of pass or fail. Testing does not necessarily provide
you with actionable steps to take to improve a mitigation activity. Over time, organizations lose sight of
why the activity was implemented in the first place, in this case to improve system uptime.

Business Metrics:
Collecting business metrics enables you to track the progress of your mitigation activities over time. In
this situation, if the bank had been tracking system uptime, they would have seen that there was no
improvement from the control activity put in place, and reinvestigated to realize that the system was going
down during peak usage times, like lunch, when the subject matter expert was away from their desk! They
could then institute effective activities, like adding more memory to the system.
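To make the contrast between testing a control and monitoring the metric it is supposed to move concrete, here is an added Python example (not part of the guide and not LogicManager's code) that models the online banking case above: the cross-training control passes its pass/fail test, while the uptime KRI is checked against a tolerance floor, trended forward to estimate when it will breach, and compared before and after the control's rollout. The weekly uptime figures, the 99% floor, the rollout week and the hire records are all constructed.

```python
"""Key risk indicator (KRI) monitoring against a tolerance level.

Added example, not the guide's own code. Models the online banking case:
a control test that passes (cross-training completed on time) versus a
business metric (system uptime) that shows no improvement. Every number
below is constructed.
"""
import math
from dataclasses import dataclass


@dataclass
class Observation:
    period: str    # zero-padded label so string order equals time order
    value: float   # uptime percentage for that period


def control_test_passed(hires, deadline_days=180):
    """Pass/fail compliance test of the control itself: did every new IT hire
    complete cross-training within the deadline? Says nothing about uptime."""
    return all(
        h["completed_after_days"] is not None and h["completed_after_days"] <= deadline_days
        for h in hires
    )


def out_of_tolerance(obs, floor):
    """Periods in which the metric fell below the tolerance floor."""
    return [o.period for o in obs if o.value < floor]


def slope(obs):
    """Least-squares slope per period, the forward-looking signal: a negative
    slope means the metric is drifting down even while still in tolerance."""
    n = len(obs)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(o.value for o in obs) / n
    num = sum((i - x_mean) * (o.value - y_mean) for i, o in enumerate(obs))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def periods_until_breach(obs, floor):
    """Project the current trend forward: 0 if already breached, None if the
    trend is flat or improving, else the number of periods until the floor."""
    last = obs[-1].value
    if last < floor:
        return 0
    s = slope(obs)
    if s >= 0:
        return None
    return math.ceil((last - floor) / -s)


def control_effect(obs, rollout_period):
    """Change in the mean metric after the control was rolled out, in
    percentage points (positive means the control moved the metric)."""
    before = [o.value for o in obs if o.period < rollout_period]
    after = [o.value for o in obs if o.period >= rollout_period]
    if not before or not after:
        raise ValueError("need observations on both sides of the rollout")
    return round(sum(after) / len(after) - sum(before) / len(before), 2)


def verdict(obs, floor, rollout_period, hires, min_improvement=0.5):
    """Join the control test with what the metric says."""
    test_ok = control_test_passed(hires)
    effect = control_effect(obs, rollout_period)
    if effect < min_improvement:
        return ("control ineffective: test %s but metric changed %+.2f points; "
                "reinvestigate root cause" % ("passed" if test_ok else "failed", effect))
    if out_of_tolerance(obs[-1:], floor):
        return "improving but still out of tolerance"
    return "within tolerance"


# Constructed weekly uptime series (percent); cross-training rolled out in week 7.
UPTIME = [
    Observation("2014-W%02d" % w, v)
    for w, v in enumerate(
        [99.6, 99.5, 99.3, 99.2, 98.9, 98.8, 98.8, 98.7, 98.9, 98.6, 98.7, 98.6], start=1
    )
]
ROLLOUT = "2014-W07"
FLOOR = 99.0  # constructed tolerance: uptime must not fall below 99%

# Constructed training records: every hire finished inside 180 days.
HIRES = [
    {"name": "hire-1", "completed_after_days": 60},
    {"name": "hire-2", "completed_after_days": 150},
    {"name": "hire-3", "completed_after_days": 175},
]

if __name__ == "__main__":
    print("control test passed:", control_test_passed(HIRES))
    print("weeks out of tolerance:", out_of_tolerance(UPTIME, FLOOR))
    print("weeks to breach, seen from week 4:", periods_until_breach(UPTIME[:4], FLOOR))
    print("effect of control (points):", control_effect(UPTIME, ROLLOUT))
    print(verdict(UPTIME, FLOOR, ROLLOUT, HIRES))
```

The trend check is what makes the metric forward looking: evaluated after only the first four weeks, while uptime is still inside tolerance, the downward slope already projects a breach two weeks out. The before/after comparison is the check the bank in the example was missing; the control test passes, yet the metric moved the wrong way, which is the signal to reinvestigate the root cause rather than keep testing the training.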

Chapter 5
Risk Reporting & Communication

DASHBOARD #1: ROOT CAUSE

View Organization's Overall Risks
Using a common set of standards and assumptions means your organization's risks can be brought together and displayed on a single heatmap, where
issues in the upper right corner are most critical. This heatmap shows all of an organization's risks based on business-process-level observations. The
information stays current, and changes in assessments are immediately reflected.

DASHBOARD #1: ROOT CAUSE

View Risk by Strategic Imperative: Customer Satisfaction
Viewing risks by a theme, such as an initiative or concern, enables organizations to take action by measuring
progress toward a goal and adding context to what needs to be done.

DASHBOARD #2: ENTERPRISE VIEW

View by Strategic Goals
Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or
presenting a high-level summary, such as a top 10 risk report, which lacks the context of how risks within business processes relate to the objectives that
senior leadership and the board require. However, a common risk taxonomy allows organizations to gather business-activity-level data and aggregate it to a
high level that's better understood and more actionable for senior leadership.

DASHBOARD #2: ENTERPRISE VIEW

Drill Down to Activity Level when Necessary
For the top risks across the organization, risk managers often provide the more detailed underlying data, such as which business areas are
involved, what each area's individual risk profile is, what the mitigation strategy is, and how the risk is being monitored.

DASHBOARD #3: ERM PROGRESS

Percentage of Risks Formally Identified & Assessed
Risk management is a process, and the key to successfully monitoring the effectiveness of any process is measurement. The following are examples of
measures that will quantify and measure the value your ERM program is providing.
The first measure is Efficiency: risk assessments are done for each business process or business unit. The chart shows the number of risks identified (red)
and the number of risks assessed (blue) for each business process or business unit area. This tells the board how many of the risks in the enterprise have
been collected and evaluated.

DASHBOARD #3: ERM PROGRESS

Percentage of Risks Mitigated
The next critical value measure is Transparency (assurance of risk coverage): risk management doesn't stop at just risk identification and assessment. It's
also critical to show the state of ERM in terms of how many of those risks identified and evaluated are covered by mitigation activities. Notice the gap
between the red bar measuring the number of risks identified and assessed and the green bar measuring the number covered by mitigation activities.
Notice that each quarter the gap between the 2 bars is getting smaller. This shows how the state of ERM has evolved over the past several quarters.

DASHBOARD #3: ERM PROGRESS

Percentage of KEY Risks Mitigated
You can filter this gap by using a cut level, focusing only on risks whose residual index is above a tolerance threshold; for this example, simply above the
average. Now the board can have a meaningful discussion of what level of risk they are willing to accept, or how many resources they wish to allocate to
getting stronger mitigation activities in place to address this gap. This is matching risk tolerance to risk appetite in a way that is actionable, since
discrete risks are connected to discrete controls with ownership.

DASHBOARD #3: ERM PROGRESS

Performance Management
You can apply the same focus by filtering out low risks to show only the above-average risks and the corresponding mitigation activities that
directly impact each of the organization's strategic objectives. As risks are reassessed periodically, you can focus on emerging risks that become out of
tolerance and spend less time on risks that have decreasing indexes.
