The groundwork for RMORSA was laid with the International Association of Insurance Supervisors' (IAIS') Insurance Core Principle 16 - Enterprise Risk Management - and many of the ORSA requirements can be fulfilled by adopting an ERM framework built on five core elements:
- Risk Culture and Governance
- Risk Identification and Prioritization
- Risk Appetite and Tolerances
- Risk Management and Controls
- Risk Reporting and Communication
Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks "may not require the same scope or depth of review" as organizations with less defined processes. In this blog series, each of the core elements will be examined with an emphasis on preparing your organization for ORSA compliance. Today's post will explore the first key principle: Risk Culture and Governance.
As defined by the NAIC, Risk Culture and Governance provides defined roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds on a 2010 SEC disclosure rule requiring corporate boards to document their role in overseeing enterprise risk. This rule extends the board's role in risk oversight from C-level risks, activities, and decisions down to accountability at the business process level. Boards are explicitly given a choice between having effective risk management and disclosing its absence to the public. Doing neither exposes them to claims of fraud or negligence. SEC enforcement actions have doubled in recent years, so it's likely your board has already established risk management as a priority. But what does this mean for your organization?
The first practical issue is that it is no longer sufficient to rely on the audit function as the hub for risk management. Risk has always been the responsibility of process owners, and ORSA now mandates better oversight under the guidance of a dedicated risk management function. Many organizations have taken the critical first step by establishing executive responsibility in a Chief Risk Officer (a CRO is in fact required to sign off on the ORSA assessment), but without the tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front-line managers hear "risk responsibility" and respond the same way they do to other lofty strategic initiatives: they take no action at all.
To engage process owners in a risk culture, each business area must take ownership of a subset of the enterprise risks. Risk managers do not own the risks to the organization; they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports, and create actionable initiatives for business areas in need of oversight.
Engaging process owners has the dual effect of spreading an enterprise-wide risk culture while creating a sense of shared responsibility. The structure described above also establishes three lines of defense, a concept adopted and well articulated by The Institute of Internal Auditors: operational risks are owned by the process owners; the risk management function provides guidance and strategic alignment; and Internal Audit ensures adherence to the proper policies and regulatory standards.
Risk Culture and Governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the practices outlined above. For more information on how to engage process owners, implement a standardized risk assessment process, and report this information to the board, download our complimentary eBook, "Presenting Risk Management to the Board."