
Manage Tomorrow's Surprises Today

Steven Minsky

NAIC references the RIMS Risk Maturity Model for ORSA Guidance


The RIMS Risk Maturity Model, co-developed by LogicManager CEO, Steven Minsky, and the RIMS Risk Management Society, has been adopted by yet another governance body in an attempt to formalize how organizations achieve risk management competency.

The NAIC specifically identifies the Risk Maturity Model (RMM) as an effective tool for evaluating the state of an organization's program, and indicates that insurers should strive to meet a 'Repeatable' level of Enterprise Risk Management maturity in each principle to comply with the Own Risk and Solvency Assessment (ORSA) requirements.

Additionally, scores of Non-Existent, Ad-Hoc, and even Initial may result in increased oversight.

Ultimately, it will be up to the company to determine what, if any, action it takes in response to such discussions, but an assessment of Non-existent, Ad hoc or Initial maturity levels may impact the supervisory plan of the insurer (e.g. may result in increased intensity and scope of ongoing supervisory work).

The ORSA Summary Report

The ORSA Summary Report is a board-focused briefing on the Enterprise Risk Management activities of an insurer, similar to the risk management disclosures mandated by the SEC and other regulatory bodies. Designed to assist the board in meeting its fiduciary duty, the NAIC's ORSA Summary Report should include a summary of the organization's risk management methodology, and an examination of key risk classifications (credit risk, market risk, etc. - for more, see LogicManager's NAIC Risk Framework plugin), as well as an overview of the monitoring activities in place for self-governance.

How to Implement the RIMS Risk Maturity Model

In order to adopt the RMM effectively and efficiently, without increasing the costs associated with ERM programs, an insurer should apply a risk-based approach to the governance functions it already has rather than building a separate program.

Many insurers already have the components required by RM ORSA (IT governance, credit risk monitoring, etc.), but lack what is needed to standardize that information for effective, enterprise-wide oversight: standardized assessment criteria; a risk management process that walks through the steps of identifying, mitigating, and monitoring risk; and a means of aggregating the wide variety of metrics associated with risk and opportunity management.

LogicManager offers a risk-based GRC software platform that accelerates your ability to manage cross functional information for ORSA, ERM, or other governance requirements. Read more in our eBook on implementing an ORSA framework.



Is the NAIC recognizing RIMS Risk Maturity Model as the best model from which to evaluate an ERM framework, or is the NAIC acknowledging that the RIMS Risk Maturity Model is one possible model from which to evaluate an ERM framework?


This blog is actually referencing an exposure draft of NAIC guidance (as of 3/18/14) that was significantly revised prior to final adoption. In subsequent drafts, utilization of the RIMS Risk Maturity Model was less direct. Therefore, the final version of the guidance does not "adopt" or require utilization of the RMM, although it continues to be referenced and utilized. See the following link for the final guidance adopted for use in regulatory analysis:


Bruce, you're correct that the guidance was changed to suggest models equivalent to the RMM, but I believe the NAIC is clear in requiring regulators to assess an insurer's maturity, and they have approved and recommend the RMM to meet this requirement.

The RMM is the most studied of the Risk Maturity Models you'll find, as the following independent study can attest; organizations can realize great benefits from its sincere adoption.


Karen, the RMM is the only guideline referenced explicitly, but more the latter. The RMM was specifically identified due to its correlation with bottom line firm value.



In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
