ERM for solvency purposes is the coordination of risk management, strategic planning, capital adequacy, and financial efficiency in order to enhance sound operation of the insurer and ensure the adequate protection of policyholders. Capital adequacy measures the insurer’s assessment of residual risk of its business, after overlaying the mitigating financial effect of the insurer’s established risk management system. Any decision affecting risk management, strategic planning or capital would likely necessitate a compensating change in one or both of the other two. Successful implementation of ERM for solvency purposes results in enhanced insight into an insurer’s risk profile and solvency position that promotes an insurer’s risk culture, earnings stability, sustained profitability, and long-term viability, as well as the insurer’s ability to meet obligations to policyholders. Collectively practiced in the industry, ERM for solvency purposes supports the operation and financial condition of the insurance sector. These aspects of ERM should therefore be encouraged from a prudential standpoint.

The ERM framework for solvency purposes (ERM framework) is an integrated set of strategies, policies and processes, established by the insurer for an effective implementation of ERM for solvency purposes.

• Risk identification (including group risk and relationship between risks);
• Quantitative techniques to measure risk;
• Inter-relationship of risk appetite, risk limits and capital adequacy;
• Risk appetite statement;
• Asset-liability management, investment, underwriting and liquidity risk management policies;
• Own risk and solvency assessment (ORSA); and
• Recovery planning.

The ERM framework should be integrated within the insurer’s risk management system (see ICP 8 Risk Management and Internal Controls).

The ERM framework should enhance an insurer’s understanding of material risk types, their characteristics, interdependencies, and the sources of the risks, as well as their potential aggregated financial impact on the business for a holistic view of risk at enterprise level. Senior Management should exhibit an understanding of the insurer’s enterprise risk issues and show a willingness and ability to address those issues. A fundamental aspect of ERM is the development and execution of a consistent, transparent, deliberate, and systematic approach to manage risks, both individually and in aggregate, on an ongoing basis to maintain solvency and operation within the risk appetite and risk limits. ERM should be embedded in an insurer’s corporate culture to ensure that the whole organisation contributes to risk awareness, feedback loops and coordinated responses to risk management needs.

The objective of ERM is not to eliminate risk. Rather, it is to manage risks within a framework that includes self-imposed limits. In setting limits for risk, the insurer should consider its solvency position and its risk appetite. Risk limits should be set after careful consideration of strategic objectives, business plans and circumstances and should take into account the projected outcomes of scenarios run using a range of plausible future business assumptions which reflect sufficiently adverse scenarios. A risk limits structure is used to establish guardrails on an insurer’s risk profile to optimise its returns without endangering the ability of the insurer to meet its commitments to policyholders.

Some insurers may utilise internal models as part of their ERM process in order to generate sophisticated risk metrics to inform management actions and capital needs. Internal models may enhance risk management and embed risk culture in the insurer. They may provide a common measurement basis across all risks (eg same methodology, time horizon, risk measure, level of confidence) and strengthened risk-based strategic decision-making across the organisation. Such an approach typically adopts a total balance sheet approach whereby the impact of the totality of material risks is fully recognised on an economic basis. A total balance sheet approach reflects the interdependence between assets, liabilities, capital requirements and capital resources, and identifies the capital allocation sufficient to protect the insurer and its policyholders, as well as to improve capital efficiency.

The insurer should have adequate governance and internal controls in place for models used in the ERM framework. The calculation of risk metrics should be transparent, supportable, and repeatable.

An insurer should have contingency plans that describe in advance the necessary actions and resources to limit business disruption and losses resulting from an adverse financial event (such as risk exposures exceeding risk limits), or an operational event (such as a natural disaster). Contingency planning may include a recovery plan, when deemed necessary.

The scope of risk identification and analysis of risk interdependencies should cover, at least: insurance risk, market risk, credit risk, concentration risk, operational risk and liquidity risk. Other risks may be included, such as conduct risk, legal risk, political risk, reputational risk, strategic risk and group risk.

An insurer should consider the sources of different risks and their impacts and assess the relationship between risk exposures. By doing so, an insurer can better identify both strengths and weaknesses in governance, control functions and business units. The insurer should use and improve risk management policies, techniques and practices and change its organisational structure to make these improvements where necessary. The insurer should also assess external risk factors which, if they were to crystallise, could pose a significant threat to its business.

In assessing the relationship between risk exposures, consideration should be given to correlations between the tails of risk profiles. For example, risks that show no strong dependence under normal economic conditions (such as catastrophe risks and market risks) could be more correlated in a stress situation.

Assessments of risk exposures should consider macroeconomic exposures. For example, an insurer should consider interdependencies between guarantees and options embedded in its products, the assets backing those products, financial markets and the real economy.

Sources of risks may include catastrophes, downgrades from rating agencies or other events that may have an adverse impact on the insurer’s financial condition and reputation. These events can result, for example, in an unexpected level of claims, collateral calls or policyholder terminations and may lead to serious liquidity issues. The ERM framework should adequately address the insurer’s options for responding to such events.

Group risk is the risk that the financial condition of a group or a legal entity within the group may be adversely affected by a group-wide event, an event in a legal entity, or an event external to the group. Such an event may either be financial or non-financial (such as a restructuring).

Group risk may arise, for example, through contagion, leveraging, double or multiple gearing, concentrations, large exposures and complexity. Participations, loans, guarantees, risk transfers, liquidity, outsourcing arrangements and off-balance sheet exposures may all give rise to group risk. Many of these risks may be borne by stand-alone insurance legal entities and are not specific to being a legal entity that is part of a group. However, the inter-relationships among legal entities within a group including aspects of control, influence and interdependence alter the impact of risks on the legal entities and should therefore be taken into account in managing the risks of an insurance legal entity within the insurance group and in managing the risks of that insurance group as a whole.

The ERM framework of an insurance group should address the direct and indirect interrelationships between legal entities within the insurance group. The more clearly-defined and understood such relationships are, the more accurately they can be allowed for in the group-wide solvency assessment. For example, legally enforceable capital and risk transfer instruments between legal entities within a group may help with the effectiveness of its ERM framework for group-wide solvency assessment purposes. To be effective, the management of insurance group risk should take into account risks arising from all parts of an insurance group, including non-insurance legal entities (regulated or unregulated) and partly-owned entities.

Assumptions that are implicit in the solvency assessment of an insurance legal entity may not apply at an insurance group level because of separation of legal entities within the insurance group. For example, there may be few, if any, constraints on the fungibility of capital and the transferability of assets within an individual insurance legal entity. However, such constraints may feature much more prominently for an insurance group and may restrict the degree to which benefits of diversification of risks across the group can be shared among legal entities within the insurance group. Such constraints should be taken into account in both the insurance group’s and the insurance legal entity’s ERM frameworks.

The level of risk is a combination of the impact that the risk will have on the insurer and the probability of that risk materialising. The insurer should assess regularly the level of risk it bears by using appropriate forward-looking quantitative techniques (such as risk modelling, stress testing, including reverse stress testing, and scenario analysis). An appropriate range of adverse circumstances and events should be considered, including those that pose a significant threat to the financial condition of the insurer, and management actions should be identified together with the appropriate timing of those actions. Risk measurement techniques may also be used in developing long-term business and contingency plans.

Different approaches to measuring risk may be appropriate depending on the nature, scale and complexity of a risk and the availability of reliable data on the behaviour of that risk. For example, a low frequency but high impact risk where there is limited data (such as catastrophe risk) may require a different approach from a high frequency, low impact risk for which there is substantial amounts of experience data available. Stochastic risk modelling may be appropriate to measure some risks (such as non-life catastrophe), whereas relatively simple calculations may be appropriate in other circumstances.

The measurement of risks should be based on a consistent economic assessment of the total balance sheet as appropriate to ensure that appropriate risk management actions are taken. In principle, an insurer’s ERM framework should take into consideration the distribution of future cash flows to measure the level of risks. The insurer should be careful not to base decisions purely on accounting or regulatory measures that involve non-economic considerations and conventions although the constraints on cash flows that they represent should be taken into account.

An insurance group should clarify whether data used in risk assessments is based on a consolidated, aggregated or other method. The insurance group should take into account the implications and inherent risks of the selected methodology when developing its ERM framework. For example, intra-group transactions may be eliminated in consolidation and thus may not be reflected in the consolidated financial statement of the insurance group at the top level. In using the consolidation basis for the ERM framework, the insurance group may be able to account, and take credit, for diversification of risk. Conversely, using another aggregation method may facilitate a more granular recognition of risk.

Measurement of risks undertaken at different valuation dates should be produced on a broadly consistent basis overall, which may make variations in results easier to explain. Such analysis also aids the insurer in prioritising its risk management.

Regardless of how sophisticated they are, models cannot exactly replicate the real world. Risks associated with the use of models (modelling and parameter risk), if not explicitly quantified, should be acknowledged and understood as the insurer implements its ERM framework, including by the insurer’s Board and Senior Management.

Models may be external or internal. External models may be used to assess catastrophes or market risks. Internal models may be developed by an insurer to assess specific material risks or to assess its risks overall.

Internal models can play an important role in facilitating the risk management process and the supervisor should encourage insurers to make use of such models for parts or all of their business, where it is appropriate.

An insurer may consider that the assessment of current financial resources and the calculation of regulatory capital requirements would be better achieved through the use of internal models, where permitted.

If used, an internal model may provide an important strategic and operational decision-making tool and should be used to enable the insurer to integrate its risk and capital management processes. In particular, the internal model used for ORSA should be consistent with models for other processes within the ERM framework. These include: assessment of the risks faced within the insurer’s business; construction of risk limits structure; and the determination of the economic capital needed, where appropriate, to meet those risks.

To be effective, an internal model should address all the identified risks within its scope, and their interdependencies, and assess their potential impact on the insurer’s business given the possible situations that could occur. The methods by which this analysis could be conducted range from simple stress testing of events to more complex stochastic modelling, as appropriate.

The insurer’s internal model should be calibrated on the basis of defined modelling criteria that the insurer believes will determine the level of capital appropriate and sufficient to meet its business plan and strategic objectives. These modelling criteria may include the basis for valuation of the assets and liabilities, the confidence level, risk measure and time horizon, as well as other business objectives (for example, aiming to achieve a certain minimum investment rating).

In constructing its internal model, an insurer should adopt risk modelling techniques and approaches that are appropriate to its risk strategy and business plans. An insurer may consider various inputs to the modelling process, such as economic scenarios, asset portfolios and liabilities from in-force or past business, and regulatory constraints on the transfer of assets.

An internal model used to determine economic capital may enable the insurer to allocate sufficient financial resources to ensure it continues to meet its policyholder liabilities as they fall due, at a confidence level appropriate to its business objectives. To fully assess policyholder liabilities in this way, all liabilities that should be met to avoid putting policyholder interests at risk need to be considered, including any liabilities for which a default in payment could trigger the winding up of the insurer.

If an insurer uses its own internal model as part of its risk and capital management processes, the insurer should validate it and review it on a regular basis. Validation should be carried out by suitably experienced individuals in a different department or persons other than those who created the internal model, in order to facilitate independence. The insurer may wish to consider an external review of its internal model by appropriate specialists; for example, if the internal review cannot be performed with sufficient independence, an external review may be warranted.

Where a risk is not readily quantifiable (for instance some operational risks or where there is an impact on the insurer’s reputation), the insurer should make a qualitative assessment that is appropriate to that risk and sufficiently detailed to be useful for risk management. The insurer should analyse the controls needed to manage such risks to ensure that its risk assessments are reliable and consider events that may result in high operational costs or operational failure. Such analysis should inform the insurer’s judgments in assessing the size of the risks and enhancing overall risk management.

It may be appropriate for internal models to be used for a group even where the use of an internal model is not an approach appropriate at the insurance legal entity level due to, for example, lack of sufficient data.

Stress testing measures the financial impact of stressing one or more factors which could severely affect the insurer. Scenario analysis considers the impact of a combination of circumstances to reflect historical or other scenarios which are analysed in the light of current conditions. Scenario analysis may be conducted deterministically using a range of specified scenarios or stochastically, using models to simulate many possible scenarios, to derive statistical distributions of the results.

Stress testing and scenario analysis should be carried out by the insurer to validate and understand the limitations of its models. They may also be used to complement the use of models for risks that are difficult to model or where the use of a model may not be appropriate from a cost-benefit perspective. For example, these techniques can be used to investigate the effect of proposed management actions.

Scenario analysis may be particularly useful as an aid to communicate risk management issues to the Board, Senior Management, business units and control functions. As such, scenario analysis can facilitate the integration of the insurer’s ERM framework within its business operations and establish a sound risk culture.

Reverse stress testing may help identify scenarios that could result in failure or cause the financial position of an insurer to fall below a predefined level. While some risk of failure is always present, such an approach may help to ensure adequate focus on the management actions that are appropriate to avoid undue risk of business failure. The focus of such reverse stress testing is on appropriate risk management actions rather than the assessment of its financial condition and so may be largely qualitative in nature although broad assessment of associated financial impacts may help in deciding the appropriate action to take.

Stress testing is intended to serve the insurer as an aid to sound risk management, including by identifying residual macroeconomic exposure.

• savings-oriented products (or protection-oriented products with a savings component) that offer unmatched guarantees on policyholders’ premium payments, often combined with embedded options for policyholders;
• products embedding features such as automatic asset sales triggered by asset value decreases or that require dynamic hedging; and
• derivatives contracts such as financial guarantee products including credit default swaps (CDS) that are not used to hedge risk.

• the nature, scale and complexity of: the insurer, its activities, business model and products, including the characteristics of the guarantees it provides;
• the characteristics of any automatic asset reallocation mechanisms;
• the use of dynamic hedging and the extent to which such guarantees are matched or hedged; and
• its activity in derivatives markets.

The risks identified and the techniques that are appropriate and adequate for measuring them (including stress testing, scenario analysis, risk modelling and reverse stress testing) may differ at insurance group and insurance legal entity level. Where an insurance legal entity’s ERM framework is an integral part of the insurance group’s ERM framework, the techniques used to measure risks at group level should consider those that are appropriate and adequate at the insurance legal entity level.

An insurer's ERM framework should reflect how its risk management coordinates with strategic planning and its management of capital (regulatory capital requirement and economic capital).

As an integral part of its ERM framework, an insurer should also reflect how its risk management links with corporate objectives, strategy and current circumstances to maintain capital adequacy and solvency and to operate within the risk appetite and risk limits described in the risk appetite statement.

An insurer’s ERM framework should use reasonably long time horizon, consistent with the nature of the insurer’s risks and the business planning horizon, so that it maintains relevance to the insurer's business going forward. This can be done by using methods (such as scenario models) that produce a range of outcomes based on plausible future business assumptions which reflect sufficiently adverse scenarios. The analysis of these outcomes may help the Board and Senior Management in strategic business planning.

Risks should be monitored and reported to the Board and Senior Management, in a regular and timely manner, so that they are fully aware of the insurer's risk profile and how it is evolving and make effective decisions on risk appetite and capital management.

Where internal models are used for business forecasting, the insurer should perform back-testing, to the extent practicable, to validate the accuracy of the model over time.

• reflect the insurer’s risk limits structure;
• play a role in mitigating risk; and
• impact the insurer’s capital requirements.

An insurer’s risk appetite statement should include qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.

• complement quantitative measures;
• set the overall tone for the insurer’s approach to risk taking; and
• articulate clearly the motivations for taking on or avoiding certain types of risks, products, jurisdictional/regional exposures, or other categories.

Risk appetite may not necessarily be expressed in a single document. However the way it is expressed should provide the insurer’s Board with a coherent and holistic, yet concise and easily understood, view of the insurer’s risk appetite.

The supervisor should require risk capacity of the insurer to include the consideration of regulatory capital requirements, economic capital, liquidity and operational environment.

The risk appetite statement should give clear guidance to operational management on the level of risk to which the insurer is prepared to be exposed and the limits of risk to which they are able to expose the insurer. It should also be communicated across and within the insurer to facilitate entrenching the risk appetite into the insurer’s risk culture.

An insurer should consider how to embed these limits in its ongoing operations. This may be achieved by expressing limits in a way that can be measured and monitored as part of ongoing operations. Stress testing may provide an insurer with a tool to help ascertain whether the limits are suitable for its business.

An insurance legal entity’s risk appetite statement should define risk limits taking into account all of the group risks it faces to the extent that they are relevant and material to the insurance legal entity.

When creating a risk limits structure at the insurance legal entity level, the entity’s Board and Senior Management should take into account risk limits at the group level.

• the investment and liability strategies allow for the interaction between assets and liabilities;
• the liability cash flows will be met by the cash inflows; and
• the economic valuation of assets and liabilities will change under a range of different scenarios.

The insurer’s ALM policy should recognise the interdependence between all of the insurer’s assets and liabilities and take into account the correlation of risk between different asset classes as well as the correlations between different products and business lines, recognising that correlations may not be linear. The ALM policy should also take into account any off-balance sheet exposures that the insurer may have and the contingency that risks transferred may revert to the insurer.

Different strategies may be appropriate for different categories of assets and liabilities. One possible approach to ALM is to identify separate homogeneous segments of liabilities and obtain investments for each segment that would be appropriate if each liability segment was a stand-alone business. Another possible approach is to manage the insurer’s assets and liabilities together as a whole. The latter approach may provide greater opportunities for profit and management of risk than the former. If ALM is practised for each business segment separately, this is likely to mean that the insurer may not benefit as much from the benefits of scale, hedging, diversification and reinsurance.

However, for some types of insurance business it may not be appropriate to manage risks by combining liability segments. It may be necessary for the insurer to devise separate and self-contained ALM policies for particular portfolios of assets that are ring-fenced or otherwise not freely available to cover obligations in other parts of the insurer.

Assets and liabilities may be ring-fenced to protect policyholders. For example, non-life insurance business is normally ring-fenced from life insurance business, and likewise, participating business is separated from non-participating. Supervisory requirements or the insurer’s ERM framework may require some liabilities to be closely matched with the supporting assets. For example, equity-linked or indexed-linked benefits may be closely matched with corresponding assets, and annuities’ cash outflows may be closely matched with cash inflows from fixed income instruments.

Some liabilities may have particularly long durations, such as certain types of liability insurance and whole-life policies and annuities. In these cases, assets with sufficiently long duration may not be available to match the liabilities, introducing a significant reinvestment risk, such that the present value of future net liability cash flows is particularly sensitive to changes in interest rates. There may also be gaps in the asset durations available. An ALM policy should address the risks arising from duration or other mismatches (for example, by holding adequate capital or having appropriate risk mitigation in place). The ERM framework should reflect the insurer’s capacity to bear ALM risk, according to the insurer’s risk appetite and risk limits structure.

The group-wide ALM policy should take into account any legal restrictions that may apply to the treatment of assets and liabilities within the jurisdictions in which the group operates.

An investment policy may set out the insurer’s strategy for optimising investment returns and specify asset allocation strategies and authorities for investment activities and how these are related to the ALM policy.

The investment policy should address the safe-keeping of assets including custodial arrangements and the conditions under which investments may be pledged or lent.

Credit risk should be considered in the investment policy.

• type of asset;
• credit rating;
• issuer/counterparty or related entities of an issuer/counterparty;
• financial market;
• sector; and
• geographic area.

It is important for the insurer to understand the source, type and amount of investment risk. For example, it is important to understand who has the ultimate legal risk or basis risk in a complex chain of transactions. Similar questions arise where the investment is via external funds, especially when such funds are not transparent.

A number of factors may shape the insurer’s investment strategy. For insurers in many jurisdictions concentration risk arising from the limited availability of suitable domestic investment vehicles may be an issue. By contrast, international insurers’ investment strategies may be complex because of a need to manage or match assets and liabilities in a number of currencies and different markets. In addition, the need for liquidity resulting from potential large-scale payments may further complicate an insurer’s investment strategy.

Where appropriate, the investment policy should outline how the insurer deals with inherently complex financial instruments such as derivatives, hybrid instruments that embed derivatives, private equity, hedge funds, insurance linked instruments and commitments transacted through special purpose entities. Complex or less transparent assets may present operational risks that are difficult to assess reliably, especially in adverse conditions.

An effective investment policy and ERM framework should provide for appropriately robust models reflecting relevant risks of complex investment activities (including underwriting guarantees for such complex securities). There should be explicit procedures to evaluate non-standard risks associated with complex structured products, especially new forms of concentration risk that may not be obvious.

For complex investment strategies, the insurer’s investment policy and ERM framework may incorporate the use of stress testing and contingency planning to handle hard-to-model risks such as liquidity and sudden market movements. Trial operation of procedures may also be appropriate in advance of ‘live’ operation.

• the potential exposure cannot be reliably measured;
• closing out of a derivative is difficult considering the illiquidity of the market;
• the derivative is not readily marketable as may be the case with over-the-counter instruments;
• independent (ie external) verification of pricing is not available;
• collateral arrangements do not fully cover the exposure to the counterparty;
• the counterparty is not suitably creditworthy; and
• the exposure to any one counterparty exceeds a specified amount.

A counterparty risk appetite statement sets out the level of risk the insurer is willing to accept that a counterparty will be unable to meet its obligations as they fall due. This may impact the insurer’s financial position through, for example, reductions in fair value or impairment of investments, loss of reinsurance cover, open market exposures or the loss of securities that have been loaned.

In deciding whether it is necessary to require a counterparty risk appetite statement, the supervisor should take into account the size of the insurer’s counterparty exposures, both in absolute terms and relative to the insurer’s portfolio, according to the characteristics outlined in Guidance 16.6.4, as well as the complexity and form of these exposures. Particular attention should be paid to financial sector counterparties, as these counterparties may be more likely to contribute to the build-up of systemic risk. Attention should also be paid to off-balance sheet exposures or commitments, as these may be more likely to materialise during stress.

• the terms on which contracts are written and any exclusions;
• the procedures and conditions that need to be satisfied for risks to be accepted;
• additional premiums for substandard risks; and
• procedures and conditions that need to be satisfied for claims to be paid.

Control of expenses associated with underwriting and payment of claims is an important part of managing risk especially in conditions of high general rates of inflation. Inflation of claim amounts also tends to be high in such conditions for some types of risk. Insurers should have systems in place to control their expenses. These expenses should be monitored by the insurer on an ongoing basis.

• the insurer’s reinsurance programme provides coverage appropriate to its level of capital, the profile of the risks it underwrites, its business strategy and risk appetite; and
• the risk will not revert to the insurer in adverse circumstances.

• product classes the insurer is willing to write;
• relevant exposure limits (eg geographical, counterparty, economic sector); and
• a process for setting underwriting limits.

The underwriting policy should address the potential impact on the insurer’s financial position from material correlations between macroeconomic conditions and the insurance portfolio (for example by assessing the potential impact stemming from certain insurance products with embedded guarantees and options).

• how an insurer analyses emerging risks in the underwritten portfolio; and
• how emerging risks are considered in modifying underwriting practices.

The underwriting policy should describe interactions with the reinsurance strategy and associated credit risk, and should include details of the reinsurance cover of certain product classes or particular risks.

• market liquidity in normal and stressed conditions, quality of assets and its ability to monetise assets in each situation
• characteristics of insurance contracts that may affect policyholder behaviour around lapse, withdrawal or renewal;
• adverse insurance events that may trigger short-term liquidity needs, including catastrophes;
• non-insurance activities such as margining or posting collateral for derivatives contracts, securities lending or repurchase agreements; and
• contingent sources of liquidity (including committed lines of credit or future premium income) and whether these would be available in stressed conditions.

An insurer should have well-defined processes and metrics in place, which may be simple or more advanced depending on its activities, to assess its liquidity position at different time horizons on a regular basis. An insurer’s liquidity analysis should cover both normal and stressed market conditions. The insurer should assess the results of such analysis in light of its risk appetite.

Upon the supervisor’s request, the insurer should report its liquidity risk management processes and analysis, including key assumptions or metrics.

An insurance group’s assessment should result in a coherent view of liquidity risk across legal entities within the group. For example, where an individual legal entity relies on the head of the group for funding, this should be accounted for in both the individual legal entity’s and the head of the group’s liquidity analysis.

When analysing its liquidity position, an insurance group may use different scenarios and analyses on a legal entity level and group-wide level where appropriate. Such scenarios should take into account that circumstances may differ between individual legal entities and the group as a whole.

Some insurers are required to establish more detailed liquidity risk management processes as compared to those processes set out in Standard 16.8. More detailed liquidity risk management processes are intended to help the insurer with its risk management. Additionally, the measures may provide the supervisor with a view on vulnerabilities that may cause funding shortfalls in stress.

• derivatives, particularly any collateral or margin that needs to be posted for mark-to-market declines in the value of the contract;
• securities financing transactions, including repurchase agreements and securities lending
• insurance products that contain provisions that allow a policyholder to withdraw cash from the policy with little notice or penalty; and
• insurance products covering natural catastrophes.

Liquidity stress testing is a forward looking risk management tool to reveal vulnerabilities in the insurer’s liquidity profile and provide information on its ability to meet liabilities as they fall due. A portfolio of unencumbered highly liquid assets may provide a source of liquidity for the insurer to meet its liabilities as they fall due. A contingency funding plan, describing the strategies for addressing liquidity shortfalls in stress situations, may assist the insurer in addressing an unforeseen stress situation, where its liquid assets are insufficient or unexpectedly become illiquid. A liquidity management report could assist the insurer and the supervisor to address shortcomings in the insurer’s risk management by laying out details of its liquidity risk management in an accessible format.

In deciding whether it is necessary to require more detailed liquidity risk management processes, and the intensity of such processes, the supervisor should take into account the nature, scale and complexity of the insurer’s activities that lead to increased liquidity risk exposure as well as the risk amplification effects related to the size of the insurer. Increased liquidity risk exposure may depend on, for example, the magnitude of potential collateral or margin calls from derivatives or other transactions, the use of securities financing transactions or the characteristics of insurance contracts that may affect policyholder behaviour around lapse, withdrawal or renewal.

The supervisor may increase or decrease the intensity of these requirements by, for example, varying the frequency, scope and granularity of liquidity stress testing, the proportion of various types of highly liquid assets allowed in the portfolio or the form and level of detail in the contingency funding plan and liquidity risk management report.

Where an insurer is required to establish more detailed liquidity risk management processes, the supervisor should assess the effectiveness of their implementation, including the interaction with existing control mechanisms. Additionally, the supervisor should evaluate the quality and quantity of the assets that the insurer includes in its portfolio of highly liquid assets in light of the liquidity characteristics of its activities. The supervisor may develop its own, general, criteria for highly liquid assets.

The insurer should document the main outcomes, rationale, calculations and action plans arising from its ORSA.

ORSAs should be largely driven by how an insurer is structured and how it manages itself. The performance of an ORSA at the insurance legal entity level does not exempt the group from conducting a group-wide ORSA.

Where appropriate, the effectiveness of the ORSA should be validated through internal or external independent overall review by a suitably experienced individual.

The Board should adopt a rigorous process for setting, approving, and overseeing the effective implementation by Senior Management of the insurer’s ORSA.

The ORSA should explicitly state which risks are quantifiable and which are non-quantifiable.

The insurer should consider in its ORSA all material risks that may have an impact on its ability to meet its obligations to policyholders, including in that assessment a consideration of the impact of future changes in economic conditions or other external factors. The insurer should undertake an ORSA on a regular basis so that it continues to provide relevant information for its management and decision making processes. The insurer should regularly reassess the sources of risk and the extent to which particular risks are material. Significant changes in the risk profile of the insurer should prompt it to undertake a new ORSA. Risk assessment should be done in conjunction with consideration of the effectiveness of applicable controls to mitigate the risks.

In deciding whether it is necessary to require scenario analysis or stress testing as part of the ORSA, and the frequency, scope and type of such scenario analysis or stress testing, the supervisor should take into account, for example, the nature, scale and complexity of the insurer, its business model and products and the size of the insurer’s exposures, both in absolute terms and relative to the insurer’s portfolio. For macroeconomic exposure, relevant factors may include the characteristics of the guarantees the insurer provides and the extent to which such guarantees are matched or hedged, the characteristics of any (automatic) asset reallocation mechanisms, the use of dynamic hedging, the insurer’s activity in derivatives markets or other drivers of volatility in the sources or uses of cash. For counterparty exposure, particular attention should be paid to financial sector counterparties, as these may be more likely to contribute to the build-up of systemic risk, and to off-balance sheet exposures or commitments, as these may be more likely to have an impact during stress.

• include all reasonably foreseeable and relevant material risks arising from every legal entity within the insurance group and from the widest group of which the insurance group is part;
• take into account the fungibility of capital and the transferability of assets within the group; and
• ensure capital is not double counted.

Similarly, an insurance legal entity’s ORSA should include all additional risks arising from the widest group to the extent that they impact the insurance legal entity.

In the insurance legal entity’s ORSA and the insurance group’s ORSA, it may be appropriate to consider scenarios in which a group splits or changes its structure in other ways. Assessment of current capital adequacy and continuity analysis should include consideration of relevant possible changes in group structure and integrity in adverse circumstances and the implications this could have for group risks, the existence of the group and the support or demands from the group to or on its insurance legal entities.

Given the level of complexity at insurance group level compared with that at an insurance legal entity level, additional analysis and information is likely to be needed for the group’s ORSA in order to address comprehensively the range of insurance group level risks. For example, it may be appropriate to apply a contagion test by using stress testing to assess the impact of difficulties in each legal entity within the insurance group on the other insurance group entities.

In conducting its group-wide ORSA, the group should be able to account for diversification in the group. Moreover, the group should be able to demonstrate how much of the diversification benefit would be maintained in a stress situation.

It is important that an insurer has regard for how risk management and capital management relate to and interact with each other. Therefore, an insurer should determine the overall financial resources it needs, taking into account its risk appetite, risk limits structure and business plans, based on an assessment of its risks, the relationship between them and the risk mitigation in place. Determining economic capital may help an insurer to assess how best to optimise its capital base, whether to retain or transfer risk and how to allow for risks in its pricing.

Although the amounts of economic capital and regulatory capital requirements and the methods used to determine them may differ, an insurer should be aware of, and be able to analyse and explain, these differences. Such analysis helps to embed supervisory requirements into an insurer's ORSA and risk and capital management, so as to ensure that obligations to policyholders continue to be met as they fall due.

As part of the ORSA, the insurer should perform its own assessment of the quality and adequacy of capital resources both in the context of determining its economic capital and in demonstrating that regulatory capital requirements are met having regard to the quality criteria established by the supervisor and other factors which the insurer considers relevant.

If an insurer suffers losses that are absorbed by its available capital resources, it may need to raise new capital to meet ongoing regulatory capital requirements and to maintain its business strategies. It cannot be assumed that capital will be readily available at the time it is needed. Therefore, an insurer’s own assessment of the quality of capital should also consider the issue of re-capitalisation, especially the ability of capital to absorb losses on an ongoing basis and the extent to which the capital instruments or structures that the insurer uses may facilitate or hinder future re-capitalisation. For example, if an insurer enters into a funding arrangement where future profits are cashed immediately, the reduced future earnings potential of the insurer may make it more difficult to raise capital resources in the future.

For an insurer to be able to recapitalise in times of financial stress, it is critical to maintain market confidence at all times, through its solvency and capital management, investor relationships, robust governance structure/practices and fair conduct of business practices. For example, where an insurer issues preferred stock without voting rights, this may affect the robustness of the governance structure and practice of that insurer. The voting rights attached to common stock can provide an important source of market discipline over an insurer’s management. Other insurers may issue capital instruments with lower coupons and fees, sacrificing the economic value of the existing shareholders and bondholders.

When market conditions are good, many insurers should be readily able to issue sufficient volumes of high quality capital instruments at reasonable levels of cost. However, when market conditions are stressed, it is likely that only well capitalised insurers, in terms of both the quality and quantity of capital resources held, will be able to issue high quality capital instruments. Other insurers may only be able to issue limited amounts of lower quality capital and at higher cost. Therefore, the supervisor should make sure that insurers have regard for such variations in market conditions and manage the quality and quantity of their capital resources in a forward looking manner. In this regard, it is expected that high quality capital instruments (such as common shares) should form the substantial part of capital resources in normal market conditions as that would enable insurers to issue capital instruments even in stressed situations. Such capital management approaches also help to address the procyclicality issues that may arise, particularly in risk-based solvency requirements.

An insurance group should determine, as part of its ORSA, the overall financial resources it needs to manage its business given its risk appetite and business plans and demonstrate that its supervisory requirements are met. The insurance group’s risk management actions should be based on appropriate risk limits and consideration of its economic capital, regulatory capital requirements and financial resources. Economic capital should thus be determined by the insurance group as well as its insurance legal entities, and appropriate risk limits and management actions should be identified for both the insurance group and the insurance legal entities.

Key group-wide factors to be addressed in the insurer’s assessment of group-wide capital resources include multiple gearing, intra-group creation of capital and reciprocal financing, leverage of the quality of capital and fungibility of capital and free transferability of assets across group entities.

An insurer should be able to demonstrate an ability to manage its risk over the longer term under a range of plausible adverse scenarios. An insurer’s capital management plans and capital projections are therefore key to its overall risk management strategy. These should allow the insurer to determine how it could respond to unexpected changes in market and economic conditions, innovations in the industry and other factors such as demographic, legal and regulatory, medical and social developments.

Where appropriate, the supervisor should require an insurer to undertake periodic, forward-looking continuity analysis and modelling of its future financial position including its ability to continue to meet its regulatory capital requirements in future under various conditions. Insurers should ensure that the capital and cash flow projections (before and after stress) and the management actions included in their forecasts are approved at a sufficiently senior level.

In carrying out its continuity analysis, the insurer should also apply reverse stress testing to identify scenarios that would be the likely cause of business failure (eg where business would become unviable or the market would lose confidence in it) and the actions necessary to manage this risk.

As a result of continuity analysis, the supervisor should encourage insurers to maintain contingency plans and procedures. Such plans should identify relevant countervailing measures and off-setting actions they could realistically take to restore/improve the insurer’s capital adequacy or cash flow position after some future stress event and assess whether actions should be taken by the insurer in advance as precautionary measures.

A clear distinction should be made between the assessment of the current financial position and the projections, stress testing and scenario analyses used to assess an insurer’s financial condition for the purposes of strategic risk management, including maintaining solvency. The insurer’s continuity analysis should help to ensure sound, effective and complete risk management processes, strategies and systems. It should also help to assess and maintain on an ongoing basis the amounts, types and distribution of financial resources needed to cover the nature and level of the risks to which the insurer is or may be exposed to and to enable the insurer to identify and manage all reasonably foreseeable and relevant material risks. In doing so, the insurer assesses the impact of possible changes in business or risk strategy on the level of economic capital needed as well as the level of regulatory capital requirements.

Such continuity analysis should have a time horizon needed for effective business planning (for example, 3 to 5 years), which is longer than typically used to determine regulatory capital requirements. It should also place greater emphasis than may be considered in regulatory requirements on new business plans and product design and pricing, including embedded guarantees and options, and the assumptions appropriate given the way in which products are sold. The insurer’s current premium levels and strategy for future premium levels are a key element in its continuity analysis. In order for continuity analysis to remain meaningful, the insurer should also consider changes in external factors such as possible future events including changes in the political or economic situation.

Through the use of continuity analysis an insurer should be better able to link its current financial position with future business plan projections and ensure its ability to maintain its financial condition in the future. This may help the insurer to further embed its ERM framework into its ongoing and future operations.

An internal model may also be used for the continuity analysis, allowing the insurer to assess the capital consequences of strategic business decisions in respect of its risk profile. For example, the insurer may decide to reduce its capital requirement through diversification by writing different types of business in order to reduce the capital that is needed to be held against such risks, potentially freeing up resources for use elsewhere. This process of capital management may enable the insurer to change its capital exposure as part of its long-term strategic decision making.

As a result of such strategic changes, the risk profile of an insurer may alter, so that different risks should be assessed and quantified within its internal model. In this way, an internal model may sit within a cycle of strategic risk and capital management and provide the link between these two processes.

An insurance group should analyse its ability to continue in business and the risk management and financial resources it requires to do so. The insurance group’s analysis should consider its ability to continue to exist as an insurance group, potential changes in group structure and the ability of its legal entities to continue in business.

An insurance legal entity’s continuity analysis should assess the ongoing support from the group including the availability of financial support in adverse circumstances as well as the risks that may flow from the group to the insurance legal entity. The insurance legal entity and the insurance group should both take into account the business risks they face including the potential impact of changes in the economic, political and regulatory environment.

In their continuity analysis, insurance groups should pay particular attention to whether the insurance group will have available cash flows (eg from surpluses released from long-term funds or dividends from other subsidiaries) and whether they will be transferable among legal entities within the group to cover any payments of interest or capital on loans, to finance new business and to meet any other anticipated liabilities as they fall due. Insurance groups should outline what management actions they would take to manage the potential cash flow implications in stressed conditions (eg reducing new business or cutting dividends).

The insurance group’s continuity analysis should also consider the distribution of capital in the insurance group after stress and the possibility that subsidiaries within the insurance group may require re-capitalisation (either due to breaches of local regulatory requirements, a shortfall in economic capital, or for other business reasons). The assessment should consider whether sufficient sources of surplus and transferable capital would exist elsewhere in the insurance group and identify what management actions may need to be taken (eg intra-group movements of resources, other intra-group transactions or group restructuring).

The insurance group should also apply reverse stress testing to identify scenarios that could result in failure or cause the financial position of the insurance group to fall below a predefined level and the actions necessary to manage this risk.

The supervisor may require an insurer to produce a recovery plan that identifies in advance options to restore the financial position and viability if the insurer comes under severe stress (see Application Paper on Recovery Planning). In deciding whether it is necessary to require a recovery plan, and the form, content and level of detail of such recovery planning, the supervisor should take into account, for example, the insurer’s complexity, systemic importance, risk profile and business model. A recovery plan is intended to serve the insurer as an aid to sound risk management. Additionally, if the insurer comes under severe stress, a plan may serve the supervisor as valuable input to any necessary supervisory measures.

The supervisor should require the insurer to provide the necessary information to enable the supervisor to assess the robustness and credibility of any recovery plan required. If the supervisor identifies material deficiencies in the plan, it should provide feedback and require the insurer to address these deficiencies.

The supervisor should require the insurer to review any recovery plan required on a regular basis, or when there are material changes to the insurer’s business, risk profile or structure, or any other change that could have a material impact on the recovery plan, and to update it when necessary.

The output of an insurer’s ORSA should serve as an important tool in the supervisory review process by helping the supervisor to understand the risk exposure and solvency position of the insurer.

The insurer's ERM framework and risk management processes (including internal controls) are critical to solvency assessment. The supervisor should therefore assess the adequacy and soundness of an insurer’s framework and processes by receiving regularly the appropriate information, including the ORSA report.

• What are the roles and responsibilities within the ERM framework?
• Is the insurer within its stated risk appetite
• What governance has been established for the oversight of outsourced elements of the ERM framework?
• What modelling and stress testing (including reverse stress testing) is done?
• Has the model risk management been applied in the ERM framework?
• How does the insurer maintain a robust risk culture that ensures active support and adjustment of the insurer’s ERM framework in response to changing conditions?

The supervisor should review an insurer's internal controls and monitor its capital adequacy, requiring strengthening where necessary. Where internal models are used to calculate the regulatory capital requirements, particularly close interaction between the supervisor and insurer is important. In these circumstances, the supervisor may consider the insurer’s internal model, its inputs and outputs and the validation processes, as a source of insight into the risk exposure and solvency position of the insurer.

The supervisor should monitor the techniques employed by the insurer for risk management and capital adequacy assessment and take supervisory measures where weaknesses are identified. The supervisor should not take a one-size-fits-all approach to insurers’ risk management but rather base their expectations on the nature, scale and complexity of its business and risks. In order to do this, the supervisor should have sufficient and appropriate resources and capabilities. For example, the supervisor may have a risk assessment model or programme with which it can assess insurers' overall condition (eg risk management, capital adequacy and solvency position) and ascertain the likelihood of insurers breaching supervisory requirements. The supervisor may also prescribe minimum aspects that an ERM framework should address.

• a description of the relevant material categories of risk that the insurer faces;
• the insurer’s risk appetite and risk limits structure;
• the insurer’s overall financial resource needs, including its economic capital and regulatory capital requirements, as well as the capital available to meet these requirements; and
• projections of how such factors will develop in future.

The supervisor should be flexible and apply their skills, experience and knowledge of the insurer in assessing the adequacy of the risk appetite statement. The supervisor may be able to assess the quality of a particular risk appetite statement by discussing with the Board and Senior Management how the insurer’s business strategy is related to the risk appetite statement, as well as how the risk appetite had an impact on the insurer’s decisions. This includes reviewing other material, such as strategy and planning documents and Board reports in the context of how the Board determines, implements, and monitors its risk appetite so as to ensure that risk-taking is aligned with the Board-approved risk appetite statement.

The supervisor should be provided access to the material results of stress testing, scenario analysis and risk modelling and their key underlying assumptions to be reported to them and have access to other results, if requested. Where the supervisor considers that the calculations conducted by an insurer should be supplemented with additional calculations, it should be able to require the insurer to carry out those additional calculations. The supervisor should also consider available reverse stress tests performed by insurers where they wish to assess whether appropriate action is being taken to manage the risk of business failure.

While insurers should carry out stress testing, scenario analysis and risk modelling that are appropriate for their businesses, the supervisor may also develop prescribed or standard tests and require insurers to perform them when warranted. One purpose of such testing may be to improve consistency of testing among a group of similar insurers. Another purpose may be to assess the financial condition of the insurance sector to economic, market or other stresses that apply to a number of insurers simultaneously (such as pandemics or major catastrophes). Such tests may be directed to be performed by selected insurers or all insurers. The criteria the supervisor uses for scenarios for standard tests should reflect the jurisdiction’s risk environment.

Forward-looking stress testing, scenario analysis and risk modelling of future capital positions and cash flows whether provided by the insurer’s own continuity analysis or in response to supervisory requirements is a valuable tool for the supervisor in assessing the financial condition of insurers. Such testing informs the discussion between the supervisor and insurers on appropriate planning, comparing risk assessments against stress test outcomes, risk management and management actions. The supervisor should consider the dynamic position of insurers and form a high-level assessment of whether the insurer is adequately capitalised to withstand a range of standardised and bespoke stresses.

• scope of risk categories of the internal model
• the insurer’s prioritisation of risks in its risk appetite; and
• the insurer’s use of the outputs in making major management decisions on capital planning for meeting regulatory capital requirements.

By reviewing the insurer’s ORSA continuity analysis, the supervisor may be able to learn about the robustness of an insurer’s future financial condition and the information on which the insurer bases decisions and its contingency planning. Such information should enable the supervisor to assess whether an insurer should improve its ERM framework by taking additional countervailing measures and off-setting actions, either immediately, as a preventive measure, or including them in future plans. Objectives of such supervisory measures may be to reduce any projected financial inadequacies, improve cash flows and/or increase an insurer’s ability to restore its capital adequacy after stress events.

Publicly disclosing information on risk management may improve the transparency and comparability of existing solvency requirements. There should be an appropriate balance regarding the level of information to disclose about an insurer's risk management against the level of sufficient information for external and internal stakeholders which is useful and meaningful. Therefore, the requirements for public disclosure of information on risk management, including possible disclosure of elements of a solvency and financial condition report, should be carefully considered by the supervisor taking into account the proprietary nature of the information.

Where an insurer's risk management and solvency assessment are not considered adequate by the supervisor, the supervisor should take appropriate measures. This could be in the form of further supervisory reporting or additional qualitative and quantitative requirements arising from the supervisor's assessment. Additional quantitative requirements should only be applied in appropriate circumstances and be subject to a transparent supervisory framework. Otherwise, if routinely applied, such measures may undermine a consistent application of standardised approaches to regulatory capital requirements.

• How well is the group’s ERM framework tailored to the group?
• Are decisions influenced appropriately by the group’s ERM framework outputs?
• How responsive is the group’s ERM framework to changes in individual businesses and to the group structure?
• How does the framework bring into account intra-group transactions; risk mitigation; and constraints on fungibility of capital, transferability of assets, and liquidity?

The group-wide supervisor should review the risk management and financial condition of the insurance group. Where necessary, the group-wide supervisor should require strengthening of the insurance group’s risk management, solvency assessment and capital management processes, as appropriate to the nature, scale and complexity of risks at group level. The group-wide supervisor should inform the other involved supervisors of any action required.

The group-wide supervisory review and assessment of the insurance group’s ERM framework should consider the framework’s suitability as a basis for group-wide solvency assessment. The arrangements for managing conflicts of interest across an insurance group should be a particular focus in the supervisory review and assessment of an insurance group’s ERM framework.

The supervisory assessment of the group’s ERM framework may affect the level of capital that the insurance group is required to hold for regulatory purposes and any regulatory restrictions that are applied. For example, the group-wide supervisor may require changes to the recognition of diversification across the insurance group, the allowances made for operational risk and the allocation of capital within the insurance group.

Although it is not a requirement in general for an insurance legal entity or an insurance group to use internal models to carry out its ORSA, the supervisor may consider it appropriate in particular cases that the ORSA should use internal models in order to achieve a sound ERM framework. The quality of an insurance group’s ORSA is dependent on how well integrated its internal capital models, the extent to which it takes into account constraints on fungibility of capital and its ability to model changes in its structure, the transfer of risks around the insurance group and insurance group risk mitigation. These factors should be taken into account by the group-wide supervisor in its review of the insurance group’s ORSA.

The supervisor may wish to specify criteria or analyses as part of the supervisory risk assessments to achieve effective supervision and consistency across insurance groups. This may, for example, include prescribed stress tests that apply to insurance groups.