88 | The South African Insurance Industry Survey 2016

Position Paper 34 describes the accountability of the Board with respect to ORSA as set     ORSA then brings in the requirement to fully integrate risk management and capital
out below:                                                                                  management so that risk management processes feed into capital management
                                                                                            processes and vice versa. This requires an insurance entity to be sufficiently capitalised at
“The ultimate accountability of the ORSA resides with the Board who should approve the      all times, including over the future business planning horizon.
ORSA. When evaluating the ORSA, the Board and Senior Management should assess the
adequacy of the current and future solvency position. In addition the Board and Senior      We are in the second cycle of the mock ORSA report and for 2016, Management
Management are responsible to ensure that the ORSA is embedded in the business and          Information (MI), embedding the ORSA into business decisions and demonstration of the
decision making processes.                                                                  use test are requirements.

The Board and Senior Management should also, through direct review and challenge and        ORSA reporting covers all internal risk and capital management reporting that enables
through reliance on the governance process, conclude on the accuracy and completeness       and delivers an effective ERMF with full integration between risk, capital and solvency.
of the ORSA calculations, assumptions and data used as input to the ORSA.                   The latter should be the top priority for the CRO and a key concern for Board members.

The ORSA should be appropriately evidenced and documented.”                                 So while individual pieces of the regulatory puzzle are being delivered by an organisation,
                                                                                            do they really come together? Regulatory reporting requirements may be owned by
The implications of complying with the above are broad and far-reaching, covering the       the actuarial, finance or the capital function, with the ERMF being owned by the CRO.
entire organisation. These requirements are onerous and while some of the pieces            Is the organisation treating the ORSA as a compliance exercise with the output being
to enable this are covered within the SAM regulations, they are disjointed and don’t        an annual report, or is the ORSA an enabler for effective risk and capital management?
completely fit together to meet the objective of ORSA.                                      Are the underlying processes in place to enable risk reporting required by the ERMF?
                                                                                            Does the risk reporting enable management and the Board to discuss and manage the
How many Boards currently are comfortable with this accountability either in the current    risks, and what is the quality of risk discussions at Executive and Board level? Where
state or can see the clear path to readiness once SAM is live? Currently, how many          business as usual risk reporting is in place, what is the quality of the supporting data
Senior Management teams can clearly articulate this journey for themselves and for their    and does management understand any limitations where data quality may be less than
Boards?                                                                                     ideal? Are processes in place to improve underlying data quality? Is risk reporting looked
                                                                                            at holistically across the organisation or is it siloed by risk type leading to overlap and
BN158 (of 2014) was effective 1 April 2015 and is the precursor to SAM Pillar 2. It sets    confusing reporting, or even gaps in coverage?
out effective governance and a risk management framework for both short- and long-term
insurers.                                                                                   The above are just some problems that may still need to be resolved, for risk and capital
                                                                                            management to be effective, even after a company ticks the regulatory SAM boxes.
It requires insurers to establish and maintain an effective risk management system,
comprising the totality of strategies, policies and procedures for identifying, assessing,  New regulatory guidance is often applied to solve a particular problem (from the
monitoring, managing and reporting all reasonably foreseeable current and emerging          regulator’s point of view). An example is the requirement for Conduct of Business
material risks to which the insurer may be exposed. BN158 (of 2014) sets out policies and   Returns (CBRs) which is a new set of market conduct returns - applicable for all life and
control functions that an insurance company must have.                                      non-life insurers in South Africa, excluding reinsurers and captives.

By now, most insurance companies should have reasonably well-developed ERMFs and            How many companies are integrating CBRs into their current SAM/risk reporting versus
control functions, including risk management. The maturity of the effectiveness of the      setting up separate conduct risk processes, data solutions, etc., and potentially creating
EMRF will depend on the organisation, with some still implementing their frameworks,        more organisational confusion?
some self-assessing the effectiveness, and more mature entities already in a business
as usual cycle that includes Combined Assurance Reviews and continuous improvement          Introducing BCBS (Basel Committee for Banking Supervision) 239
feedback loops.                                                                             BCBS239 sets out principles for effective risk data aggregation and risk reporting.