NAIC Adopts the Risk Maturity Model for ORSA Guidance

The Risk Maturity Model, co-developed by LogicManager CEO, Steven Minsky, and the RIMS Risk Management Society, has been adopted by yet another governance body in an attempt to formalize how organizations achieve risk management competency.

The NAIC specifically identifies the Risk Maturity Model (RMM) as an effective risk analysis tool for evaluating the state of an organizations program, and indicates that Insurers should strive to meet a ‘Repeatable’ level of Enterprise Risk Management maturity in each principle to comply with the Own Risk and Solvency Assessment requirements.

Additionally, scores of Non-Existent, Ad-Hoc, and even Initial may result in increased oversight.

Ultimately, it will be up to the company to determine what, if any, action it takes in response to such discussions, but an assessment of Non-existent, Ad hoc or Initial maturity levels may impact the supervisory plan of the insurer (e.g. may result in increased intensity and scope of ongoing supervisory work).

The ORSA Summary Report

The ORSA Summary Report is a board-focused briefing on the Enterprise Risk Management activities of an insurer, similar to the risk management disclosures mandated by the SEC and other regulatory bodies. Designed to assist the board in meeting its fiduciary duty, the NAIC’s ORSA Summary Report should include a summary of the organization’s risk management methodology, and an examination of key risk classifications (credit risk, market risk, etc. – for more, see LogicManager’s NAIC Risk Framework plugin), as well as an overview of the monitoring activities in place for self-governance.

How to Implement the Risk Maturity Model

In order to effectively and efficiently adopt the RMM without increasing the costs associated with ERM programs, an insurer should instead seek to adopt a risk-based approach to its already existing governance functions.

Many insurers have the component required by RM ORSA (IT governance, credit risk monitoring, etc.), and often times a risk management information system in place. But, have no ability to standardize the information for effective, enterprise-wide oversight.