On 29 July 2011, the NYSID released a proposed circular letter (the “Letter”) announcing its expectations with respect to the establishment and maintenance of an Enterprise Risk Management (“ERM”) function by insurers and health maintenance organizations domiciled in New York. The Letter provides that an effective ERM function should be able to “identify, measure, aggregate, and manage risk exposures within predetermined tolerance levels, across all activities of the insurer or group of insurers”. The evaluation of an insurer’s ERM practices is expected to be performed in connection with the statutory examination of the insurer, but may be conducted as a separate exercise.
The Letter lists the following criteria that the NYSID will look for when evaluating an insurer’s ERM function:
- The ERM function should be objective, headed by a properly credentialed individual and adequately resourced with competent personnel who are able to provide management and the board of directors with ongoing assessments of the insurer’s risk profile.
- An insurer should have a written risk policy that delineates its risk/reward framework, risk tolerance levels and risk limits.
- An insurer’s ERM process of risk identification and quantification should be supported by documentation providing appropriately detailed descriptions and explanations of risks identified, the measurement approaches used, key assumptions made and outcomes of any plausible adverse scenarios that were run. Scenario and stress testing should also be a key component of the ERM function.
- An insurer’s ERM function should have risk and capital management processes in place to monitor the level of its financial resources relative to its economic capital and the regulatory capital requirements.
- An insurer’s board of directors and senior management should begin to contemplate performing its own risk and solvency assessment (“ORSA”) as part of the ERM function to assess the adequacy of its risk management and current and future solvency position.
- An insurer should address as part of its ERM/ORSA all reasonably foreseeable and relevant material risks including, at a minimum: insurance, underwriting, asset-liability matching, credit, market, operational, reputational, liquidity, and any other significant risks associated with group membership.
- If an insurer is part of an affiliated group of companies under common control or management, the insurer’s ERM function should identify, quantify and manage any risks to which the insurer may be exposed by transactions, or affiliation, with the other affiliates within the group.
The Letter states that the NYSID views the ERM function as a “key component of the risk-focused surveillance process” and will incorporate the results of the ERM evaluation into the standard examination process. The inclusion of an insurer’s affiliates within the scope of the ERM exercise reflects a concern on the part of state insurance regulators about potential “contagion” to insurers resulting from the activities of their non-insurance affiliates.