ORSA Review TemplateGroup/Insurer:Group Code/Cocode:Valuation Date:Submission Date:General Instructions:This template is intended to be used to document a review and assessment of the ORSA SummaryReport by the lead/domestic state. Regulators should document the results of their annual review of theORSA and utilize the appendixes to track and communicate feedback to the company and procedures forregulatory follow-up. See VI.E. Group-Wide Supervision – Enterprise Risk Management Process RisksGuidance for additional guidance in completing this template.Prepared/Reviewed By:Date:Date of Last Exam:Date of Next Exam: 2020 National Association of Insurance Commissioners1

Background InformationSummarize and assess background information provided in the report, where available. Key documentationelements are presented below.1. Attestation:2. Entities in Scope:3. Accounting Basis:4. Key Business Goals:5. Changes from Prior Filing(s):6. Planned ERM Enhancements: 2020 National Association of Insurance Commissioners2

Section I – Description of the Insurer’s ERM FrameworkSummarize and assess key information from Section I of the ORSA Summary Report for each of the fiveprinciples of a risk management framework.1. Risk Culture and Governance:2. Risk Identification and Prioritization:3. Risk Appetite, Tolerances and Limits:4. Risk Management and Controls:5. Risk Reporting and Communication:Overall Section 1 Assessment—After reviewing and considering each principle individually, develop an overallassessment of the group’s/insurer’s risk management framework including any concerns or areas requiringfollow-up investigation or communication: 2020 National Association of Insurance Commissioners3

Section II – Insurer Assessment of Risk ExposuresPrepare documentation summarizing a review and assessment of information provided on the reasonablyforeseeable and relevant material risks of the insurer/group.THE FOLLOWING TABLE SHOULD BE COMPLETED FOR EACH KEY RISKRisk Title/DescriptionBranded Risk(s)Controls/MitigationRisk LimitsAssessment (QT/QL)Normal ExposureStress Scenario(s)Stressed ExposureInclusion on GPS/IPSRegulator Review & Assessment:Overall Section 2 Assessment—After reviewing and considering each key risk individually, develop an overallconclusion regarding the group’s/insurer’s process to assess key risk exposures including any concerns or areasrequiring follow-up investigation or communication: 2020 National Association of Insurance Commissioners4

Section III – Assessment of Risk Capital and Prospective SolvencyPrepare documentation summarizing a review and assessment of key elements of the risk capital and prospectivesolvency process as follows.1. Discussion of Capital Metric(s) Used:2. Group Risk Capital (GRC) – By Risk and In Aggregate:3. Impact of Diversification Benefit:4. Available Capital:5. Excess Capital:6. Impact of Stresses on GRC:7. Governance and Validation:8. Prospective Solvency Assessment:Overall Section III Assessment—After reviewing and considering each of the key elements individually,develop an overall assessment of the risk capital and prospective solvency of the insurer/group including anyconcerns or areas requiring follow-up investigation or communication: 2020 National Association of Insurance Commissioners5

Appendix A – Feedback to InsurerFeedback to the insurer on the ORSA Summary Report is critical for the compliance and effectiveness of futurefilings. The purpose of this form is to help the lead/domestic state gather and provide constructive and practicalfeedback to the insurer.Positive Attributes:1.2.3.Constructive Feedback:1.2.3.Requests for Additional Information:1.2.3. 2020 National Association of Insurance Commissioners6

Appendix B – Recommended Exam Procedures/Areas for Follow-up InvestigationIn completing a review of the ORSA Summary Report, the lead state/domestic regulator should consider whethercertain elements could benefit from verification/testing in an examination or additional monitoring and follow-upinvestigation by the financial analyst. Such procedures and issues can be accumulated here for communicationand tracking.Background Information1.2.3.Section I - ERM Framework1.2.3.Section II - Risk Assessment1.2.3.Section III - Risk Capital and Prospective Solvency1.2.3. 2020 National Association of Insurance Commissioners7

Financial Analysis Handbook201820 Annual / 201921 QuarterlyVI.E. Group-Wide Supervision – Enterprise Risk Management Process Risks GuidanceIntroductionThe process for assessing enterprise risk management (ERM) within the group will vary depending upon itsstructure and scale. Approximately 90 percent of the U.S. premium is subject to reporting an annual Own RiskSolvency assessment Assessment (ORSA) Summary Report. However, all insurers are subject to an assessment ofrisk management during the risk-focused analysis and examination, and this review is a responsibility of the leadstate. In addition, all groups are required to submit the Form F - Enterprise Risk Report under the requirements ofthe NAIC Insurance Holding Company System Regulatory Act (#440). In addition, both the ORSA Summary Reportand the Form F are subject to the supervisory review process, which contemplates both off-site and on-siteexamination of such information proportionate to the nature, scale and complexity of the insurer/group’s risks.Those procedures are discussed in the following two sections. In addition, any risks identified throughout theentire supervisory review process are subject to further review by the lead state in either the periodic meetingwith the insurer/group and/or any targeted examination work. When reviewing the ORSA and Form F, the leadstate analyst should consider consistency between the documents, as well as information provided in theCorporate Governance Annual Disclosure.ORSA Summary ReportThe NAIC Risk Management and Own Risk and Solvency Assessment Model Act (#505) requires insurers above aspecified premium threshold, and subject to further discretion, to submit a confidential annual ORSA SummaryReport. Model #505 gives the individual insurer and the insurance group discretion as to whether the report issubmitted by each individual insurer within the group or by the insurancer group as a whole (See the NAIC OwnRisk Solvency Assessment Guidance Manual for further discussion).xLead State: In the case where the insurance group chooses to submit one ORSA Summary Report for thegroup, it must be reviewed by the lead state. The lead state is to perform a detailed and thorough review ofthe information and initiate any communications about the ORSA with the group. The suggestions below setforth some possible considerations for such a review. At the completion of this review, the lead state shouldprepare a thorough summary of its review, which would include an initial assessment of each of the threesections. The lead state should also consider and include key information to share with other domestic statesthat are expected to place significant reliance on the lead state’s review. The lead state should share theanalysis of ORSA with other states that have domestic insurers in the group. The group ORSA review andsharing with other domestic states should occur within 120 days of receipt of the ORSA filing.xNon-Lead State: Non-lead states are not expected to perform an in-depth review of the ORSA, but insteadrely on the review completed by the lead state. The non-lead states’ review of anthe lead state’s ORSA reviewshould be performed only for the purpose of having a general understanding of the work performed by thelead state, and to understand the risks identified and monitored at the group-level so the non-lead state maybetter monitor and communicate to the lead state when its legal entity could affect the group. Any concernsor questions related to information in the ORSA or group risks should be directed to the lead state.xSingle Insurer ORSA: In the case where there is only one insurer within the insurance group, or the groupdecides to submit separate ORSA Summary Reports for each legal entity, the domestic state is to perform adetailed and thorough review of the information, which would include an initial assessment of each of thethree sections and initiate any communications about the ORSA directly with the legal entity. Such a reviewshould also be shared with the lead state (if applicable) so it can develop an understanding of the risks withinthe entire insurance group. Single insurer ORSA reviews should be completed within 180 days of receipt ofthe ORSA filing. 2020 National Association of Insurance Commissioners8

Financial Analysis Handbook201820 Annual / 201921 QuarterlyVI.E. Group-Wide Supervision – Enterprise Risk Management Process Risks GuidanceThroughout a significant portion of the remainder of this document, the term “insurer” is used to refer to both asingle insurer for those situations where the report is prepared by the legal entity, as well as to refer to aninsurance group. However, in some cases, the term group is used to reinforce the importance of the group-wideview. Similarly, throughout the remainder of this document, the term "lead state” is used before the term“analyst” with the understanding that in most situations, the ORSA Summary Report will be prepared on a groupbasis and, therefore reviewed by the lead state.Background InformationTo understand the appropriate steps for reviewing the ORSA Summary Report, regulators must first understandthe purpose of the ORSA. As noted in the ORSA Guidance Manual, the ORSA has two primary goals:1. To foster an effective level of (ERM) at all insurers, through which each insurer identifies, assesses, monitors,prioritizes and reports on its material and relevant risks identified by the insurer, using techniques that areappropriate to the nature, scale and complexity of the insurer’s risks, in a manner that is adequate to supportrisk and capital decisions2. To provide a group-level perspective on risk and capital, as a supplement to the existing legal entity view.In addition, separately, the ORSA Guidance Manual discusses the regulator obtaining a high-level understandingof the insurer’s ORSA, and discusses how the ORSA Summary Report may assist the commissioner in determiningthe scope, depth and minimum timing of risk-focused analysis and examination procedures.There is no expectation with respect to specific information or specific action that the lead state regulator is totake as a result of reviewing the ORSA Summary Report. Rather, each situation is expected to result in a uniqueongoing dialogue between the insurer and the lead state regulator focused on the key risks of the group. For thisreason, as well as others, the lead state analyst may want to consider including in its initialadditional support inthe form of a broader review team as necessary in reviewing of the ORSA Summary Report, subject to theconfidentiality requirements outlined in statute. In reviewing the final ORSA filing prior to the next scheduledfinancial examination, the analyst should consider inviting the lead state examiner or any other individual actingunder the authority of the commissioner or designated by the commissioner with special skills and subject toconfidentialityto participate on the review team. Regardless of which individuals are involved on a review team,the 120-day or 180-day timeliness standards are applicable to the review. Additionally, the lead state analyst andexaminer may want to include them the review team in possible ongoing dialogues with the insurer since thesame team will be part of the ongoing monitoring of the insurer and an ORSA Summary Report is expected to beat the center of the regulatory processes. A joint review such as this prior to the lead state analyst documentingits summary of the ORSA Summary Report may be appropriate.These determinations can be documented as part of each insurer’s ongoing supervisory plan. However, the ORSAGuidance Manual also states that each insurer’s ORSA will be unique, reflecting the insurer’s business model,strategic planning and overall approach to ERM. As regulators review ORSA Summary Reports, they shouldunderstand that the level of sophistication for each group’s ERM program will vary depending upon size, scopeand nature of business operations. Understandably, less complex organizations may not require intricateprocesses to possess a sound ERM program. Therefore, regulators should use caution before using the results ofan ORSA review to modify ongoing supervisory plans, as a variety of practices may be appropriate depending uponthe nature, scale and complexity of each insurer.Collectively, the goals above are the basis upon which the guidance is established. However, the ORSA SummaryReport will not serve this function or have this direct impact until the lead state becomes fairly familiar andcomfortable with evaluating each insurer’s report and its processes. This could take more than a couple of yearsto occur in practice, since the lead state would likely need to review at least one or two ORSA Summary Reportsto fully understand certain aspects of the processes used to develop the report. 2020 National Association of Insurance Commissioners9

Financial Analysis Handbook201820 Annual / 201921 QuarterlyVI.E. Group-Wide Supervision – Enterprise Risk Management Process Risks GuidanceGeneral Summary of Guidance for Each SectionThe guidance that follows is designed to assist the lead state analyst in the review of the ORSA and to allow foreffective communication of analysis results with the non-lead states. It is worth noting that this guidance isexpected to evolve over the years, with the first couple of years focused on developing a general understandingof ORSA and ERM. It should be noted that each of the sections can be informative to the other sections. As anexample, Section II affords an insurer the opportunity to demonstrate the robustness of