people, focused on long-term benefits and offensive, proactive solutions. Neither approach is necessarily bad; staff may need information in different ways. Therefore, a program should be designed to account for different motivating factors, aligned with staff members' preferred perspective and approach.
“Stick” companies comply with all laws and regulations 100 percent regardless of the cost or effort, and may, for example, be unnecessarily duplicating control efforts, policies, procedures, attestations, and disclosures in order to avoid any fines, fees, or penalties. Boards of directors follow the letter of each regulatory requirement so as not to incur corporate or personal loss, but may miss important business or strategic issues by getting too focused on specific details, being too “in the weeds” of items that have a regulatory bent.
Threat of loss, serious reputational impact, and rating agency downgrade could be motivating factors to jump-start or accelerate ERM and ORSA efforts. For stick companies, effective strategies may include:
• Outlining clearly for the board and senior managers specific regulatory and non-regulatory drivers of ERM that can hurt the company, as noted above.
• Widely showcasing and circulating public examples of companies that have been penalized or hurt by large, poorly managed losses.
• Running scenario and stress testing exercises regularly for the board, managers, and all staff involved in ERM efforts, to remind them of the “bad things that can happen” if risk is not properly managed.
• Setting firm deadlines and timelines for ERM initiatives and project stages, with penalties (such as visibility on a board-level report) for individuals and departments that do not meet the deadlines.
• Making individual managers and staff personally accountable in their performance reviews for doing timely risk and control assessments, and for managing their part of the ERM program.
Carrot organizations are different. They work off a different set of triggers. They are inspired to produce more when they can see their efforts will provide long-term benefits, and may be more creative in interpreting laws. They may look more to principle than to the firm letter of the law, and may appreciate having a broader range of (beneficial) reasons to support risk management initiatives.
We’ll start with the “sticks.” Historically, regulators have incentivized companies and individuals to conform to desired behaviors with threats of heavy fines. Specific form, rate, disclosure, and financial filing requirements carry serious penalties for noncompliance. State Financial Examinations or audits uncovering regulatory breaches typically carry severe fines by type of violation at issue. In some extreme cases, the company’s licensing status may be at risk.
On the federal level, laws affecting the financial services industry focusing on corporate governance and ethics often establish personal liability against board members for any wrongdoing. Companies doing business globally may also face the threat of international sanctions. All of this offers strong incentive to the Board and senior management to commit time, energy, and resources to other compliance efforts.
What are the equivalent “teeth” behind ORSA? For better or worse, unlike past U.S. insurance regulatory mandates, the NAIC’s ORSA reporting requirements provide no concrete standards or minimum requirements that companies must implement to have an “acceptable” or a “strong” ERM program. Instead, the NAIC has set broad principles-based reporting requirements that give companies flexibility in creating their own unique risk program.
This may result in a perception at some enterprises that there is little bite to the ORSA bark. Neither the NAIC nor the states have outlined any specific dollar penalties, fines, or fees for failure to file an ORSA report or conduct risk-based capital analysis for any reason. There are also capitalization thresholds for ORSA reporting that do not require “smaller” companies to provide an ORSA report to their home state regulator. To counter this, state regulators have said that companies without a strong ERM program may be more likely to be examined and to face more market conduct scrutiny.
At the end of the day, is this enough of an incentive to divert company resources from perceived “higher penalty”
At this point in time, companies may be more motivated by a stick waved by a different source—rating agencies. Major rating agencies have factored enterprise risk management review processes into their rating methodologies. Failure to implement robust ERM programs may result in ratings downgrades. A lack of sufficient risk review protocols, and/or failure of management to take into consideration major corporate risks across the organization, might result in negative narratives or publication of deficiencies in governance structure, with a significant impact on the company’s ability to write desired lines of business or attract investors.
Would your company prefer to have a reputation as a risk management leader, or be known as a company that does not follow developing industry best practices?