The ISO 31000:2009, Basel III recommendations, the EU Capital Requirement Directives and the Own Risk and Solvency Assessment (ORSA)/Forward Looking Assessment of Own Risk (FLAOR) processes of Solvency II Directives profoundly affect the financing and the insurance of companies in all business sectors and local authorities.

US companies use US National Association of Insurance Commissioners (NAIC) recommendations based on the fundamental principles of ORSA; EU firms refer to FLAOR recommendations; and companies in other countries (e.g., Canada, Japan, China) refer to Solvency II as an international best practice.

This regulatory change began in June 2008 when the American International Group (AIG) faced a financial disaster. The risk maps and risk registers in place, usually under Basel II, were designed to capture incident data to calculate the relative value at risk (VaR) using a stochastic approach (statistics and probability). In this approach, VaR equals unexpected loss. Following the subprime mortgage crisis in 2008, clause 5 of ISO 31000:2009 recommended risk treatment from the point of view of the corporate manager and not from the point of view of the stochastic engineer. It is the cost accounting process of the absolute VaR (VaR = expected loss + unexpected loss) taking into account the risk appetite tolerance threshold.

In March 2012, as part of the NAIC Solvency Modernization Initiative (SMI), the NAIC voted to adopt a significant new addition to US insurance regulation: ORSA. The manner of the calculations used in an ORSA report was left to the discretion of each insurer. This led to variations in the measurement techniques of ORSA among companies. The insurers were concerned because a hard and fast, one-size-fits-all solution does not exist. The output was specific to the company, and a set of documents should demonstrate the results of the self-assessment and understanding of own risks.

The Information Technology-Investor Relationship Management (IT-IRM) proposes a standardized, logical process for ORSA measurement. Our recent Journal article covers how this IT application makes ORSA a logical assessment based on real-time data, making risk controllable and assessable using the same base criteria for economic capital and the same indicators, factors or causes as the determinants of operational risk.

Read Simon Grima, Robert W. Klein, Ronald Zhao, Frank Bezzina and Pascal Lélé's recent Journal article:
"Strengthening Value and Risk Culture Using a Real-time Logical Tool," ISACA Journal, volume 3, 2016.

[ISACA Journal Author Blog]

By Philip Hung Cao

Philip Hung Cao (aka #tekfarmer), MSCS, ZTX-I, CCISO, CISM, CCSP, CCSK, CASP, GICSP, PCNSE is a Strategist, Advisor, Contributor, Educator and Motivator. He has 20 years' experience in the IT/Cybersecurity industry in various sectors and positions.