Insurance Circular Letter No. 14 (2011)

December 19, 2011


All Domestic Insurers and Public Health Law Article 44 Health Maintenance Organizations (“HMOs”) (Collectively, “Insurers”)


Enterprise Risk Management

STATUTORY REFERENCE: N.Y. Ins. Law §§ 201, 301, 310, 1115, Articles 13 and 14.


Given the importance of risk management, the Department of Financial Services (“Department”) expects every insurer to adopt a formal Enterprise Risk Management (“ERM”) function. An effective ERM function should identify, measure, aggregate, and manage risk exposures within predetermined tolerance levels, across all activities of the enterprise of which the insurer is part, or at the company level when the insurer is a stand-alone entity.


The Department encourages all insurers to effectively manage enterprise risk. As used in this Circular Letter, enterprise risk means any activity, circumstance, event or series of events involving one or more affiliates of an insurer that, if not remedied promptly, is likely to have a material adverse effect upon the financial condition or liquidity of the insurer or its insurance holding company system as a whole.

The ERM function should be appropriate for the nature, scale, and complexity of those risks. Further, the Department recognizes that a dedicated ERM function may be impractical or too costly for small insurers.

The Department views ERM as a key component of the risk-focused surveillance process. An insurer that maintains an effective ERM function upon which examination teams may rely will assist the Department with performing a more efficient examination.

The Department has recently established evaluation criteria to assess an insurer’s ERM practices. Specifically, the Department has implemented a process of evaluating an insurer’s ability to identify, measure, aggregate, and manage risk exposures within predetermined guidelines across all activities. The Department expects to perform the evaluation in conjunction with the statutory examination, but may also conduct the evaluation as a stand-alone exercise. The evaluation includes obtaining an understanding of the ERM function through interviews, questionnaires, and other documentation to be supplied by the insurer. The Department will also substantiate and validate key components of the insurer’s ERM function.

The insurers that the Department selects for an ERM evaluation will receive advance notice. If the Department intends to conduct the ERM evaluation in conjunction with the statutory examination, the Department will distribute a request for information with the standard pre-exam planning materials sent to the insurer prior to the examination. The Department will incorporate the results of the ERM evaluation into the standard exam process to enhance the risk-focused surveillance process.

When conducting an ERM evaluation, the Department will look for adherence to the following ERM function objectives:

  • An objective ERM function, headed by an appropriately experienced individual with the requisite authority and access to the board of directors and senior management, that is adequately resourced and has competent personnel who are able to provide the insurer’s board of directors and management with ongoing assessments of the insurer’s risk profile.
  • A written risk policy that delineates the insurer’s risk/reward framework, risk tolerance levels, and risk limits. An insurer’s ERM function should provide for the identification and quantification of risk under a sufficiently wide range of outcomes using techniques that are appropriate to the nature, scale, and complexity of the risks the insurer bears and are adequate for capital management and solvency purposes.
  • A process of risk identification and quantification supported by documentation providing appropriately detailed descriptions and explanations of risks identified, the measurement approaches used, key assumptions made, and outcomes of any plausible adverse scenarios that were run. Prospective solvency assessments, including scenario and stress testing, should be a key component of the ERM function, as they can help highlight the impact of such scenarios and stresses on an insurer’s future solvency. The insurer’s ERM function should incorporate risk tolerance levels and limits in the policies and procedures, business strategy, and day-to-day strategic decision-making processes.
  • In the context of its overall ERM framework, an insurer should consider a risk and capital management process to monitor the level of its financial resources relative to its economic capital and the regulatory capital requirements. Additionally, an effective ERM function should incorporate investment policy, asset-liability management policy, effective controls on internal models, longer-term continuity analysis, and feedback loops to update and improve ERM continuously.
  • An insurer should address as part of its ERM all reasonably foreseeable and relevant material risks including, as applicable: insurance; underwriting; asset-liability matching; credit; market; operational; reputational; liquidity; and any other significant risks associated with group membership. The assessment should include identifying the relationship between risk management and the level and quality of financial resources necessary as determined with quantitative and qualitative metrics.
  • Additionally, an insurer’s board of directors and senior management should contemplate having the insurer perform its own risk and solvency assessment (“ORSA”) as part of the ERM function to assess the adequacy of its risk management and current and future solvency position. Insurers should keep current with NAIC developments with regard to reporting on their ORSA. The ability of an insurer to reflect risks in a robust manner in its own assessment of risk and solvency is a key component of an effective overall ERM function. Insurers should consider the guidance provided in the ORSA Guidance Manual when conducting their ORSA. An insurer should perform its ORSA on a regular basis and should share the results of the assessment with senior management and its board of directors.
  • If an insurer is part of a holding company, consolidated enterprise, conglomerate, or other group characterized by common control or management, then the insurer’s ERM function should identify, quantify, and manage any risks to which the insurer may be exposed by transactions, or affiliation, with the holding company or the other affiliates within the group. That is, the insurer should assess and identify methods to manage the impact of affiliated entities or the holding company on the insurer. If systems to perform these functions are located at the common control and management level (e.g., holding company), then the insurer should be able to demonstrate how those systems anticipate and mitigate or manage the risks to which affiliates expose the insurer. This demonstration should include not only those risks that may result in direct financial loss to the insurer through transactional or common control ties, but also reputational and other risks where the loss of confidence in one member of the group may cause distress to the insurance company.

An insurer that believes that any of the records it submits to the Department in connection with its ERM contain “trade secrets . . . or if disclosed would cause substantial injury to the competitive position of the subject enterprise” may request, pursuant to New York Public Officers Law § 87(2)(d), that the Department except such documents from disclosure pursuant to Public Officers Law § 89(5)(a)(1). Should the Department receive a request for records for which an insurer requested an exception from disclosure, the Department will notify the insurer and provide the insurer with an opportunity to respond in accordance with Article 6 of the Public Officers Law.


The Department views ERM as a key component of the risk-focused surveillance process, and expects every insurer to adopt a formal ERM function that identifies, measures, aggregates, and manages risk exposures within predetermined tolerance levels, across all activities of the enterprise of which the insurer is part, or at the company level when the insurer is a stand-alone entity.

Please direct any questions or comments regarding this circular letter to Tim Nauheimer, Chief Risk Management Specialist, Markets Division, at (212) 709-1538 or [email protected].

Very truly yours,

Matti Peltonen
Acting Executive Deputy Superintendent