Most content on insurance risk management addresses the buyer side (how a corporation manages business risk by purchasing coverage). That is corporate risk transfer. Insurance risk management means something different inside an insurance carrier, and that distinction matters for those working at a US insurer or a bank-owned insurance subsidiary subject to NAIC supervision.
This article focuses on the carrier-side discipline. Insurance risk management within a carrier is the practice of identifying, measuring, monitoring, and managing the risk of loss the insurance enterprise itself bears.

Key Risk Categories for Insurance Companies
Carriers face a distinctive set of risks. The table below maps the main categories to the risk owner inside a typical carrier and the primary regulatory anchor that drives oversight.
| Risk category | Typical risk owner | Primary regulatory anchor |
|---|---|---|
| Underwriting risk | Chief underwriting officer | NAIC RBC, Solvency II Pillar 1 |
| Reserving risk | Chief actuary | Statement of Actuarial Opinion, IFRS 17 |
| Market risk | Chief investment officer | NAIC investment limits, Solvency II Pillar 1 |
| Credit risk (reinsurance, premium) | Treasurer, head of reinsurance | NAIC credit-for-reinsurance rules |
| Operational risk | Chief operating officer | NAIC Model Audit Rule, Solvency II Pillar 2 |
| Conduct risk | Compliance officer, head of distribution | NAIC market-conduct examinations, state DOI exams |
| Catastrophe risk | Chief actuary, head of cat modelling | NAIC ORSA, state DOI cat-loss filings |

Underwriting risk is the carrier’s most fundamental exposure. The pricing assumptions used at policy inception drive the long-term solvency of the book. Adverse selection, mispricing, and emerging risks all show up here.

On the reserving side, inadequate reserves understate the carrier’s true liability and overstate surplus.

Market risk is concentrated in the carrier’s investment portfolio, which backs the reserves. Insurers are large institutional investors, and the duration mismatch between assets and liabilities is where most carrier risk programs spend the most effort.

Credit risk shows up in two main places:
- Reinsurance counterparty exposure (the chance a reinsurer cannot pay when called)
- Premium receivables (the chance policyholders or producers do not remit premium owed)
Operational risk in insurance focuses on:
- Claims handling
- Technology platforms
- Fraud
Conduct risk has grown sharply in regulatory attention since the early-2010s wave of market-conduct settlements; sales-practice supervision and suitability monitoring fall here.
Catastrophe risk (the concentration of policies in earthquake zones, hurricane corridors, or wildfire regions) is unique to insurance and can wipe out years of earnings in a single event, which is why catastrophe modelling is its own dedicated discipline.
The NAIC ORSA Framework
The NAIC adopted the Risk Management and Own Risk and Solvency Assessment Model Act in 2012, and most US states have adopted it since. ORSA applies to insurers above premium and asset thresholds and requires those insurers to:
- Maintain a risk management framework
- Conduct an own assessment of risk exposure
- Submit an ORSA Summary Report annually to the lead state regulator
The ORSA Summary Report has three required sections:
- Section 1 describes the insurer’s risk management framework, including governance, risk culture, and risk appetite.
- Section 2 documents the insurer’s own assessment of risk exposure across each category, with stress and scenario testing.
- Section 3 covers group risk capital and prospective solvency over a multi-year horizon.

Newer risk areas are also drawing regulatory attention:
- Climate-related risk now appears explicitly in NAIC guidance.
- Cyber risk receives focused attention through the NAIC Insurance Data Security Model Law.
- Artificial intelligence governance is the newest area, addressed in the AI risk management model bulletin.
ORSA is principles-based rather than prescriptive. Regulators evaluate the report based on the insurer’s business model and risk profile.
Solvency II and International Insurance Risk Frameworks
Solvency II is the EU’s prudential framework for insurance and reinsurance undertakings, in force since January 2016. The framework rests on three pillars:
- Pillar 1 sets capital requirements through SCR and MCR.
- Pillar 2 covers governance and supervisory review including ORSA.
- Pillar 3 covers public disclosure and reporting.
International groups also face oversight through the Insurance Capital Standard adopted in December 2024. Cross-border carriers increasingly maintain frameworks that satisfy both Solvency II and NAIC ORSA.
Reinsurance and Risk Transfer Mechanics
Reinsurance is the primary mechanism by which carriers transfer risk. Treaty reinsurance covers a defined portion of a book, while facultative reinsurance covers individual risks. Insurance-linked securities such as catastrophe bonds provide alternative capital for peak risks.
Reinsurance counterparty management remains critical, including credit quality, collateral arrangements, and concentration risk.
How Bank Holding Companies Integrate Insurance Risk
Bank holding companies owning insurance subsidiaries operate under dual regulation. Insurance entities follow NAIC frameworks, while holding companies are supervised by the Federal Reserve.
Enterprise risk programs integrate both views. Risk management platforms for insurance companies, such as Predict360, support these programs.
Frequently Asked Questions
What is the difference between insurance risk management and risk management for businesses?
Insurance risk management is the carrier-side discipline performed inside an insurance company. Risk management for businesses (the buyer side) is performed inside a non-insurance company and includes the decision to retain, mitigate, or transfer risk through insurance. The two share vocabulary but answer to different regulators and stakeholders.
What is NAIC ORSA?
NAIC ORSA (the Own Risk and Solvency Assessment) is a US insurance regulation requiring qualifying insurers to maintain a risk management framework, conduct their own assessment of risk exposure, and submit an annual ORSA Summary Report to their lead state regulator. The Model Act was adopted by the NAIC in 2012 and has been adopted by most US states.
What risks do insurance companies face?
Carriers face underwriting risk (mispricing, adverse selection), reserving risk (inadequate loss reserves), market risk (investment portfolio exposure), credit risk (reinsurance counterparties, premium receivables), operational risk (claims handling, fraud, technology), conduct risk (sales practices, suitability), and catastrophe risk (geographic or peril concentration).
How does Solvency II differ from NAIC ORSA?
Solvency II is the EU’s three-pillar framework with prescribed capital requirements (Pillar 1), governance and supervisory review (Pillar 2), and public disclosure (Pillar 3). NAIC ORSA is the US’s principles-based framework focused on the insurer’s own assessment of risk and prospective solvency. The ORSA component of Solvency II Pillar 2 inspired the NAIC’s adoption of the same name in 2012.
Insurance risk management is the carrier-side discipline, distinct from the corporate buyer side, and is increasingly integrated into the enterprise programs of bank holding companies that own insurance subsidiaries. The discipline runs on the same architecture every well-governed risk function does, incorporating:
- A written plan
- A continuous program
- A risk management system that produces evidence