Most content addresses the buyer side of insurance risk management (how a corporation manages business risk by purchasing coverage). That is corporate risk transfer, but insurance risk management means something different inside an insurance carrier, and that distinction matters for anyone working at a US insurer or a bank-owned insurance subsidiary subject to NAIC supervision.
This article focuses on the carrier-side discipline. Insurance risk management within a carrier is the practice of identifying, measuring, monitoring, and managing the risk of loss the insurance enterprise itself bears.

Key Risk Categories for Insurance Companies
Carriers face a distinctive set of risks. The table below maps the main categories to the risk owner inside a typical carrier and the primary regulatory anchor that drives oversight.
| Risk category | Typical risk owner | Primary regulatory anchor |
|---|---|---|
| Underwriting risk | Chief underwriting officer | NAIC RBC, Solvency II Pillar 1 |
| Reserving risk | Chief actuary | Statement of Actuarial Opinion, IFRS 17 |
| Market risk | Chief investment officer | NAIC investment limits, Solvency II Pillar 1 |
| Credit risk (reinsurance, premium) | Treasurer, head of reinsurance | NAIC credit-for-reinsurance rules |
| Operational risk | Chief operating officer | NAIC Model Audit Rule, Solvency II Pillar 2 |
| Conduct risk | Compliance officer, head of distribution | NAIC market-conduct examinations, state DOI exams |
| Catastrophe risk | Chief actuary, head of cat modelling | NAIC ORSA, state DOI cat-loss filings |
Underwriting risk is the carrier’s most fundamental exposure. The pricing assumptions used at policy inception drive the long-term solvency of the book, and adverse selection, mispricing, and emerging risks all show up here. Reserving risk is the closely related exposure: inadequate reserves understate the carrier’s true liability and overstate surplus.
Market risk is concentrated in the carrier’s investment portfolio, which backs the reserves. Insurers are large institutional investors, and the duration mismatch between assets and liabilities is where most carrier risk programs spend the most effort. Credit risk shows up in two main places:
- Reinsurance counterparty exposure (the chance a reinsurer cannot pay when called)
- Premium receivables (the chance policyholders or producers do not remit premium owed)
Operational risk in insurance focuses on:
- Claims handling
- Technology platforms
- Fraud
Conduct risk has grown sharply in regulatory attention since the early-2010s wave of market-conduct settlements; sales-practice supervision and suitability monitoring fall here.
Catastrophe risk is unique to insurance (the concentration of policies in earthquake zones, hurricane corridors, or wildfire regions) and can wipe out years of earnings in a single event, which is why catastrophe modelling is its own dedicated discipline.
The NAIC ORSA Framework
The NAIC adopted the Risk Management and Own Risk and Solvency Assessment Model Act in 2012, and most US states have adopted it since. ORSA applies to insurers above premium and asset thresholds and requires those insurers to:
- Maintain a risk management framework
- Conduct an own assessment of risk exposure
- Submit an ORSA Summary Report annually to the lead state regulator
The ORSA Summary Report has three required sections:
Section 1 describes the insurer’s risk management framework: the governance structure, risk culture, risk identification and prioritisation processes, risk appetite and tolerance statements, and the integration of risk management into business decision-making.
Section 2 documents the insurer’s own assessment of risk exposure across each material risk category, including stress and scenario testing.
Section 3 covers group risk capital and a prospective solvency assessment over a multi-year horizon.
The NAIC has sharpened ORSA expectations in recent years:
- Climate-related risk now appears explicitly in NAIC guidance, and the NAIC’s Climate Risk Disclosure Survey requires participating insurers to report on climate-risk integration.
- Cyber risk receives focused attention through the NAIC Insurance Data Security Model Law, which most states have adopted.
- Artificial intelligence governance is the newest area: the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in late 2023, sets expectations for AI risk management.
ORSA is principles-based rather than prescriptive. Lead state regulators evaluate the report in the context of the insurer’s business model and risk profile. The corollary is that insurers are expected to articulate their own approach with credibility and depth.
Solvency II and International Insurance Risk Frameworks
Solvency II is the EU’s prudential framework for insurance and reinsurance undertakings, in force since January 2016. The framework rests on three pillars:
- Pillar 1 sets capital requirements through the Solvency Capital Requirement (SCR) and the Minimum Capital Requirement (MCR), with insurers permitted to use a standard formula or an approved internal model.
- Pillar 2 covers governance and the supervisory review process, including the Own Risk and Solvency Assessment that gave the US NAIC ORSA its name.
- Pillar 3 covers public disclosure and supervisory reporting through the Solvency and Financial Condition Report and the Regular Supervisory Report.
Internationally active insurance groups face additional oversight through the International Association of Insurance Supervisors’ Insurance Capital Standard, which the IAIS adopted in December 2024 as a Prescribed Capital Requirement for IAIGs. The ICS provides a comparable group capital measure across jurisdictions and complements local solvency regimes rather than replacing them.
The 2017 Bilateral Agreement Between the United States and the European Union on Prudential Measures Regarding Insurance and Reinsurance addressed reinsurance collateral, group supervision, and information exchange, reducing some of the sharpest jurisdictional friction.
Carriers operating across borders increasingly maintain risk management frameworks that satisfy both Solvency II governance expectations and NAIC ORSA requirements simultaneously, which has driven the practitioner conversation toward common architectural patterns.
Reinsurance and Risk Transfer Mechanics
Reinsurance is the primary mechanism by which carriers themselves transfer risk. Treaty reinsurance covers a defined portion of the cedent’s book. Proportional treaties (quota share, surplus share) cede a fixed percentage of premium and losses, while non-proportional treaties (excess of loss) attach when losses exceed a threshold. Facultative reinsurance covers individual risks and is used for non-standard or large exposures.
Captive insurers (carriers wholly owned by their insureds) are a parallel mechanism increasingly used by large corporates and bank holding companies to retain and manage risk that the commercial market either prices unattractively or cannot absorb.
Insurance-linked securities (primarily catastrophe bonds) provide an alternative source of risk capital for peak peril exposures. The market has expanded substantially over the past decade, with Aon and Guy Carpenter both reporting consistently strong cat-bond issuance through 2024 and into 2025. Cat bonds typically attach above the carrier’s reinsurance program and provide multi-year risk transfer for specific perils.
The operational discipline that ties these mechanisms together is reinsurance counterparty management. The credit quality of reinsurers, the collateral arrangements behind the reinsurance recoverables, and the concentration of cessions to single counterparties all sit on the carrier’s risk register and feed the ORSA assessment.
How Bank Holding Companies Integrate Insurance Risk
US bank holding companies that own insurance subsidiaries face a dual-regulatory environment. The insurance subsidiary is supervised by its lead state insurance regulator under NAIC frameworks. The bank holding company is supervised on a consolidated basis by the Federal Reserve under the Bank Holding Company Act and, where the holding company is large enough to fall within the FRB’s heightened standards, under enhanced prudential standards.
The practical result is that the holding company’s enterprise risk program must accommodate both regulatory regimes. The insurance subsidiary’s ORSA Summary Report typically rolls into the holding company’s enterprise risk reporting, with the holding-company chief risk officer responsible for synthesising the insurance risk view alongside the bank’s credit, market, operational, and liquidity risk views.
Some holding companies maintain fully separate risk functions in the insurance subsidiary and the bank, with coordination at the CRO level. Others operate a single enterprise risk function with insurance-specific staff embedded within it. Both patterns can work, but each relies on a coherent view of risk across the enterprise and on confirming that each subsidiary still satisfies its primary regulator’s requirements.
Platforms such as Predict360, discussed in more depth in the risk management for insurance companies explainer, are used by both bank-side and insurance-subsidiary risk programs because the underlying capabilities (risk register, control library, KRI dashboards, regulatory-change feed) apply on both sides.
Frequently Asked Questions
What is the difference between insurance risk management and risk management for businesses?
Insurance risk management is the carrier-side discipline performed inside an insurance company. Risk management for businesses (the buyer side) is performed inside a non-insurance company and includes the decision to retain, mitigate, or transfer risk through insurance. The two share vocabulary but answer to different regulators and stakeholders.
What is NAIC ORSA?
NAIC ORSA (the Own Risk and Solvency Assessment) is a US insurance regulation requiring qualifying insurers to maintain a risk management framework, conduct their own assessment of risk exposure, and submit an annual ORSA Summary Report to their lead state regulator. The Model Act was adopted by the NAIC in 2012 and has been adopted by most US states.
What risks do insurance companies face?
Carriers face underwriting risk (mispricing, adverse selection), reserving risk (inadequate loss reserves), market risk (investment portfolio exposure), credit risk (reinsurance counterparties, premium receivables), operational risk (claims handling, fraud, technology), conduct risk (sales practices, suitability), and catastrophe risk (geographic or peril concentration).
How does Solvency II differ from NAIC ORSA?
Solvency II is the EU’s three-pillar framework with prescribed capital requirements (Pillar 1), governance and supervisory review (Pillar 2), and public disclosure (Pillar 3). NAIC ORSA is the US’s principles-based framework focused on the insurer’s own assessment of risk and prospective solvency. The ORSA component of Solvency II Pillar 2 inspired the NAIC’s adoption of the same name in 2012.
Insurance risk management is the carrier-side discipline, distinct from the corporate buyer side, and is increasingly integrated into the enterprise programs of bank holding companies that own insurance subsidiaries. The discipline runs on the same architecture every well-governed risk function does, incorporating:
- A written plan
- A continuous program
- A risk management system that produces evidence