Operational Risk Management in Insurance: Frameworks, Risk Categories, and Regulatory Requirements

Introduction

Operational risk management in insurance is the discipline of identifying, assessing, monitoring, and mitigating risks arising from failed or inadequate internal processes, people, systems, and external events. It applies to all insurers and reinsurers operating across life, non-life, and specialty lines. Regulatory frameworks, including Solvency II, the NAIC ORSA Model Act, and IAIS ICP 16 set the baseline requirements for how these risks must be governed and reported.

Key Takeaways

  • Operational risk is embedded in core insurance functions like underwriting and claims, directly affecting both financial outcomes and policyholder trust.
  • Global frameworks such as Solvency II, NAIC ORSA, and IAIS ICP 16 define ORM expectations, but insurers must navigate differences across jurisdictions.
  • Key risk areas include model risk, claims process failures, conduct risk, and technology or cyber threats, all under increasing regulatory scrutiny.
  • Effective ORM relies on strong governance, clearly defined risk appetite, structured risk assessments, and continuous monitoring supported by loss data.
  • ORSA remains the central regulatory requirement, linking risk exposure to capital adequacy under both normal and stressed conditions.
  • Siloed data across underwriting, claims, and compliance functions continues to limit visibility and slow down risk reporting.
  • Managing regulatory change across EU, US, and UK frameworks adds operational complexity and requires structured tracking and adaptation.
  • Building a risk-aware culture across business units is critical to making ORM effective in practice, not just in policy.
  • AI is driving a shift toward continuous monitoring, automated ORSA processes, and stronger model risk governance.
  • Integrated platforms are essential to connect data, streamline workflows, and meet evolving regulatory and reporting demands.

Why Operational Risk Management in Insurance Is a Distinct Discipline

Insurance is frequently compared to banking as a financial services sector, and for some purposes, that comparison holds. Both involve capital adequacy requirements, risk-based supervision, and enterprise risk management frameworks. But operational risk management in insurance carries obligations and exposures that do not map neatly onto the banking model.

The core difference is structural. Insurers hold long-dated liabilities, policy obligations that may not crystallize for decades, and their exposure to operational failure is closely entangled with underwriting, claims, and actuarial functions that have no direct banking equivalent. A process failure in claims handling erodes policyholder trust, triggers conduct risk exposure, and may directly affect the insurer's ability to meet its core contractual obligations. This dual exposure to financial loss and to policyholder harm makes operational risk a more integrated concern for insurers than for banks, where operational failures are typically more separable from core credit and market risk functions.

Regulatory frameworks reflect this distinction. The three frameworks that most directly shape operational risk management in insurance, Solvency II in the EU, the NAIC ORSA Model Act in the United States, and IAIS ICP 16 globally, each embed ORM requirements inside broader enterprise risk and solvency frameworks. Understanding how each framework defines, scopes, and tests operational risk is the starting point for any insurer or reinsurer building or reviewing its ORM program.

What Is Operational Risk in Insurance?

Operational risk in insurance refers to the risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. This definition aligns with the framing used by the International Association of Insurance Supervisors (IAIS) under ICP 16, which addresses enterprise risk management for solvency purposes and requires supervisors to ensure insurers maintain a structured approach to identifying, assessing, and managing all material risks, including operational ones.

What distinguishes operational risk from the risks more commonly associated with insurance, specifically underwriting, market, and credit risk, is that it does not arise from the business of risk transfer itself. Underwriting risk is the risk that claims exceed the premium collected. Market risk is the risk that investment portfolios decline in value. Credit risk is the risk that counterparties default. Operational risk sits alongside all three: it is the risk that the processes and people managing those other risks will malfunction, and that systems or external events will compound the damage.

Key Risk Categories in Insurance ORM

The operational risk profile of an insurer spans several distinct categories. Each category carries different causal drivers, different detection methods, and different regulatory implications. The categories below represent the areas that receive the most sustained regulatory and supervisory attention:

  • Underwriting risk arises when pricing models, actuarial assumptions, or risk selection processes produce premiums that are insufficient to cover claims and expenses over the policy period. Although the regulatory frameworks discussed below treat underwriting risk as a separate risk module, the process failures that cause poor underwriting outcomes, including inadequate data quality, miscalibrated models, and insufficient peer review, are operational in nature.
  • Catastrophe risk is the risk of concentrated, correlated losses from a single event or series of related events, such as a major hurricane, earthquake, or pandemic. Insurers managing catastrophe risk must maintain robust scenario modeling capabilities, stress-tested reinsurance programs, and capital buffers sufficient to absorb tail events without impairing policyholder protection.
  • Model risk is the risk of adverse consequences arising from decisions based on incorrect or misused models. It includes errors in model design, data inputs, implementation, and interpretation. As AI and machine learning tools become more prevalent across the insurance value chain, model risk has expanded significantly.
  • Claims risk refers to the risk of operational failures in the claims handling process: late settlement, fraudulent claims not detected, inaccurate reserving, or inconsistent application of policy terms. Claims process failures carry both financial and conduct risk dimensions and are a frequent focus of market conduct examinations.
  • Conduct risk is the risk that the way an insurer designs, sells, or administers products causes harm to policyholders or fails to meet regulatory expectations for fair treatment. It covers mis-selling, inadequate disclosure, poor complaint handling, and biased algorithmic decision-making. In the UK, the FCA Consumer Duty frames this as an outcome-based obligation to deliver good outcomes for retail customers throughout the product lifecycle.
  • Technology and cyber risk encompass the operational disruptions, data breaches, ransomware attacks, and third-party system failures that can affect an insurer's ability to service policyholders, process claims, and maintain regulatory reporting. As insurers become more dependent on cloud infrastructure and third-party technology providers, this category has grown as a supervisory priority.

Regulatory Frameworks for Insurance ORM

The regulatory architecture for operational risk management in insurance reflects both the jurisdictional fragmentation of global insurance markets and the cross-border ambitions of major frameworks. Three frameworks, in particular, shape how most insurers structure their ORM programs:

1. Solvency II (Pillars 1, 2, and 3) is the EU's primary prudential framework for insurers and reinsurers. It operates across three pillars:

  • Pillar 1 sets quantitative capital requirements (including a capital charge for operational risk under the standard formula)
  • Pillar 2 establishes governance, internal control, and risk management requirements, including the Own Risk and Solvency Assessment (ORSA)
  • Pillar 3 covers public and regulatory disclosure.

The amending directive (EU) 2025/2 was published in the Official Journal of the European Union on 8 January 2025, with member states required to apply the new rules by 30 January 2027. The 2025 review introduces macroprudential tools, enhanced ORSA requirements incorporating systemic risk analysis, and a new proportionality regime for "small and non-complex undertakings" (SNCUs) that reduces ORM reporting burdens for qualifying firms.

2. NAIC ORSA Model Act #505 is the US framework requiring insurers and insurance groups above specified premium thresholds to conduct an Own Risk and Solvency Assessment at least annually. Under Model Act #505, the ORSA applies to any individual US insurer writing more than $500 million in annual direct written and assumed premium, and to insurance groups collectively writing more than $1 billion. The ORSA must cover the insurer's risk management framework, its assessment of risk exposures in both normal and stressed environments, and a group-level capital adequacy assessment.

3. IAIS ICP 16 addresses enterprise risk management for solvency purposes and provides the global supervisory standard against which national frameworks are benchmarked. ICP 16 requires supervisors to ensure that insurers maintain a documented ERM framework covering all material risks, including operational risks, with clear ownership, risk appetite statements, and linkage to capital planning. As of 2026, the IAIS represents supervisors from over 200 jurisdictions covering approximately 97% of global insurance premiums, reinforcing the global reach and influence of ICP-based standards.

Comparison Table: Key Insurance ORM Regulatory Frameworks

Framework | Region | Who It Applies To | Key ORM Requirement
Solvency II (incl. 2025 Review) | European Union | All EU insurers and reinsurers; lighter regime for SNCUs from 2027 | ORSA covering operational risk, capital adequacy, and macroprudential stress; Pillar 1 capital charge for operational risk
NAIC ORSA Model Act #505 | United States | Insurers writing >$500M premium; groups writing >$1B | Annual ORSA Summary Report covering risk management framework, risk exposures, and group capital adequacy
IAIS ICP 16 | Global (standard-setting) | All IAIS member jurisdictions and their supervised insurers | ERM framework covering all material risks; documented risk appetite, ownership, and linkage to solvency assessment
FCA Consumer Duty | United Kingdom | All FCA-authorized firms distributing retail insurance products | Outcome-based conduct obligations: demonstrate good outcomes for retail customers across product lifecycle

What an Effective ORM Program Looks Like

The steps below reflect how well-run insurance ORM programs are structured:

Step 1: Establish a Governance Structure with Clear Risk Ownership

Effective ORM begins at the board level. The board must approve the organization's risk appetite statement and receive regular reporting on material operational risks. Below the board, a Chief Risk Officer or equivalent function holds primary responsibility for the ORM framework, with clear delegation to business-line risk owners who are accountable for risks within their operations. The three-lines-of-defense model, with operational management as the first line, the risk function as the second, and internal audit as the third, should be explicitly mapped and documented, with each line's responsibilities defined and tested regularly.

Step 2: Define and Maintain a Risk Appetite Framework

The risk appetite statement must express the insurer's tolerance for operational risk in terms that are specific enough to drive behavior. Broad qualitative statements ("we accept low operational risk") do not satisfy regulatory expectations and do not support decision-making. Appetite statements should set quantitative tolerances for specific risk categories, such as technology downtime, claims error rates, and data breach frequency, and should be reviewed by the board at least annually and whenever the business model changes materially.

Step 3: Build a Risk Identification and Assessment Process

Risk identification in insurance ORM typically combines top-down scenario analysis (what could go wrong at the enterprise level) with bottom-up risk and control self-assessment (RCSA) exercises at the business-unit level. The RCSA process requires each unit to identify its material operational risks, rate the inherent risk, assess the strength of existing controls, and calculate residual risk. Results are aggregated and prioritized for senior management and board review.

Step 4: Implement Monitoring Controls and Loss Data Collection

Identifying risks is only part of the obligation. Insurers must also track the performance of controls designed to mitigate those risks and collect data on operational loss events. Loss event data, including near-misses and realized losses, provides the empirical foundation for refining risk assessments over time and for benchmarking the organization's operational risk profile against industry experience. ORSA requirements in both the US and EU explicitly require that risk assessments reflect the insurer's own historical experience, not only external benchmarks.

Step 5: Produce Board and Regulatory Reporting That Drives Action

Board-level operational risk reports should present the top risks by residual severity, the status of key controls, loss event trends, and changes in the risk environment since the last reporting cycle. The ORSA Summary Report filed with regulators must document the ERM framework, the results of the risk assessment, and the insurer's view of current and projected capital adequacy given its risk profile. Under Solvency II's 2025 revisions, ORSA reporting now also requires macroprudential risk analysis for larger undertakings.
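The five steps above, run end to end on constructed data, as an added example. This is illustrative code written for this page, not MetricStream's platform or any regulator's prescribed method. It assumes a 5-point likelihood and impact scale, a control-effectiveness mapping, and the tolerance limits shown; the RCSA lines and loss events are made up. It scores inherent and residual risk for each RCSA line, aggregates to the enterprise view, derives key risk indicators (KRIs) from the loss-event log while keeping near misses out of the breach count, and tests the KRIs against the appetite limits.

```python
"""RCSA scoring, enterprise aggregation and a risk-appetite check.
Added example, not MetricStream's or any regulator's code. The 5-point scales,
the control-effectiveness factors, the tolerance limits, the RCSA lines and the
loss-event log are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Share of inherent risk that remains after controls (assumed mapping).
CONTROL_RESIDUAL_FACTOR = {"weak": 1.0, "partial": 0.75, "adequate": 0.5, "strong": 0.25}
# Quantitative tolerances per reporting period (assumed): category -> (KRI, limit).
APPETITE = {"technology": ("unplanned_downtime_hours", 4.0),
            "claims": ("claims_error_rate", 0.02),
            "cyber": ("reportable_data_breaches", 0.0)}

@dataclass(frozen=True)
class RcsaEntry:
    """One line of a business unit's risk and control self-assessment."""
    unit: str
    risk: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)
    control: str     # key of CONTROL_RESIDUAL_FACTOR

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.control not in CONTROL_RESIDUAL_FACTOR:
            raise ValueError(f"unknown control rating {self.control!r}")

    @property
    def inherent(self) -> float:
        return float(self.likelihood * self.impact)  # 1..25 before controls

    @property
    def residual(self) -> float:
        return self.inherent * CONTROL_RESIDUAL_FACTOR[self.control]

def aggregate_by_category(entries: List[RcsaEntry]) -> Dict[str, float]:
    """Enterprise view: worst residual per category. Max rather than sum, so a
    well-controlled unit cannot mask a badly controlled one in the same category."""
    worst: Dict[str, float] = defaultdict(float)
    for e in entries:
        worst[e.category] = max(worst[e.category], e.residual)
    return dict(worst)

def top_risks(entries: List[RcsaEntry], n: int = 3) -> List[RcsaEntry]:
    """Prioritisation for senior management: highest residual first."""
    return sorted(entries, key=lambda e: e.residual, reverse=True)[:n]

def kris_from_loss_events(events: List[dict], claims_processed: int) -> Dict[str, float]:
    """Derive KRIs from the insurer's own loss-event log. Near misses are kept
    for trend reporting but are not realised breaches of tolerance."""
    realised = [e for e in events if not e["near_miss"]]
    return {
        "unplanned_downtime_hours": sum(e.get("downtime_hours", 0.0)
                                        for e in realised if e["category"] == "technology"),
        "claims_error_rate": sum(e["category"] == "claims" for e in realised) / claims_processed,
        "reportable_data_breaches": float(sum(e["category"] == "cyber" for e in realised)),
        "near_misses": float(len(events) - len(realised)),
    }

def check_appetite(kris: Dict[str, float]) -> List[Tuple[str, str, float, float]]:
    """Return (category, KRI, observed, limit) for each breached tolerance. A KRI
    with no data counts as a breach: an unmeasured tolerance cannot be evidenced."""
    breaches = []
    for category, (metric, limit) in APPETITE.items():
        value = kris.get(metric)
        if value is None or value > limit:
            breaches.append((category, metric, float("nan") if value is None else value, limit))
    return breaches

# Constructed RCSA lines and one quarter's loss-event log.
RCSA = [
    RcsaEntry("Claims", "Inconsistent application of policy terms", "claims", 4, 3, "partial"),
    RcsaEntry("Claims", "Undetected fraudulent claims", "claims", 3, 4, "adequate"),
    RcsaEntry("IT", "Core policy administration platform outage", "technology", 3, 5, "adequate"),
    RcsaEntry("IT", "Ransomware via third-party provider", "cyber", 2, 5, "partial"),
]
LOSS_EVENTS = [
    {"category": "technology", "near_miss": False, "downtime_hours": 2.5, "loss": 40_000},
    {"category": "technology", "near_miss": True, "downtime_hours": 3.0, "loss": 0},
    {"category": "technology", "near_miss": False, "downtime_hours": 2.0, "loss": 15_000},
    {"category": "claims", "near_miss": False, "loss": 12_000},
    {"category": "claims", "near_miss": False, "loss": 3_500},
    {"category": "cyber", "near_miss": True, "loss": 0},
]

def board_report(entries=RCSA, events=LOSS_EVENTS, claims_processed=80) -> dict:
    """Assemble what a board-level operational risk report needs."""
    kris = kris_from_loss_events(events, claims_processed)
    return {"top_risks": [(e.unit, e.risk, e.residual) for e in top_risks(entries)],
            "category_residual": aggregate_by_category(entries),
            "kris": kris, "appetite_breaches": check_appetite(kris)}
```

Two choices in this example are worth carrying into a real programme: aggregation takes the worst residual in each category rather than a sum, so a well-controlled unit cannot dilute a badly controlled one; and a tolerance with no supporting data is reported as a breach, because an appetite the insurer cannot measure cannot be evidenced to the board or a supervisor. On the constructed quarter, the technology downtime tolerance (4.5 hours against a limit of 4.0) and the claims error rate (2.5% against 2%) are breached, while the cyber near miss is logged for trend analysis without counting as a breach.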

Managing operational risk across frameworks and business lines needs connected systems. MetricStream brings everything together in one platform - centralised assessments, automated ORSA, and board-ready reporting aligned with Solvency II, NAIC, and IAIS.


Common ORM Challenges in Insurance and How to Address Them

Three challenges in particular arise with consistent frequency across insurers and reinsurers of different sizes and jurisdictions:

  • Siloed Risk Data Across Underwriting, Claims, and Compliance Functions

    One of the most persistent obstacles in insurance ORM is that risk data sits in separate systems operated by separate functions with different definitions, timelines, and priorities. Underwriting teams track pricing model performance in one system; claims teams manage loss data in another; the compliance function maintains a separate control inventory. When the CRO needs an integrated view of operational risk for an ORSA submission, assembling it requires manual aggregation across these silos, which introduces delay, error, and gaps.

    The practical solution is to establish a single ORM data architecture that draws on all three functions' data through defined integration points, rather than requiring each function to produce separate reports on demand.

  • Keeping Pace with Regulatory Change Across Multiple Jurisdictions 

    Insurers and reinsurers operating across the EU, US, and UK markets face the challenge of managing regulatory change simultaneously across frameworks that evolve on different timelines. The Solvency II 2025 review introduces macroprudential ORSA requirements and a new SNCU proportionality regime with a January 2027 application date. The NAIC continues to refine its AI governance guidance through the Big Data and AI Working Group. In the UK, the FCA Consumer Duty imposes outcome-based conduct obligations on firms distributing retail insurance products.

    Tracking all three simultaneously, identifying where requirements overlap and where they diverge, and updating the ORM framework accordingly is a significant operational burden without a structured regulatory change management process.

  • Building a Risk-Aware Culture Beyond the Risk Function

    Risk appetite statements and RCSA processes produce limited value if the people running underwriting, claims, and technology operations do not treat operational risk as their concern. Culture gaps often emerge when ORM is positioned as a compliance obligation managed by the risk function rather than as a business discipline integrated into operational decision-making.

    Addressing this requires consistent leadership messaging, risk training embedded in business-unit onboarding, and an incentive structure that does not reward short-term operational performance at the expense of risk control quality. Regulatory frameworks increasingly recognize this: Solvency II Pillar 2 governance requirements and IAIS ICP 16 both require evidence that risk culture operates at the board level, not only within the dedicated risk function.

How AI Is Strengthening ORM in Insurance

Three capabilities in particular are shifting the practice of insurance ORM:

  • AI-powered continuous monitoring for early risk signal detection

    Traditional ORM relies heavily on periodic assessments (quarterly RCSAs and annual ORSA cycles), which can miss emerging risks between review points. AI-powered continuous monitoring tools analyze process data, transaction flows, and external signals in real time, flagging anomalies that may indicate operational stress before they crystallize into losses. For claims operations, this means detecting fraud patterns faster. For technology risk, it means identifying system performance degradation before it causes a service disruption.

  • Automated ORSA data collection and scenario modeling

    ORSA preparation is data-intensive. Pulling together loss event data, control assessment results, capital model outputs, and forward-looking stress scenarios from across the organization is a significant manual undertaking under traditional approaches. Automation, pulling data from source systems through structured integrations and populating standardized ORSA templates, reduces preparation time and improves the consistency of year-on-year reporting. AI-assisted scenario generation, informed by historical loss data and external event databases, also supports richer stress testing.

  • Model risk governance for AI and ML tools

    As insurers deploy AI in underwriting and claims decisions, model risk governance has become a first-order ORM concern. The NAIC's Big Data and AI Working Group is piloting an AI Systems Evaluation Tool across 12 US states as of 2026, designed to assess the extent and governance of AI use by insurers during regulatory examinations. Effective model risk governance requires a model inventory, documented validation processes, ongoing performance monitoring against defined thresholds, and clear escalation procedures when a model behaves unexpectedly.
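A minimal version of the continuous-monitoring logic described in the first point above, as an added example (written for this page, not MetricStream's code): a robust rolling-baseline detector run over a constructed series of daily claims cycle times. The window length, the threshold and the series itself are assumptions; a risk function would tune the first two against its own history.

```python
"""Rolling-baseline anomaly flags for an operational KRI time series.
Added example, not MetricStream's code. The daily claims cycle-time series is
constructed; the window length and threshold are assumed values."""
from statistics import median
from typing import List, Tuple

MAD_TO_SIGMA = 1.4826  # scales the median absolute deviation to a normal sigma

def robust_z(value: float, baseline: List[float]) -> float:
    """z-score against median and MAD, so one earlier spike in the baseline
    does not inflate the scale and hide the next one."""
    centre = median(baseline)
    mad = median(abs(x - centre) for x in baseline)
    if mad == 0.0:  # flat baseline: any departure from it is an anomaly
        return 0.0 if value == centre else float("inf")
    return (value - centre) / (MAD_TO_SIGMA * mad)

def flag_anomalies(series: List[float], window: int = 7,
                   threshold: float = 3.5) -> List[Tuple[int, float, float]]:
    """Return (index, value, z) for each point whose robust z-score against the
    preceding `window` accepted points exceeds `threshold`. Flagged points are
    excluded from later baselines so a sustained degradation keeps being
    reported instead of becoming the new normal."""
    flagged: List[Tuple[int, float, float]] = []
    accepted: List[float] = []
    for i, value in enumerate(series):
        if len(accepted) >= window:
            z = robust_z(value, accepted[-window:])
            if abs(z) > threshold:
                flagged.append((i, value, z))
                continue
        accepted.append(value)
    return flagged

# Constructed: average days from first notification to settlement, one value per day.
CLAIMS_CYCLE_DAYS = [5.1, 4.9, 5.3, 5.0, 5.2, 4.8, 5.1, 5.0, 9.8, 5.2, 4.9, 10.5, 11.0, 5.1]

if __name__ == "__main__":
    for i, value, z in flag_anomalies(CLAIMS_CYCLE_DAYS):
        print(f"day {i}: cycle time {value} days, robust z = {z:.1f}")
```

On the constructed series the detector flags days 8, 11 and 12. Using the median and MAD rather than the mean and standard deviation keeps the day-8 spike from inflating the baseline used for days 11 and 12, and excluding flagged points from later baselines keeps a multi-day degradation on the report. Gradual drift will not trip this check; a trend test alongside it is the usual complement.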

Operational risk is growing more complex and is drawing closer supervisory scrutiny. Connect with MetricStream's insurance risk specialists to streamline ORSA and strengthen risk monitoring.


How MetricStream Can Help

MetricStream's Operational Risk Management solution provides insurance and reinsurance organizations with a unified platform to manage risk identification, assessment, control monitoring, loss event tracking, and regulatory reporting across the requirements of Solvency II, NAIC ORSA, and IAIS ICP 16. The platform supports RCSA workflows, risk appetite configuration, scenario analysis, and the structured documentation required for ORSA submissions, reducing the manual aggregation burden that is one of the most common friction points in insurance ORM programs.

As the model risk governance burden grows, driven by increasing AI and ML use in underwriting and claims, MetricStream's platform provides the workflow infrastructure to maintain model inventories, track validation cycles, and document performance monitoring in a format that supports both internal governance and regulatory examination. For CROs and Operational Risk Officers under examination pressure from NAIC AI governance reviews or EIOPA supervisory processes, a structured and auditable model risk record is a core operational requirement.

Explore MetricStream's Operational Risk Management Solution

Operational risk management in insurance is the discipline of identifying, assessing, monitoring, and mitigating risks arising from failed or inadequate internal processes, people, systems, and external events. It applies to all insurers and reinsurers operating across life, non-life, and specialty lines. Regulatory frameworks, including Solvency II, the NAIC ORSA Model Act, and IAIS ICP 16 set the baseline requirements for how these risks must be governed and reported.

  • Operational risk is embedded in core insurance functions like underwriting and claims, directly affecting both financial outcomes and policyholder trust.
  • Global frameworks such as Solvency II, NAIC ORSA, and IAIS ICP 16 define ORM expectations, but insurers must navigate differences across jurisdictions.
  • Key risk areas include model risk, claims process failures, conduct risk, and technology or cyber threats, all under increasing regulatory scrutiny.
  • Effective ORM relies on strong governance, clearly defined risk appetite, structured risk assessments, and continuous monitoring supported by loss data.
  • ORSA remains the central regulatory requirement, linking risk exposure to capital adequacy under both normal and stressed conditions.
  • Siloed data across underwriting, claims, and compliance functions continues to limit visibility and slow down risk reporting.
  • Managing regulatory change across EU, US, and UK frameworks adds operational complexity and requires structured tracking and adaptation.
  • Building a risk-aware culture across business units is critical to making ORM effective in practice, not just in policy.
  • AI is driving a shift toward continuous monitoring, automated ORSA processes, and stronger model risk governance.
  • Integrated platforms are essential to connect data, streamline workflows, and meet evolving regulatory and reporting demands.

Insurance is frequently compared to banking as a financial services sector, and for some purposes, that comparison holds. Both involve capital adequacy requirements, risk-based supervision, and enterprise risk management frameworks. But operational risk management in insurance carries obligations and exposures that do not map neatly onto the banking model.

The core difference is structural. Insurers hold long-dated liabilities, policy obligations that may not crystallize for decades, and their exposure to operational failure is closely entangled with underwriting, claims, and actuarial functions that have no direct banking equivalent. A process failure in claims handling erodes policyholder trust, triggers conduct risk exposure, and may directly affect the insurer's ability to meet its core contractual obligations. This dual exposure to financial loss and to policyholder harm makes operational risk a more integrated concern for insurers than for banks, where operational failures are typically more separable from core credit and market risk functions.

Regulatory frameworks reflect this distinction. The three frameworks that most directly shape operational risk management in insurance, Solvency II in the EU, the NAIC ORSA Model Act in the United States, and IAIS ICP 16 globally, each embed ORM requirements inside broader enterprise risk and solvency frameworks. Understanding how each framework defines, scopes, and tests operational risk is the starting point for any insurer or reinsurer building or reviewing its ORM program.

Operational risk in insurance refers to the risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. This definition aligns with the framing used by the International Association of Insurance Supervisors (IAIS) under ICP 16, which addresses enterprise risk management for solvency purposes and requires supervisors to ensure insurers maintain a structured approach to identifying, assessing, and managing all material risks, including operational ones.

What distinguishes operational risk from the risks more commonly associated with insurance, specifically underwriting, market, and credit risk, is that it does not arise from the business of risk transfer itself. Underwriting risk is the risk that claims exceed the premium collected. Market risk is the risk that investment portfolios decline in value. Credit risk is the risk that counterparties default. Operational risk sits alongside all three: it is the risk that the processes and people managing those other risks will malfunction, and that systems or external events will compound the damage.

The operational risk profile of an insurer spans several distinct categories. Each category carries different causal drivers, different detection methods, and different regulatory implications. The categories below represent the areas that receive the most sustained regulatory and supervisory attention:

  • Underwriting risk arises when pricing models, actuarial assumptions, or risk selection processes produce premiums that are insufficient to cover claims and expenses over the policy period. While underwriting risk is sometimes classified separately from operational risk, the process failures that cause poor underwriting outcomes, including inadequate data quality, miscalibrated models, and insufficient peer review, are operational in nature.
  • Catastrophe risk is the risk of concentrated, correlated losses from a single event or series of related events, such as a major hurricane, earthquake, or pandemic. Insurers managing catastrophe risk must maintain robust scenario modeling capabilities, stress-tested reinsurance programs, and capital buffers sufficient to absorb tail events without impairing policyholder protection.
  • Model risk is the risk of adverse consequences arising from decisions based on incorrect or misused models. It includes errors in model design, data inputs, implementation, and interpretation. As AI and machine learning tools become more prevalent across the insurance value chain, model risk has expanded significantly.
  • Claims risk refers to the risk of operational failures in the claims handling process: late settlement, fraudulent claims not detected, inaccurate reserving, or inconsistent application of policy terms. Claims process failures carry both financial and conduct risk dimensions and are a frequent focus of market conduct examinations.
  • Conduct risk is the risk that the way an insurer designs, sells, or administers products causes harm to policyholders or fails to meet regulatory expectations for fair treatment. It covers mis-selling, inadequate disclosure, poor complaint handling, and biased algorithmic decision-making. deliver good outcomes for retail customers throughout the product lifecycle.
  • Technology and cyber risk encompass the operational disruptions, data breaches, ransomware attacks, and third-party system failures that can affect an insurer's ability to service policyholders, process claims, and maintain regulatory reporting. As insurers become more dependent on cloud infrastructure and third-party technology providers, this category has grown as a supervisory priority.

The regulatory architecture for operational risk management in insurance reflects both the jurisdictional fragmentation of global insurance markets and the cross-border ambitions of major frameworks. Three frameworks, in particular, shape how most insurers structure their ORM programs:

1. Solvency II (Pillars 1, 2, and 3) is the EU's primary prudential framework for insurers and reinsurers. It operates across three pillars:

  • Pillar 1 sets quantitative capital requirements (including a capital charge for operational risk under the standard formula)
  • Pillar 2 establishes governance, internal control, and risk management requirements, including the Own Risk and Solvency Assessment (ORSA)
  • Pillar 3 covers public and regulatory disclosure.

The amending directive (EU) 2025/2 was published in the Official Journal of the European Union on 8 January 2025, with member states required to apply the new rules by 30 January 2027. The 2025 review introduces macroprudential tools, enhanced ORSA requirements incorporating systemic risk analysis, and a new proportionality regime for "small and non-complex undertakings" (SNCUs) that reduces ORM reporting burdens for qualifying firms.

2. NAIC ORSA Model Act #505 is the US framework requiring insurers and insurance groups above specified premium thresholds to conduct an Own Risk and Solvency Assessment at least annually. Under Model Act #505, the ORSA applies to any individual US insurer writing more than $500 million in annual direct written and assumed premium, and to insurance groups collectively writing more than $1 billion. The ORSA must cover the insurer's risk management framework, its assessment of risk exposures in both normal and stressed environments, and a group-level capital adequacy assessment.

3. IAIS ICP 16 addresses enterprise risk management for solvency purposes and provides the global supervisory standard against which national frameworks are benchmarked. ICP 16 requires supervisors to ensure that insurers maintain a documented ERM framework covering all material risks, including operational risks, with clear ownership, risk appetite statements, and linkage to capital planning. As of 2026, the IAIS represents supervisors from over 200 jurisdictions covering approximately 97% of global insurance premiums, reinforcing the global reach and influence of ICP-based standards

FrameworkRegionWho It Applies ToKey ORM Requirement
Solvency II (incl. 2025 Review)European UnionAll EU insurers and reinsurers; lighter regime for SNCUs from 2027ORSA covering operational risk, capital adequacy, and macroprudential stress; Pillar 1 capital charge for operational risk
NAIC ORSA Model Act #505United StatesInsurers writing >$500M premium; groups writing >$1BAnnual ORSA Summary Report covering risk management framework, risk exposures, and group capital adequacy
IAIS ICP 16Global (standard-setting)All IAIS member jurisdictions and their supervised insurersERM framework covering all material risks; documented risk appetite, ownership, and linkage to solvency assessment
FCA Consumer DutyUnited KingdomAll FCA-authorized firms distributing retail insurance productsOutcome-based conduct obligations: demonstrate good outcomes for retail customers across product lifecycle

The steps below reflect how well-run insurance ORM programs are structured:

Step 1: Establish a Governance Structure with Clear Risk Ownership

Effective ORM begins at the board level. The board must approve the organization's risk appetite statement and receive regular reporting on material operational risks. Below the board, a Chief Risk Officer or equivalent function holds primary responsibility for the ORM framework, with clear delegation to business-line risk owners who are accountable for risks within their operations. The three-lines-of-defense model, with operational management as the first line, the risk function as the second, and internal audit as the third, should be explicitly mapped and documented, with each line's responsibilities defined and tested regularly.

Step 2: Define and Maintain a Risk Appetite Framework

The risk appetite statement must express the insurer's tolerance for operational risk in terms that are specific enough to drive behavior. Broad qualitative statements ("we accept low operational risk") do not satisfy regulatory expectations and do not support decision-making. Appetite statements should set quantitative tolerances for specific risk categories, such as technology downtime, claims error rates, and data breach frequency, and should be reviewed by the board at least annually and whenever the business model changes materially.

Step 3: Build a Risk Identification and Assessment Process

Risk identification in insurance ORM typically combines top-down scenario analysis (what could go wrong at the enterprise level) with bottom-up risk and control self-assessment (RCSA) exercises at the business-unit level. The RCSA process requires each unit to identify its material operational risks, rate the inherent risk, assess the strength of existing controls, and calculate residual risk. Results are aggregated and prioritized for senior management and board review.

Step 4: Implement Monitoring Controls and Loss Data Collection

Identifying risks is only part of the obligation. Insurers must also track the performance of controls designed to mitigate those risks and collect data on operational loss events. Loss event data, including near-misses and realized losses, provides the empirical foundation for refining risk assessments over time and for benchmarking the organization's operational risk profile against industry experience. ORSA requirements in both the US and EU explicitly require that risk assessments reflect the insurer's own historical experience, not only external benchmarks.

Step 5: Produce Board and Regulatory Reporting That Drives Action

Board-level operational risk reports should present the top risks by residual severity, the status of key controls, loss event trends, and changes in the risk environment since the last reporting cycle. The ORSA Summary Report filed with regulators must document the ERM framework, the results of the risk assessment, and the insurer's view of current and projected capital adequacy given its risk profile. Under Solvency II's 2025 revisions, ORSA reporting now also requires macroprudential risk analysis for larger undertakings.
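The five steps above, carried through as one runnable example. This is added illustration code, not MetricStream's platform or any regulator's template: it rates inherent risk on a 5x5 likelihood/impact grid, derives residual risk from a control-effectiveness rating (Step 3), compares measured key risk indicators against board-approved quantitative tolerances (Step 2), summarizes realized losses and near-misses (Step 4), and assembles the board report ranking (Step 5). The scoring scales, tolerance values, business units and loss events are all constructed assumptions.

```python
"""Added example (not MetricStream code): a minimal RCSA-to-board-report pipeline.

Scales are assumptions: likelihood and impact are each rated 1..5, inherent
score = likelihood * impact (1..25), control effectiveness is 0.0 (no control)
to 1.0 (fully effective), and residual = inherent * (1 - effectiveness).
"""
from dataclasses import dataclass


@dataclass
class Risk:
    unit: str                     # business unit that owns the risk (first line)
    name: str
    category: str                 # e.g. "technology", "claims", "conduct"
    likelihood: int               # 1..5
    impact: int                   # 1..5
    control_effectiveness: float  # 0.0..1.0, rated in the RCSA

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return round(self.inherent() * (1 - self.control_effectiveness), 2)


@dataclass
class LossEvent:
    category: str
    amount: float                 # 0.0 for a near-miss
    near_miss: bool = False


# Board-approved appetite tolerances: KRI name -> maximum tolerated value (constructed).
APPETITE = {
    "technology_downtime_hours_per_quarter": 4.0,
    "claims_error_rate": 0.02,
    "data_breach_events_per_year": 0,
}


def residual_ranking(risks):
    """Step 3 aggregation: risks sorted by residual severity, highest first."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def appetite_breaches(kris, appetite=APPETITE):
    """Step 2/4: measured KRIs that exceed their tolerance."""
    return {k: v for k, v in kris.items() if k in appetite and v > appetite[k]}


def loss_summary(events):
    """Step 4: realized loss totals and near-miss counts per category."""
    out = {}
    for e in events:
        s = out.setdefault(e.category, {"count": 0, "near_misses": 0, "total": 0.0})
        s["count"] += 1
        if e.near_miss:
            s["near_misses"] += 1
        else:
            s["total"] += e.amount
    return out


def board_report(risks, kris, events, top_n=3):
    """Step 5: top residual risks, appetite breaches and loss data for the board pack."""
    ranked = residual_ranking(risks)[:top_n]
    return {
        "top_risks": [(r.unit, r.name, r.residual()) for r in ranked],
        "appetite_breaches": appetite_breaches(kris),
        "losses": loss_summary(events),
    }


# Constructed sample RCSA input
SAMPLE_RISKS = [
    Risk("Claims", "Incorrect settlement", "claims", 4, 3, 0.5),
    Risk("IT", "Core policy system outage", "technology", 3, 5, 0.8),
    Risk("Underwriting", "Pricing model miscalibration", "model", 2, 5, 0.3),
    Risk("Distribution", "Mis-selling by broker", "conduct", 3, 4, 0.6),
]
SAMPLE_KRIS = {
    "technology_downtime_hours_per_quarter": 6.5,  # above tolerance
    "claims_error_rate": 0.015,                    # within tolerance
    "data_breach_events_per_year": 0,
}
SAMPLE_EVENTS = [
    LossEvent("claims", 120_000.0),
    LossEvent("claims", 0.0, near_miss=True),
    LossEvent("technology", 45_000.0),
]

if __name__ == "__main__":
    import json
    print(json.dumps(board_report(SAMPLE_RISKS, SAMPLE_KRIS, SAMPLE_EVENTS), indent=2))
```

The point of separating `residual_ranking`, `appetite_breaches` and `loss_summary` is that each maps to a distinct regulatory expectation (prioritized risk assessment, quantitative appetite, own loss experience), so each can be evidenced on its own in an ORSA submission.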

Managing operational risk across frameworks and business lines needs connected systems. MetricStream brings everything together in one platform: centralized assessments, automated ORSA, and board-ready reporting aligned with Solvency II, NAIC, and IAIS.


Three challenges in particular arise with consistent frequency across insurers and reinsurers of different sizes and jurisdictions:

  • Siloed Risk Data Across Underwriting, Claims, and Compliance Functions

    One of the most persistent obstacles in insurance ORM is that risk data sits in separate systems operated by separate functions with different definitions, timelines, and priorities. Underwriting teams track pricing model performance in one system; claims teams manage loss data in another; the compliance function maintains a separate control inventory. When the CRO needs an integrated view of operational risk for an ORSA submission, assembling it requires manual aggregation across these silos, which introduces delay, error, and gaps.

    The practical solution is to establish a single ORM data architecture that draws on all three functions' data through defined integration points, rather than requiring each function to produce separate reports on demand.

  • Keeping Pace with Regulatory Change Across Multiple Jurisdictions

    Insurers and reinsurers operating across the EU, US, and UK markets face the challenge of managing regulatory change simultaneously across frameworks that evolve on different timelines. The Solvency II 2025 review introduces macroprudential ORSA requirements and a new SNCU proportionality regime with a January 2027 implementation date. The NAIC continues to refine its AI governance guidance through the Big Data and AI Working Group.

    Tracking all three simultaneously, identifying where requirements overlap and where they diverge, and updating the ORM framework accordingly is a significant operational burden without a structured regulatory change management process.

  • Building a Risk-Aware Culture Beyond the Risk Function

    Risk appetite statements and RCSA processes produce limited value if the people running underwriting, claims, and technology operations do not treat operational risk as their concern. Culture gaps often emerge when ORM is positioned as a compliance obligation managed by the risk function rather than as a business discipline integrated into operational decision-making.

    Addressing this requires consistent leadership messaging, risk training embedded in business-unit onboarding, and an incentive structure that does not reward short-term operational performance at the expense of risk control quality. Regulatory frameworks increasingly recognize this: Solvency II Pillar 2 governance requirements and IAIS ICP 16 both require evidence that risk culture operates at the board level, not only within the dedicated risk function.

Three capabilities in particular are shifting the practice of insurance ORM:

  • AI-powered continuous monitoring for early risk signal detection

    Traditional ORM relies heavily on periodic assessments such as quarterly RCSAs and annual ORSA cycles, which can miss emerging risks between review points. AI-powered continuous monitoring tools analyze process data, transaction flows, and external signals in real time, flagging anomalies that may indicate operational stress before they crystallize into losses. For claims operations, this means detecting fraud patterns faster. For technology risk, it means identifying system performance degradation before it causes a service disruption.

  • Automated ORSA data collection and scenario modeling

    ORSA preparation is data-intensive. Pulling together loss event data, control assessment results, capital model outputs, and forward-looking stress scenarios from across the organization is a significant manual undertaking under traditional approaches. Automation that pulls data from source systems through structured integrations and populates standardized ORSA templates reduces preparation time and improves the consistency of year-on-year reporting. AI-assisted scenario generation, informed by historical loss data and external event databases, also supports richer stress testing.

  • Model risk governance for AI and ML tools

    As insurers deploy AI in underwriting and claims decisions, model risk governance has become a first-order ORM concern. The NAIC's Big Data and AI Working Group is piloting an AI Systems Evaluation Tool across 12 US states as of 2026, designed to assess the extent and governance of AI use by insurers during regulatory examinations. Effective model risk governance requires a model inventory, documented validation processes, ongoing performance monitoring against defined thresholds, and clear escalation procedures when a model behaves unexpectedly.
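Two of the capabilities in the list above, continuous monitoring for early signals and model risk governance, as one added example. This is illustration code, not MetricStream's platform and not the NAIC's AI Systems Evaluation Tool. The first part flags an operational KPI reading that breaks from its recent baseline using a rolling z-score, the kind of signal a quarterly RCSA would only see after the fact. The second part keeps a model inventory, checks whether each model's periodic validation is overdue, monitors a performance metric against a documented threshold, and records an escalation to the model owner when either check fails. The KPI series, model identifiers, metric names, thresholds, dates and readings are all constructed.

```python
"""Added example (not MetricStream's code or the NAIC evaluation tool).

1. Continuous monitoring: rolling z-score check on an operational KPI.
2. Model risk governance: inventory, validation-cycle tracking, performance
   monitoring against a threshold, and escalation records.
All names, metrics, thresholds, dates and readings are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean, pstdev


# ---- 1. continuous monitoring of an operational KPI ------------------------

def rolling_anomalies(series, window=5, z_limit=3.0):
    """Return (index, value, z) for readings more than z_limit standard
    deviations above the mean of the preceding `window` readings."""
    flagged = []
    for i in range(window, len(series)):
        prior = series[i - window:i]
        mu, sigma = mean(prior), pstdev(prior)
        if sigma == 0:
            continue  # flat baseline: nothing to score against (design choice)
        z = (series[i] - mu) / sigma
        if z > z_limit:
            flagged.append((i, series[i], round(z, 2)))
    return flagged


# Constructed daily median claim-settlement times in hours; day 8 is a spike
SETTLEMENT_HOURS = [48, 50, 47, 49, 51, 48, 50, 49, 95, 50, 48]


# ---- 2. model inventory, validation tracking, performance escalation -------

@dataclass
class ModelRecord:
    model_id: str
    purpose: str
    owner: str                     # accountable first-line owner
    last_validated: date
    validation_interval_days: int  # documented validation cycle
    metric_name: str               # monitored performance metric
    threshold: float               # minimum acceptable value of that metric
    observations: list = field(default_factory=list)  # recent readings


def validation_overdue(m, today):
    return today > m.last_validated + timedelta(days=m.validation_interval_days)


def performance_breach(m, window=3):
    """True when the mean of the last `window` readings is below threshold.
    Averaging avoids escalating on a single noisy reading (design assumption)."""
    recent = m.observations[-window:]
    if len(recent) < window:
        return False  # too little data to judge; handled outside this check
    return sum(recent) / len(recent) < m.threshold


def review_inventory(inventory, today):
    """Escalation records for every model that fails a check."""
    escalations = []
    for m in inventory:
        reasons = []
        if validation_overdue(m, today):
            reasons.append("validation overdue")
        if performance_breach(m):
            reasons.append(f"{m.metric_name} below threshold {m.threshold}")
        if reasons:
            escalations.append({"model_id": m.model_id, "owner": m.owner,
                                "reasons": reasons})
    return escalations


# Constructed inventory: one overdue model, one overdue and underperforming, one healthy
INVENTORY = [
    ModelRecord("UW-PRICE-01", "underwriting pricing", "Head of Pricing",
                date(2025, 1, 15), 365, "gini", 0.55, [0.61, 0.60, 0.59]),
    ModelRecord("CLM-FRAUD-02", "claims fraud scoring", "Head of Claims",
                date(2024, 6, 1), 365, "precision_at_top_1pct", 0.40,
                [0.45, 0.38, 0.33]),
    ModelRecord("RES-IBNR-03", "IBNR reserving", "Chief Actuary",
                date(2025, 9, 1), 180, "reserve_adequacy_ratio", 0.95, [0.98]),
]
REVIEW_DATE = date(2026, 2, 1)  # constructed review date


def sample_review():
    return review_inventory(INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    print("KPI anomalies:", rolling_anomalies(SETTLEMENT_HOURS))
    for e in sample_review():
        print("ESCALATE", e)
```

In practice the escalation record would also carry the timestamp and the action taken, so that the validation history and the response to each threshold breach are auditable during a regulatory examination.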

Operational risk is growing more complex and more central to supervisory scrutiny. Connect with MetricStream’s insurance risk specialists to streamline ORSA and strengthen risk monitoring.


MetricStream's Operational Risk Management solution provides insurance and reinsurance organizations with a unified platform to manage risk identification, assessment, control monitoring, loss event tracking, and regulatory reporting across the requirements of Solvency II, NAIC ORSA, and IAIS ICP 16. The platform supports RCSA workflows, risk appetite configuration, scenario analysis, and the structured documentation required for ORSA submissions, reducing the manual aggregation burden that is one of the most common friction points in insurance ORM programs.

As the model risk governance burden grows, driven by increasing AI and ML use in underwriting and claims, MetricStream's platform provides the workflow infrastructure to maintain model inventories, track validation cycles, and document performance monitoring in a format that supports both internal governance and regulatory examination. For CROs and Operational Risk Officers under examination pressure from NAIC AI governance reviews or EIOPA supervisory processes, a structured and auditable model risk record is a core operational requirement.


Frequently Asked Questions

Operational risk in insurance is the risk of loss from failed or inadequate internal processes, people, systems, or external events. It is distinct from underwriting, market, and credit risk because it arises from how the business is run rather than from the nature of the risks being transferred.

Underwriting risk is the risk that premiums collected are insufficient to cover claims and expenses over the policy period. Operational risk is the risk that the processes, people, and systems managing those underwriting decisions will malfunction.

The main operational risk categories for insurers are process and people risk, technology and cyber risk, model risk, claims risk, and conduct risk. External event risk, including regulatory change and catastrophe-related operational disruption, is also material.

The Own Risk and Solvency Assessment (ORSA) is an internal evaluation of an insurer's risk management framework and its current and projected solvency position. In the US, NAIC Model Act #505 requires any insurer writing more than $500 million in annual premium, and any group writing more than $1 billion, to complete an ORSA at least annually. Under Solvency II, all EU insurers above SNCU thresholds must complete an ORSA as a core Pillar 2 obligation.

Solvency II requires EU insurers to hold regulatory capital against operational risk under the standard formula (Pillar 1), maintain a documented governance and internal control framework (Pillar 2), and complete an annual ORSA that covers the adequacy of the risk management framework and the insurer's solvency position under stress.

The IAIS addresses operational risk within its ICP 16 framework on Enterprise Risk Management for Solvency Purposes, which requires supervisors to ensure insurers maintain a comprehensive ERM framework covering all material risks, including risks from failed processes, people, systems, and external events.

Conduct risk is the risk that an insurer's products, sales practices, or claims handling cause harm to policyholders or fail to meet regulatory standards for fair treatment. It includes mis-selling, inadequate disclosure, inconsistent claims decisions, and biased algorithmic outcomes.

Insurers manage catastrophe risk through a combination of probabilistic scenario modeling, reinsurance purchasing, capital allocation, and policy accumulation controls.

Model risk in insurance is the risk of loss arising from decisions based on incorrect, miscalibrated, or misused models. It matters because pricing, reserving, capital allocation, and claims decisions across the insurance value chain depend on quantitative models. As AI and machine learning tools expand into underwriting and fraud detection, model risk has broadened to include algorithm bias, data quality failures, and explainability gaps.

The three-lines-of-defense model divides risk accountability across three layers. The first line is operational management, which owns and manages risks day-to-day within business units. The second line is the risk and compliance function, which sets the ORM framework, monitors risk exposures, and provides independent oversight. The third line is internal audit, which provides independent assurance that the first and second lines are functioning as intended.
