ORSA in practice — automating Solvency II Pillar II.

This guide is built from European insurance engagements where the ORSA had become an annual exercise driven by the calendar rather than by the risk profile. The premise: AI compresses the mechanical work — data assembly, narrative drafting, scenario tabulation — so the actuaries and CRO can focus on the parts the supervisor actually wants insurers to think about.

What ORSA is (and what it isn't)

Article 45 of Directive 2009/138/EC (Solvency II) requires every insurance and reinsurance undertaking to conduct, as part of its risk-management system, its own risk and solvency assessment. The Delegated Regulation (Article 45) and EIOPA's Guidelines on ORSA (EIOPA-BoS-14/259) define the operational expectations.

ORSA is a process, not a document. The process is required at least annually and on any material change to the risk profile. The process produces several outputs, of which one — the ORSA Supervisory Report — goes to the national competent authority (NCA). The internal ORSA documentation is broader: process records, methodology documentation, sensitivity analyses, board interactions, internal report.

What ORSA isn't: an SCR re-computation. The ORSA includes a quantitative element, but its job is to test whether the SCR (computed under standard formula or internal model) is appropriate for this insurer's risk profile — not to redo the standard-formula calculation.

The three questions

Article 45 frames ORSA around three required assessments:

1. Overall solvency needs. What capital does the insurer think it needs, given its own risk profile, business strategy, and time horizons? Not the same question as the SCR.
2. Continuous compliance. Will the insurer continuously comply with the Pillar I capital requirements (SCR, MCR) and the requirements regarding technical provisions, taking into account the planning period?
3. Significant deviation. Does the insurer's actual risk profile deviate significantly from the assumptions underlying the SCR calculation (standard formula or internal model)?

EIOPA and individual NCAs have made clear that supervisors evaluate the ORSA process and report against these three questions specifically. The report should answer them in order, with evidence and judgment for each.

Why ORSA reports are usually too long

Two patterns we see consistently in client ORSA reports:

1. Overweight on data, underweight on judgment. 80% of pages on capital tables, sensitivities, and scenario outputs; 20% on the management interpretation. Supervisors want the inverse.

2. Disconnected from strategy. The ORSA describes risks in isolation from the business plan. Supervisors expect to see risk and capital flow from strategic choices — pricing, product mix, M&A intent, reinsurance strategy.

The structural fix is to write the report top-down: management conclusions first, then the analyses that support them, then the appendices with the tables. AI helps with the bottom layer (data and tabulations); the top layer (judgment) stays human and gets more page-share.

The ORSA workflow we run

Step 1 — Define the assessment scope

For this year's ORSA, what's in scope? The risk universe should reflect material risks (market, underwriting, credit, operational, liquidity, strategic, reputational, ESG / climate) but a 200-risk inventory isn't useful. Pick the 20–30 risks that actually shape capital and strategy, with rationale for inclusions and exclusions.

Step 2 — Assemble the source data

Inputs come from many systems: actuarial models, capital models, financial statements, product systems, reinsurance contracts, risk-event databases, ALM models. Sia RegAI integrates these into a single ORSA workspace where the same source data drives the regulatory artifact (ORSA report) and the internal artifact (board pack).

Key practical note: data lineage from source to ORSA conclusion is a supervisory expectation. If the ORSA says "our credit-risk capital is appropriate given concentrations," the file has to support that claim with the underlying concentration data and the methodology.

Step 3 — Run the three core assessments

Overall solvency needs. Multiple methods used together: SCR plus capital add-on; SCR plus economic-capital approach; risk-by-risk needs aggregated with diversification assumptions; stress-and-scenario-based capital. The methods should agree directionally; if they don't, that's the discussion.

Continuous compliance. Project SCR and MCR over the business plan horizon (3–5 years) under base and adverse scenarios. Identify the periods and conditions under which compliance is at risk and what management actions would address them.

Significant deviation. Map the SCR's key assumptions (correlations, concentration limits, lapse assumptions, mortality assumptions) against the actual portfolio. Where they diverge, document the deviation and explain whether it's material.

Step 4 — Stress and scenario analysis

The ORSA is the right place for forward-looking scenarios beyond the SCR's historic-calibration approach. Climate scenarios (NGFS, IPCC), pandemic stress, geopolitical scenarios, technology / cyber shocks, regulatory changes (e.g., a new capital requirement). Each scenario should narrate the transmission to risk and capital, and trigger management actions.

Step 5 — Management actions and capital plan

The supervisor wants to see what the insurer would do if the scenarios materialised. Not a generic "we have reinsurance" answer — concrete, sized, time-bound actions. Risk appetite breaches need defined trigger points and responses. This section is the one supervisors flag most often as underdone.

Step 6 — Internal report and board interaction

The internal ORSA report goes to the AMSB (Administrative, Management, or Supervisory Body — board or equivalent). The board's role is not to rubber-stamp; the supervisor expects evidence of substantive board engagement. Minutes, challenges from board members, and management responses all matter.

Step 7 — Supervisory report

The ORSA Supervisory Report is the artifact submitted to the NCA. It's a subset of the internal ORSA documentation. Country-specific format expectations apply — French ACPR, German BaFin, Dutch DNB, Italian IVASS, Irish CBI all have their own preferences for length and emphasis. Sia RegAI ingests the country-specific guidance and adapts the supervisory report format accordingly.

Where AI compresses the cycle

Drafting

The ORSA report has predictable structure across years and across insurers. AI drafts the standard sections (executive summary, methodology, risk-profile description, capital projections, scenario analyses) from the underlying data. The CRO and chief actuary review and sharpen; the value-added section — judgment and management commentary — gets more time.

Time-saving in our engagements: a typical 200-page ORSA goes from 8 weeks of writing to 2 weeks of writing plus 2 weeks of senior-team review.

Cross-year delta

Year-on-year ORSA changes are often where insights live. AI compares this year's draft to last year's report, surfaces changes in risk profile and capital, and flags what should be discussed. Manual diffing of long reports is tedious; AI does it in seconds.

Supervisor-feedback integration

NCAs provide feedback on prior ORSAs. AI ingests prior-year supervisor feedback and surfaces it during this year's drafting — "the NCA flagged underdone management-action descriptions last year; here are this year's drafts of those sections for review."

Cross-jurisdiction reuse

Insurers operating across multiple Solvency II jurisdictions (or with parallel regimes — Bermuda BSCR, Swiss SST, US RBC) duplicate work. The same underlying data feeds multiple regulatory artifacts. AI maps once, generates each regulator's required artifact from the shared dataset.

What stays human

• The actuarial function's opinion. Article 48 requires the actuarial function to opine on the underwriting policy and reinsurance arrangements. That opinion is signed; AI doesn't.
• The CRO's narrative on risk appetite. The CRO's view on whether risk-taking aligns with the risk appetite is the substantive part of Pillar II. AI assists with the analysis; the narrative is the CRO's.
• Board challenge and conclusions. The supervisor wants evidence of board engagement, not AI-generated meeting minutes.
• Management actions. What the insurer would actually do under stress is a strategic decision. AI can model alternatives; management decides.

Where Sia RegAI helps

Sia RegAI ingests the Solvency II Directive (esp. Article 45), the Delegated Regulation (Article 45), EIOPA Guidelines on ORSA, the ORSA-relevant Solvency II RTS / ITS, and the country-specific guidance from ACPR, BaFin, DNB, IVASS, CBI, and other major NCAs. For an insurer running ORSA:

• Maps the obligation set against your existing ORSA framework and surfaces gaps.
• Drafts the ORSA Supervisory Report sections from underlying data, with citation back to source.
• Cross-maps shared obligations with IFRS 17 disclosures for unified reporting workflows.
• Tracks supervisor-feedback themes year-over-year.

Citation graph back to source paragraph at every step; defensible at on-site supervisory review.

Common pitfalls

• ORSA as an SCR re-computation. The supervisor wants the insurer's own view, not a recompute. Methods that diverge from standard formula are valuable — they show thinking.
• Underdone management-action sections. The most-cited supervisor feedback. Don't write "we would consider reinsurance"; write a sized, time-bound action plan.
• Disconnect from the business plan. ORSA without strategy is paperwork. Risk and capital should flow from strategic choices.
• Tools driving content. AI drafts; humans decide. Letting AI write the management commentary defeats the point of Pillar II.
• Single-shot delivery. Solvency II is in active revision (Solvency II Review). ORSA expectations evolve. Build the workflow on a system that updates with the source.

Closing

ORSA was the most ambitious bit of Solvency II — it asked insurers to think, not just compute. Insurers that get value from it treat the report as the artifact of a strategic conversation, not the conversation itself. AI compresses the artifact-production work so the strategic conversation gets more time. Pillar II ends up doing what Article 45 hoped for: pulling risk and capital into the same room as the business plan.

The supervisor is not the audience for ORSA. The board is. A good ORSA process gives the board what it needs to govern; the supervisory report is a by-product.