The Own Risk and Solvency Assessment, commonly referred to as ORSA, is a fundamental part of the Solvency II regulatory regime for insurance companies. It is a continuous internal process through which an insurer assesses the adequacy of its risk management and the sufficiency of its solvency position in light of its specific risk profile, strategic plans, and business environment. Unlike the standard capital requirements that apply broadly across the industry, the ORSA is tailored to each insurer’s own risks and business strategy.
Own Risk and Solvency Assessment requires insurers to take a forward-looking view of their risks and solvency needs, typically over a multi-year planning horizon. This includes not just current capital adequacy but also how future risks—such as economic downturns, emerging liabilities, or changes in business models—might impact the firm’s financial stability. Insurers must document the ORSA process and report it to their board of directors and supervisory authorities, ensuring that senior management is actively engaged in understanding and overseeing the company’s risk exposure.
The assessment is not just about regulatory compliance; it is intended to embed risk culture into the core of decision-making processes. It helps firms align their capital management, risk appetite, and strategy in a way that strengthens resilience and sustainability. Because the ORSA is meant to reflect the insurer’s unique perspective on its risks, the methods, frequency, and level of detail can vary, but it must always be proportionate to the nature, scale, and complexity of the business.
How ORSA developed over time
Pillar 2 of Solvency II was established to go beyond the quantitative capital requirements of Pillar 1 and instead focus on governance, risk management, and supervisory review processes. From the outset, the European Commission and regulators recognized that capital alone would not ensure the financial soundness of insurance undertakings. Sound internal controls, robust risk culture, and forward-looking assessments of risk exposure were seen as critical to the overall resilience of firms.
The concept of ORSA, or Own Risk and Solvency Assessment, was central to Pillar 2. It first emerged during the early 2000s as part of regulatory thinking around how to promote better internal risk management practices within insurers. The ORSA was formally introduced in the Solvency II Directive (2009/138/EC) as a requirement for undertakings to assess their own capital needs in light of their risk profile, strategy, and business planning.
During the preparatory period between 2010 and 2015, EIOPA issued a series of guidelines and consultation papers on how insurers should implement ORSA. These clarified that the ORSA should not be a compliance exercise but an internal process integrated into business decision-making. The assessment had to be forward-looking, typically covering a three-to-five-year horizon, and include both qualitative and quantitative elements. Key features included assessing the adequacy of the standard SCR or internal model against the firm’s actual risk profile, stress and scenario testing, and linking solvency assessment with business strategy.
By the time Solvency II came into force on January 1, 2016, ORSA had become a mandatory component of the risk management system. Supervisory authorities began reviewing ORSA reports as part of the Supervisory Review Process (SRP), with increasing expectations around the quality and integration of these assessments. In practice, this meant firms had to demonstrate how the ORSA informed their risk appetite, governance processes, and capital planning. Many regulators issued national guidance to clarify reporting formats, submission timelines, and the depth of analysis required.
From 2016 onward, the role of Pillar 2 and ORSA continued to mature. Supervisors placed growing emphasis on the linkage between ORSA and board-level oversight, emerging risks, operational resilience, and macroprudential concerns. EIOPA undertook several thematic reviews, including how ORSA processes captured climate risk, cyber risk, and long-term guarantees. There was also a stronger push toward aligning ORSA outcomes with actual management actions, including capital buffers and strategic responses to stress scenarios.
The COVID-19 crisis in 2020 tested the effectiveness of ORSA processes across the market. Regulators used this period to emphasize the importance of dynamic and reactive ORSA frameworks, capable of addressing sudden shocks and liquidity pressures. Lessons from the crisis led to increased expectations that ORSA processes be updated more frequently than once per year in times of stress or material change.
Following Brexit, the UK retained the Solvency II regime but initiated its Solvency UK review process. While the ORSA requirement was maintained, the UK regulators signaled a desire to streamline and make it more proportionate. Feedback during the consultation process noted that smaller firms often found ORSA overly burdensome. As part of the emerging Solvency UK reforms, the ORSA remains in place but with the potential for more targeted expectations based on firm size and complexity.
As of 2025, both Solvency II and Solvency UK continue to regard Pillar 2 and the ORSA as foundational tools for effective supervision. The focus is shifting toward integrating ESG risks, promoting better use of risk insights in business planning, and ensuring that governance structures are genuinely using ORSA findings to guide risk-based decision-making. The ORSA is no longer seen just as a regulatory deliverable but as a strategic management instrument critical to long-term solvency and resilience.