insight-ingle-left-2
insight-ingle-left-3

April 18, 2025

How MAR and ORSA Go Hand in Hand for Insurance Companies

For insurance companies, navigating the regulatory landscape can feel like charting a course through complex terrain. Two key frameworks, the Model Audit Rule (MAR) and the Own Risk and Solvency Assessment (ORSA), often appear on this same path. While both aim to ensure financial health and stability, they approach the goal from distinct angles. Understanding the similarities and differences is crucial for effective compliance and risk management.

Shared Goals: A Foundation of Financial Strength

Both MAR and ORSA share the overarching objective of safeguarding the financial health and solvency of insurance companies. They both emphasize:

  • Internal Controls: Both frameworks recognize the importance of robust internal controls in mitigating risks and ensuring accurate financial reporting. A strong control environment is the bedrock of both MAR compliance and a successful ORSA process.
  • Risk Assessment: A thorough understanding of current and emerging risks is central to both. They each require companies to identify, assess, and manage risks that could impact financial performance.
  • Protection of Policyholders: Ultimately, both regulations aim to protect policyholders by ensuring that insurance companies are financially sound and can meet their obligations.
  • Documentation: Thorough documentation is essential for demonstrating compliance with both MAR and ORSA. This includes documenting control design and operating effectiveness, risk assessments, and the ORSA framework itself.
  • Board Oversight: Both frameworks emphasize the crucial role of the board of directors in overseeing the company’s financial health and risk management processes.
  • Regulatory Compliance: Both are developed by the NAIC, adopted by regulatory authorities (state insurance departments), and require insurers to comply with specific requirements.  
  • Compliance Thresholds: Both regulations become applicable once insurers reach a certain threshold of direct and assumed written premiums.

Diverging Paths: Focus and Scope

Despite these shared goals, MAR and ORSA differ significantly in their focus and scope:

  • Focus: MAR primarily focuses on the accuracy and reliability of financial reporting. It emphasizes the importance of internal controls over financial reporting (ICFR) and requires an internal audit function, and management must issue a report assessing the effectiveness of the insurer’s internal controls over financial reporting. ORSA, on the other hand, takes a broader, enterprise-wide view of risk. It requires companies to assess all material risks, including financial, operational, strategic, and reputational risks, and how these risks interact.
  • Scope: MAR’s scope is primarily limited to ICFR. ORSA encompasses all aspects of the insurer’s business and requires a prospective analysis of the company’s solvency position under various stress scenarios. It looks beyond historical data and considers future potential impacts.
  • Nature: MAR is a regulatory requirement with specific compliance deadlines and reporting requirements. ORSA, while also required by regulation in many jurisdictions, is more of a process that companies must establish and maintain. It’s a dynamic, ongoing assessment of risk, not just a point-in-time snapshot.
  • Output: The primary output of MAR is the independent auditor’s report on ICFR. The ORSA process culminates in an ORSA report that summarizes the company’s risk assessment and solvency position. This report is often submitted to regulators but also serves as a key internal management tool.

Key Differences Summarized:

MARORSA
ScopeFocuses on the accuracy and reliability of financial reporting. It’s more of a retrospective review of controls and processes.Focuses on the insurer’s overall solvency and its ability to withstand various stress scenarios. It’s a forward-looking assessment of risks.
ApproachRequires an independent audit of the insurer’s financial statements by a CPA firm and an attestation from the CEO and CFO as to the reliability and accuracy of the financial statements. Requires insurers to conduct their own internal assessment of risks and capital needs, tailored to their specific profile.
ReportingRequires insurers to have an annual financial audit conducted by a CPA firm and management to develop a report and attest to Internal Controls over Financial Reporting (ICFR).Requires insurers to submit an ORSA Summary Report to their lead state regulator, detailing their Enterprise Risk Management (ERM) function and capital planning.
FrequencyConducted annually.Typically conducted annually or more frequently as needed.

Integrating MAR and ORSA: A Synergistic Approach

While distinct, MAR and ORSA are not mutually exclusive. In fact, they can be complementary. A strong ICFR framework, as required by MAR, provides a solid foundation for the ORSA process. The controls implemented for MAR compliance can also address some of the risks identified in the ORSA process.

By understanding the similarities and differences between MAR and ORSA, insurance companies can develop a comprehensive and integrated approach to risk management and compliance. This not only fulfills regulatory requirements but also strengthens the company’s overall financial health and resilience. A well-executed ORSA process, informed by a robust ICFR framework, provides valuable insights for strategic decision-making and helps ensure long-term sustainability.

How Johnson Lambert Can Help

Johnson Lambert has extensive experience assisting insurance companies with both MAR compliance and ORSA implementation. Our team can help you:

  • Assess your current ICFR framework and identify areas for improvement.
  • Develop and implement a robust ORSA process tailored to your specific needs.
  • Integrate MAR and ORSA for a more efficient and effective risk management program.

Contact us today to learn more about how we can help you navigate the complexities of MAR and ORSA.

Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit

Questions?

Our team has extensive experience assisting insurance companies with both MAR compliance and ORSA implementation.

Contact Us

How MAR and ORSA Go Hand in Hand for Insurance Companies

For insurance companies, navigating the regulatory landscape can feel like charting a course through complex terrain. Two key frameworks, the Model Audit Rule (MAR) and the Own Risk and Solvency Assessment (ORSA), often appear on this same path. While both aim to ensure financial health and stability, they approach the goal from distinct angles. Understanding the similarities and differences is crucial for effective compliance and risk management.

Shared Goals: A Foundation of Financial Strength

Both MAR and ORSA share the overarching objective of safeguarding the financial health and solvency of insurance companies. They both emphasize:

  • Internal Controls: Both frameworks recognize the importance of robust internal controls in mitigating risks and ensuring accurate financial reporting. A strong control environment is the bedrock of both MAR compliance and a successful ORSA process.
  • Risk Assessment: A thorough understanding of current and emerging risks is central to both. They each require companies to identify, assess, and manage risks that could impact financial performance.
  • Protection of Policyholders: Ultimately, both regulations aim to protect policyholders by ensuring that insurance companies are financially sound and can meet their obligations.
  • Documentation: Thorough documentation is essential for demonstrating compliance with both MAR and ORSA. This includes documenting control design and operating effectiveness, risk assessments, and the ORSA framework itself.
  • Board Oversight: Both frameworks emphasize the crucial role of the board of directors in overseeing the company’s financial health and risk management processes.
  • Regulatory Compliance: Both are developed by the NAIC, adopted by regulatory authorities (state insurance departments), and require insurers to comply with specific requirements.  
  • Compliance Thresholds: Both regulations become applicable once insurers reach a certain threshold of direct and assumed written premiums.

Diverging Paths: Focus and Scope

Despite these shared goals, MAR and ORSA differ significantly in their focus and scope:

  • Focus: MAR primarily focuses on the accuracy and reliability of financial reporting. It emphasizes the importance of internal controls over financial reporting (ICFR) and requires an internal audit function, and management must issue a report assessing the effectiveness of the insurer’s internal controls over financial reporting. ORSA, on the other hand, takes a broader, enterprise-wide view of risk. It requires companies to assess all material risks, including financial, operational, strategic, and reputational risks, and how these risks interact.
  • Scope: MAR’s scope is primarily limited to ICFR. ORSA encompasses all aspects of the insurer’s business and requires a prospective analysis of the company’s solvency position under various stress scenarios. It looks beyond historical data and considers future potential impacts.
  • Nature: MAR is a regulatory requirement with specific compliance deadlines and reporting requirements. ORSA, while also required by regulation in many jurisdictions, is more of a process that companies must establish and maintain. It’s a dynamic, ongoing assessment of risk, not just a point-in-time snapshot.
  • Output: The primary output of MAR is the independent auditor’s report on ICFR. The ORSA process culminates in an ORSA report that summarizes the company’s risk assessment and solvency position. This report is often submitted to regulators but also serves as a key internal management tool.

Key Differences Summarized:

MARORSA
ScopeFocuses on the accuracy and reliability of financial reporting. It’s more of a retrospective review of controls and processes.Focuses on the insurer’s overall solvency and its ability to withstand various stress scenarios. It’s a forward-looking assessment of risks.
ApproachRequires an independent audit of the insurer’s financial statements by a CPA firm and an attestation from the CEO and CFO as to the reliability and accuracy of the financial statements. Requires insurers to conduct their own internal assessment of risks and capital needs, tailored to their specific profile.
ReportingRequires insurers to have an annual financial audit conducted by a CPA firm and management to develop a report and attest to Internal Controls over Financial Reporting (ICFR).Requires insurers to submit an ORSA Summary Report to their lead state regulator, detailing their Enterprise Risk Management (ERM) function and capital planning.
FrequencyConducted annually.Typically conducted annually or more frequently as needed.

Integrating MAR and ORSA: A Synergistic Approach

While distinct, MAR and ORSA are not mutually exclusive. In fact, they can be complementary. A strong ICFR framework, as required by MAR, provides a solid foundation for the ORSA process. The controls implemented for MAR compliance can also address some of the risks identified in the ORSA process.

By understanding the similarities and differences between MAR and ORSA, insurance companies can develop a comprehensive and integrated approach to risk management and compliance. This not only fulfills regulatory requirements but also strengthens the company’s overall financial health and resilience. A well-executed ORSA process, informed by a robust ICFR framework, provides valuable insights for strategic decision-making and helps ensure long-term sustainability.

How Johnson Lambert Can Help

Johnson Lambert has extensive experience assisting insurance companies with both MAR compliance and ORSA implementation. Our team can help you:

  • Assess your current ICFR framework and identify areas for improvement.
  • Develop and implement a robust ORSA process tailored to your specific needs.
  • Integrate MAR and ORSA for a more efficient and effective risk management program.

Contact us today to learn more about how we can help you navigate the complexities of MAR and ORSA.

Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit