Prudential Regulation Authority Rulebook

6.1

The PRA expects the ORSA to include an assessment of the risks it faces or may face in the future. Key risks would not be limited to quantifiable risks and would include non-quantifiable risks such as reputational, strategic, and group risks.

6.2

The PRA expects firms to identify the key risks to their strategy and show how these drive current and future risk profiles, as against firms’ stated risk appetite and tolerances. For example, within insurance risk, the PRA expects firms to consider how capital is distributed through the different classes and how it is likely to look in the future. Where necessary, the ORSA would highlight proposed management actions upon a perceived risk that may fall outside its appetite.

6.3

Following the identification of key and emerging risks, the PRA expects the assessment to include the identification of key controls and risk owners and to demonstrate that management actions to mitigate those risks are discussed and agreed. Where a firm decides to accept a material risk, the PRA expects the report to explain why it was considered appropriate.

6.4

For groups, the PRA expects firms to consider group-specific risks (such as leverage, dividend sustainability, access to funding, and liquidity) as well as group-wide risks (those risks associated with businesses owned by the group) including the risks from non-regulated, non-financial and non-EEA entities.