Prudential Regulation Authority Rulebook

3.1

The ORSA policy is a standalone document and not, for example, part of the ORSA report. The PRA expects a separate ORSA policy^[5] to be sufficiently detailed, rather than generic. The ORSA policy is expected to include the process and procedures required by the ORSA framework. Examples of good practice include:

• a clear scope which states whether the ORSA is for a group, solo entity or both;
• a clear list of all entities captured by the ORSA (as well as a list of entities which have been excluded);
• a description of how the ORSA incorporates the strategic and business planning processes;
• a description showing how the ORSA incorporates the risk profile, approved risk tolerance limits and overall solvency needs;
• the timing and frequency of the ORSA framework (including, for example, its detailed elements such as stress tests, sensitivity analyses and reverse stress tests) and the ORSA report, including the triggers for an ad hoc ORSA;
• information on data quality standards;
• the structure of the ORSA report, including details of the key ORSA records;
• a description of the roles and responsibilities of all those involved with the ORSA, including those of the board;
• details of how the board owns the ORSA framework and process; and
• a requirement for the board to approve the ORSA policy at least annually.