RISK MANAGEMENT
(May 2022)
If the future could be predicted with 100% accuracy,
individuals and organizations could plan to completely avoid or flawlessly address
their exposures to loss. In reality, unknown events can upset even the best
predictions of performance and prevent individuals and organizations from
accomplishing tasks, meeting goals, or attaining expected results. The threat
of loss requires consideration of ways to deal with it and the consequences of
loss if it occurs.
Risk management is the method and discipline used to
address this uncertainty. In the last half of the twentieth century, risk
management developed from a group of vague, unorganized concepts, relying
heavily on common sense, to a highly developed and organized discipline that
enables organizations to anticipate losses and suggest actions to take to
prevent or reduce those losses.
What Is “Risk”?
Risk is the uncertainty,
possibility, or chance of loss. A chance occurrence that results in monetary
losses makes the profit predictions of an organization unreliable. Taken a step
further, such chance occurrences may expose the organization to a loss or
series of losses of a magnitude that could compromise its financial stability
and ability to survive.
Risk Management Defined
Risk management is the
active identification, evaluation and management of all potential hazards and
exposures to loss that a risk may experience. It incorporates insurance in the
process but also provides organized alternatives if insurance is not available,
inappropriate, or too expensive.
Risk management is a
continuous process of identifying loss exposures, measuring them against the
firm’s ability to tolerate them and then handling them with the appropriate
control, transfer, or financing techniques. Constant monitoring of exposures
and attention to them affects risk management decisions. Exposures identified
but not already addressed by a strategy must be reevaluated and decisions made
about the best methods for handling them.
In a current, broader concept
of Enterprise Risk Management, the goal includes using concepts that will allow
a business to identify and assess additional business opportunities with the
evaluation including how well that opportunity fits with the entity’s risk
appetite.
Types of Risk
Risk is either
speculative or pure. Speculative risk has two possible outcomes: the chance of
gain or the chance of loss. When a business commences operations, it will
experience only two possible outcomes over a period of time. It may be
successful and make money or it may lose money because income does not cover
expenses. Organizations deal with this type of risk by choice, actually seeking
or exposing themselves to certain risks with the hope of taking advantage of
opportunities. Speculative risk includes consideration of opportunity costs and
what might be lost by not taking a chance on a potentially profitable venture.
Risk managers involved with this type of risk must be able to evaluate
business, credit and commodity risks, hedging exposures and investment risks.
The other type, pure
risk, also offers two possible outcomes: loss or no loss. Examples of this type
of risk include loss to property by fire, wind, or theft; third party liability
claims for damages; or the interruption or reduction of income from loss of
power, strikes or fire. With pure risk, the most favorable outcome is to have
no loss. The only other possibility is that a loss will occur. This is why
exposures need to be identified and analyzed to determine the effect they may have
on continuing business operations. Whether identification and analysis take
place, the only two outcomes with pure risk situations are loss or no loss.
Risk managers involved with this type of risk must be knowledgeable and
experienced with insurance, various risk transfer clauses in operating
contracts, loss control and safety and accident prevention.
Pure risk exposures
involve a number of broad and diverse classes of risk. They include:
·
Economic
·
Legal
·
Political
·
Social
·
Physical
·
Juridical
Any or all of these can
present significant exposures to any organization. Pure and speculative risks
do not exist independent of one another. Both types exist and interact with one
another in varying degrees in most organizations. The focus of this article is
confined to pure risk exposures.
The Risk Management Process
The risk management
process consists of activities organized into five sequential steps or phases:
1. Risk
Identification
2. Risk
Analysis
3. Risk
Control
4. Risk
Financing and
5. Risk
Administration
1. Risk Identification
The first risk management
step is identifying the existing exposures to loss as well as exposures that
may exist in the future. This is accomplished by gathering information by any
number of methods, including survey forms, questionnaires, physical
inspections, product and procedure flow charts and contracts, financial records
and loss history reviews. These approaches attempt to discover the exposures to
loss faced by an organization. This phase is the foundation of risk management
since a risk not properly identified or addressed by the organization or an
individual is retained.
2. Risk Analysis
Once the exposures are
identified, they must be organized and quantified. This is accomplished in this
phase. Organizing risk, also known as the qualitative portion of the analysis
phase, requires reviewing and categorizing exposures into those sharing common
elements. One method is to place exposures into similar classes representing
potential losses, such as:
·
Property exposures
·
Liability exposures
·
Net income exposures
·
Human resource exposures
This phase also includes
quantifying the loss potential from the identified exposures. This is
accomplished by estimating the dollar amount of future losses that may occur.
One method of projecting future
losses is to review past loss experience, then use statistical probability and
trend analysis to extrapolate that past experience into estimated future
losses. Quantification also assists the risk manager in prioritizing the order
or sequence in handling possible loss exposures.
|
Example: The new Risk Manager for
Southwest Machine Manufacturers Unlimited has no idea about which loss
exposures need greater attention. She pores over the last ten years of the
company’s loss experiences and discovers the following: |
|
||
|
Situation A |
Situation B |
Situation C |
|
|
Property losses
occurred twice a year and each incident averaged $15,000 |
Fleet auto losses
occurred more than a dozen times a year and each incident averaged $6,000 |
Commercial General
Liability losses occurred about once every four years and averaged $45,000 |
|
|
Based on this
information, she decides to tackle the company’s auto losses. Although the
average loss per incident was far lower than the property and liability
losses, their annual frequency was much higher, resulting in the highest
amount of total annual loss. A total cost, $30,000. B total annual cost,
$48,000. C annual total cost, $11,250. |
|||
3. Risk Control
This is the action phase.
It includes any action taken, at the most optimal cost, to minimize or reduce losses
that may occur. The principal types of risk control methods most commonly used
in this phase are:
a. Avoidance
- Prevention
- Reduction
- Segregation
- Contractual
Transfer
Let's look at exactly
what is meant by each of these terms.
a. Avoidance
Avoidance is a decision to not engage in a particular
activity that creates an exposure to loss. It can also mean the elimination of
an activity that creates an exposure to loss.
|
|
Example: Jana, Acme Filters Inc.’s CFO, studies an offer to buy a
small filter company that has developed a new process meant to strengthen
filter fibers. Jana decides to decline the opportunity after research
discovers that the method would increase manufacturing costs by nearly 30%.
Further, the firm’s insurance records show that the process used has resulted
in worker injuries from chemical burns. Therefore, she avoids the exposure of
increased costs, a per unit, lower margin of profit and the higher worker
injury hazard. |
When a
risk is avoided, loss probability is zero. Be aware that this method is not
practical in all cases, since it could involve avoiding activities that might
be positive and result in profits. In the example above, Jana’s decision to not
invest in the stock also eliminates the chance to benefit from that stock’s possible
market gains.
Related
Article: The Cost of Doing Nothing
b. Prevention
Prevention
is any measure that reduces the probability or frequency of a particular loss
occurring but which does not completely eliminate all possibility of that loss
occurring. Prevention attempts to reduce the likelihood of an occurrence.
|
Example: The safety supervisor for Nifty Manufacturing adds
machine guards to their equipment in order to prevent access to moving parts
which could injure its machine operators. |
c. Reduction
Reduction
efforts attempt to reduce the severity of the losses that do occur. Wearing a
motorcycle helmet when riding does not stop the accident from happening, but it
should reduce injury to the rider if an accident does occur. This approach recognizes
that, since certain losses are inevitable and cannot be avoided or prevented,
they should be acknowledged and steps taken to minimize their impact.
d. Segregation
Segregation
consists of two techniques. The first is separation of loss exposure units and
it is used in conjunction with the second technique, which is the duplication
of loss exposure units. With separation, assets are divided into two or more
separate units. If they are then further separated geographically, the
likelihood of all assets being lost in a single event is greatly diminished.
Duplication, on the other hand, involves the reproduction of an asset to be a
standby kept in reserve. A common example of risk control by segregation is in
the use of computer backups. The backup disk becomes the duplication function
and storing the backup disk in a separate location is an example of the
separation function.
e. Contractual Transfer
Contractual
transfer is the shifting of a loss exposure in conjunction with an asset or
activity, using a written contract or agreement, from one party to another. In
contractual transfers for risk control, there is no indemnity or compensation
between the parties. The obligations for loss exposures resulting from the
performance of certain activities that one party deems hazardous are
transferred. An example of risk control by contractual transfer is the
outsourcing of a “risky” activity to an independent contractor.
|
Example: An automobile dealership service center accepts vehicles
requiring all types of repairs but arranges for independent contractors to
perform the painting and welding repairs. |
The risk control phase is
important but it only rarely eliminates risk unless avoidance is practiced. The
undesirable event may still occur and if it does, the organization will need
funds to pay for the damage caused by the loss. These funds are obtained
through the function of risk financing.
4. Risk Financing
Risk financing involves
acquiring funds at the lowest cost from which losses will be paid.
There are only two
answers to the question of who pays for damages caused by losses. In one case,
the organization experiencing the loss pays for the damages (risk retention).
In the other case, another person or a different organization pays for the
damages (risk transfer). There is a distinction between risk transfers made for
risk control and risk transfers made for risk financing. Risk control transfers
shift or transfer the acts or obligations to perform to another party. Risk
financing transfers shift the obligation to pay. It is possible to transfer the
obligation to perform a given act or process without transferring the
obligation to pay for losses as a result of the obligation to perform. The
reverse is also true and allows transfer of the obligation to pay without
transfer of the obligation to act. It is normal to transfer both the obligation
to act and the responsibility to pay losses arising from the transferred
obligation but it is not necessarily done that way in every case.
|
|
Example: A general contractor hires a sub-contractor to install
the heating and cooling equipment at a work site and the general contractor
is listed as an additional insured on the sub-contractor’s insurance policy. |
Financial risk transfer
is accomplished in one of two ways. One is to transfer it to a professional
risk bearer (an insurance company) by purchasing an insurance policy. The other
is to transfer it to someone other than an insurance company. The financial
transfer of risk to an insurance company is well known and understood and was
briefly discussed in the first part of this article. The financial transfer of
risk to a non-insurance entity is not necessarily as well known but is still
fairly common. Hold harmless agreements, indemnification clauses and liquidated
damages clauses are examples of frequently used risk financing transfer
clauses. They are found in a number of different written operating contracts,
such as lease agreements, customer sales agreements and agreements with
independent contractors. Other examples of financial risk transfers include the
obligation of a tenant to pay for plate glass damage or for the
repair/replacement of mechanical equipment damage to the landlord’s building.
Persuading another entity
to pay for losses may be desirable but the cost of actually doing so may be
prohibitive or impractical. As mentioned above, any risk not transferred is
retained. In many cases, it may be more cost-effective to retain certain risks
and the resulting damages and pay them like operating expenses. Losses that
occur frequently and predictably but which have fairly low dollar amounts
attached to them can usually be budgeted and efficiently financed internally
through risk retention. Other methods of risk retention and financing include
pre-loss funded and unfunded reserve accumulations and post-loss borrowing of
funds.
Defining and coordinating
financial risk transfer methods with financial risk retention methods is one of
the most challenging tasks confronting the risk manager. The ability to
anticipate losses, making arrangements to prevent, reduce or control their
impact and adequately arranging for funds availability to pay for them is the
reason the position exists and is one of the measures of the worth of the risk
manager to the organization.
Risk control and risk
financing activities interact with each other. An effective risk management
program must use at least one risk control technique and one risk financing
technique for each identified exposure.
5. Risk Administration
Risk administration is the
implementation and monitoring of risk management policies and procedures. Risk
administration covers a broad range of activities frequently assigned to the
risk management department. Some examples are:
·
Corporate planning
·
Policy development
·
Safety programs
·
Contingency and catastrophe planning
·
Crisis management
Other regular or frequent
administration activities include claims administration, allocation of the
costs of risk, litigation management, insurance acquisition, loss monitoring
and incident (near-miss) investigations.
How Does the Risk Manager Help?
The risk manager's job is
to identify and analyze risks and to make recommendations to management
concerning how to control and finance them. To do this effectively and
efficiently, the risk manager must be aware of all the activities, assets,
locations, products and processes of the organization. Risk managers must also
have knowledge of business law, statistics, economics, safety and loss control,
business finance and insurance. Most of all, the risk manager must be
innovative in applying this knowledge in the performance of his duties. The
risk manager is responsible for anticipating losses, adequately preparing the
organization for them and minimizing the costs of doing so.
Related Court Case: Loss Prevention Representative
Did Not Have Duty To Make Specific Inspection
The Role of Insurance in Risk Management
Insurance
is a component of risk management, not a substitute for it. In exchange for the
payment of a known loss (the premium), insurance transfers the financial
consequences of covered loss exposures from the insured to the insurance
company. This transfer of loss exposures by purchasing insurance to cover them
is the most common and frequently used method of handling risk. However, some
exposures are simply too trivial to justify the purchase of insurance and
others are so monumental, uncertain or uninsurable that no insurance carrier
will accept them. In addition, worldwide exposures, certain unique types of
risks and exposures created by government-enacted legislation are normally
avoided by most insurance companies. To summarize, insurance is simply not
available for many of the risks and exposures that organizations face. If
insurance for a given risk or exposure is not available, that risk or exposure
becomes retained by the insured and must be financed with funds from within the
organization if it causes a loss.
Insurance availability is
not the only reason to seek alternatives to handling risk. Organizations
monitor use of corporate funds closely because of the ever-present need to
maximize profits. If organizations do not use the most effective and efficient
methods of financing identified risk or loss exposures, they jeopardize their
competitive position in their marketplace and possibly their future survival.
Conclusion
Insurance may be the first or last way to handle risk but
it is not necessarily the only way or the best way. Risk management is a
comprehensive approach to handling risk by identifying, analyzing, controlling
and financing risk, and finding and implementing the most efficient methods for
doing so. The risk management function plans pre-loss activities, prepares the
organization for losses, and executes post-loss activities. When risk
management activities are done effectively and efficiently, they offer a
thorough and efficient approach for addressing the expenses and effects of
losses that face an organization.