The first step in the risk management process is to determine the objectives of the risk management program, deciding precisely what it is that the organisation expects its risk management program to achieve. This step is often overlooked, with the result that the risk management program is less effective than it could be. In the absence of coherent objectives, there is a tendency to view the risk management process as a series of individual isolated problems, rather than as one single problem, and there are no guidelines to provide for a logical consistency in dealing with the risks that the organisation faces. Risk management objectives serve as a prime source of guidelines for those charged with responsibility for the program, and also serve as a means of evaluating performance.
The primary objectives of the risk management effort is to preserve the operating effectiveness of the organisation, to make sure that it is not prevented from attaining its other goals by pure risk or the losses arising from those risks. This implies avoidance of financially catastrophic losses that could result in bankrupts or that could prevent the organisation from performing its function, whatever that function may be. A second objective - equally important in the view of some - is the humanitarian goal of protecting employees from accidents that might result in death or serious injury. Other goals may focus on cost, the efficient use of resources, social responsibility, and preservation of good public relations. One authority classifies risk management objectives as "pre-loss" and "post-loss", and suggests the following objectives in each category.
Pre-loss objectives |
Post-loss objectives |
Economy |
Survival |
Reduction in anxiety |
Continuity of operations |
Meeting externally imposed obligations |
Earning stability |
Social responsibility |
Continued growth |
|
Social responsibility |
Obviously, the specific objectives of the risk management function may vary from organisation to organisation. Often, there will be a number of goals, and it is conceivable that some goals may be in conflict with others. In resolving these conflicts, the guiding principle must be recognition that survival is a prerequisite for everything else.
Often, the risk management objectives of an organisation are formalised in a corporate risk management policy, which states the aims and describes policy measures for their attainment. Ideally, the objectives and the risk management policy should be determined by the board of directors of the company, since they are ultimately responsible for the preservation of the organisation's assets. In formulating the objectives and the risk management policy, the board of directors should receive advice from the risk manager acting as a staff advisor.
Obviously, before anything can be done about the risks an organisation faces, someone must be aware of them. In one way or another, the risk manager must dig into the operations of the organisation and discover the risks to which it is exposed. It is difficult to generalise about the risks that a given organisation is likely to face, because differences in operations and conditions give rise to different risks. Some risks are relatively obvious, while there are many that can be, and often are, overlooked. To reduce the possibility of overlooking important risks, most risk managers use some systematic approach to the problem of risk identification. A few of their more important tools include insurance policy checklists, risk analysis questionnaires, flowcharts, analysis of financial statements, and inspections of the firm's operations.
The first requirement in risk identification is to gain as through a knowledge as possible of the organisation and its operations. The risk manager needs a general knowledge of the goals and functions of the organisation, the practises of the particular industry, and the specific activities of the organisation itself. The history of the organisation and the scope of its current operations are captured in a variety of records, and these records represent a basic source of information required fro risk analysis and exposure identification. A variety of tools are available to assist in extracting information pertinent to the identification process.
The key tool in the risk identification process is a risk analysis questionnaire, also sometimes called a "fact finder". Risk analysis questionnaires are designed to lead the risk manger to the discovery of risks through a series of detailed and penetrating questions about the organisation. In some instances, these questionnaires are designed to include both insurable and uninsurable risks. Unfortunately, because these questionnaires are usually designed to be used by a wide range of businesses, they do not always include unusual exposures or identify loss areas that may be unique to a given firm.
A second important aid in risk identification and simply a listing of common exposures is called an exposure checklist. Obviously, a checklist cannot include all possible exposures to which an organisation may be subject; the nature and operations of different organisations vary too widely for that. However, it can be used effectively in conjunction with other risk identification tools to reduce the chance of overlooking a serious exposure.
Insurance policy checklists are available from insurance companies and from publishers specialising in insurance-related publications. Typically, such lists include a catalogue of the various policies or types of insurance that a given business might need. The risk manager simply consults such a list, picking out those policies applicable to the firm. A principal defect of this approach is that it concentrates on insurable risks only, ignoring the uninsurable pure risks.
In certain instances, analysis of a flowchart of the firm's operations may alert the risk manager to singular aspects of the firm's operations that give rise to special risks. Probably the most positive benefit of using flow charts is that they force the risk manager to become familiar with the technical aspects of the firm's operations, thereby increasing the likelihood of recognising special exposures.
Analysis of the firm's financial statements can also aid in the process of risk identification. The asset listing is the balance sheet may alert the risk manager to the existence of assets that might otherwise be overlooked. The income and expense classification in the income statement may likewise indicate areas of operation of which the risk manager was aware.
In addition to financial statements, there are a variety of other internal records and documents that are useful in the risk identification process. These include corporate bylaws, annual reports, and minutes of board of director meetings, organisation charts, and policy manuals, records of past losses, and contracts such as leases and rental agreements, purchase orders, and construction contracts.
Just as one picture is worth a thousand words, one inspection tour may be worth a thousand checklists. An examination of the firm's various operations sites and discussions with managers and workers will often uncover risks that might otherwise have gone undetected.
Some information is not recoded in documents or records, and exists only in the minds of executives and employees. Interviews with various parties within an organisation are sometimes required to dig this information out and add it to the general information that is used to identify exposures. The number and scope of such interviews will depend on the situation. Depending on the circumstances, these can include the CEO, operations manager, CFO, legal counsel, plant engineer, purchasing agent, personnel manager, plant nurse, safety manager, employees and supervisors. External parties such as the organisation's attorney and CPA may also be able to provide useful information.
The preferred approach to risk identification is a combination approach, in which all the tools listed are brought to bear on the problem. In a sense, each of these tools can provide a part to the puzzle, and together they can be of considerable assistance to the risk manager. But no individual method or combination of methods can replace the diligence and imagination of the risk manager in discovering the risks to which the firm exposed. Because risks may lurk in many sources, the risk manager needs a wide-reaching information system, designed to provide a continual flow of information about changes in operations, the acquisition of new assets, and changing relationship with outside entities.
Once the risks have been identified, the risk manager must evaluate them. This means measuring the potential size of the loss and the probability that it is likely to occur. The evaluation requires some ranking of priorities. Certain risks, because of the severity of the possible loss they would entail, will demand attention prior to others, and in most instances there will be a number of exposures that are equally demanding. Any exposure with the potential for a loss that would represent a financial catastrophe ranks in the same category as any other exposure equally dangerous, and there is no distinction among risks in this class. It makes little difference if bankruptcy results from a liability loss, a flood, or an uninsured fire loss. The net effect is the same. Therefore, rather than ranking exposures in some order of importance such as "1, 2, 3", it is more appropriate to group them into general classifications such as critical, important and unimportant. One set of criteria that may be used in establishing such a priority ranking focuses on the financial impact that the loss would have on the firm. For example,
- Critical risks include all exposures in which the possible losses are of magnitude that would result in bankruptcy.
- Important risks include those exposures in which the possible losses would not lead to bankruptcy, but would require the firm to borrow in order to continue operations.
- Unimportant risks include those exposures in which the possible losses could be met out of the existing assets or current income of the firm without imposing undue financial strain.
To assign individual exposures to one of these three categories, one must determine the amount of financial loss that might result from a given exposure and also the ability of the firm to absorb such losses. Determining the ability to withstand the losses calls for measuring the level of uninsured loss that could be borne without resorting to credit and deciding on the firm's maximum credit capacity.
Once the risks have been identified and evaluated, the next step is consideration of the approaches that may be used to deal with risks and the selection of technique that should be used for each one.
Risk management recognises two broad approaches to dealing with risks facing an individual or organisation: risk control and risk financing. Risk control focuses on minimising the risk of loss to which the entity is exposed, and includes the techniques of avoidance and reduction. Risk financing concentrates on arranging the availability of funds to meet losses arising from those risks that remain after application of the risk control techniques, and includes the tools of retention and transfer. Although risk control and risk financing are alternative approaches to dealing with risk, they are not mutually exclusive. Risk control and risk financing are alternatives, but they are also complementary approaches to dealing with risk. More often than not, they are used in combination. In fact, it is the process of combining the application of risk control and risk financing techniques that represent the art and science of risk management.
Before turning to the considerations in selecting from among the techniques used to deal with risks, let us briefly review the four basic techniques subsumed under the broad approaches of risk control and risk financing:
- avoidance,
- reduction,
- retention, and
- transfer
Avoidance
Risk is avoided when the individual or organisation refuses to accept a risk even temporarily. The most common approach to risk avoidance, both by individuals and by organisations, is by not engaging in a hazardous activity. You can avoid the risk of being killed when your bungee cord snaps by finding another recreational activity. A manufacturer can avoid the risk of liability associated with hazardous products by picking another product line. The prerequisite to risk avoidance is recognising the hazards in an activity so the activity can be avoided.
Reduction
Risk reduction includes all measures other than avoidance designed to reduce the frequency, severity, or unpredictability of losses.
One of the pivotal events in the development of risk management was the recognition by some insurance buyers that actions aimed at minimising risk, if effective, could be more cost effective than obtaining insurance to indemnify the organisation against losses. This led to an increased focus on techniques that reduce the likelihood or potential severity of those losses that occur. It is common to distinguish those efforts aimed at preventing the occurrence of loss from those aimed at minimising the severity of losses that do occur, referring to them respectively as loss prevention and loss control. Prohibitions against smoking in areas where flammables are present is a loss prevention measure. A sprinkler system is a loss control measure. Other methods of controlling severity include segregation or dispersion of assets and salvage efforts. Dispersion of assets will not reduce the number of fires or explosions that may occur, but it can limit the potential severity of the losses that do occur. Salvage operations after a loss has occurred can minimise the resulting costs of the loss.
Another distinction is sometimes made between the "engineering approach" to loss prevention and control, in which the principal emphasis is on the removal of hazards that may cause accidents, and the "human behaviour approach", in which the elimination of unsafe acts is stressed. This distinction is based on the focus of control measure and represents two schools of thought regarding the emphasis is loss prevention and control. The human behaviour approach is based on the view that since most accidents result from human failure, the most effective approach to loss prevention is to change people's behaviour. The engineering approach, in contrast, emphasises systems analysis and mechanical design, aimed at protecting people from careless acts that are viewed as perhaps inevitable. National Safety Council ads on television and in-print media urging drivers not to drink typify the human behaviour approach. Air bags in automobiles, which are activated without human intervention, typify the engineering approach.
A final way of classifying risk reduction measures is by the timing of their application, which may be prior to the loss event, at the time of the event, or after the loss event. Safety inspections and drivers' training classes illustrate measures that are designed to prevent the occurrence before losses occur. Seat belts and air bags are designed to minimise the amount of damage at the time an accident occurs. Post-event loss prevention measures related to auto accidents include negotiating with injured persons for an out-of-court settlement or a stern defence in litigation.
Retention
When an organisation does not take positive action to avoid, reduce, or transfer a risk, that risk is retained. This retention may be conscious or unconscious, and it may be voluntary or involuntary. In addition to the distinctions between conscious and unconscious retention and voluntary and involuntary retention, another distinction may be drawn between funded retention and unfunded semi-liquid form against the possible losses that are retained. The need for segregated assets to fund the retention program will depend on the firm's cash flow and the size of the losses that may result from the retained exposure.
Transfer
Transfer may be accomplished through contractual arrangements such as hold-harmless agreements, through survey bonds, by subcontracting, or through insurance. The most formal transfer technique, and by far the most common, is the purchase of commercial insurance. Although there is sometimes a misconception to the contrary, commercial insurance plays a central role in risk management process. Some people seem to believe that the purpose of risk management is to minimise the role of insurance in dealing with risk. It is not. The central idea of risk management is on dealing with risks by whatever means is most appropriate, and in many instances, commercial insurance will be the only acceptable approach.
The choice
This phase of the risk management process is primarily a problem in decision making; more precisely, it is deciding which of the techniques available should be used in dealing with each risk. The extent to which the risk management personnel must make these decisions on their own varies from organisation to organisation. Sometimes the organisation's risk management policy establishes the criteria to be applied in the choice of techniques, outlining the rules within which the risk manager may operate. If the risk management policy is rigid and detailed, there is less attitude in decision making done by the risk manager. He or she becomes an administrator of the program rather than a policy maker. In other instances, where there is no formal policy or where the policy has been loosely drawn to permit the risk manager a wide range of discretion, the position carriers much greater responsibility.
In deciding which of the techniques available should be used to deal with a given risk, the risk manager considers the size of the potential loss, its probability, and the resources that would be available to meet the loss if it should occur. The benefits and costs in each approach are evaluated, and then, on the basis of the best information available and under the guidance of the corporate risk management policy, the decision is made. Some of the important considerations in the selection of the most appropriate technique are discussed later.
The decision is made to retain a risk. This may be accomplished with or without a reserve and with or without a fund. If the plan is to include the accumulation of a fund, proper administrative procedures must be set up to implement the decision. If loss prevention is selected to deal with a particular risk, the proper loss-prevention program must be designed and implemented. The decision to transfer the risk through insurance must be followed by the selection of an insurer, negotiations, and placement of the insurance.
Evaluation and review are essential to the program for two reasons. First, the risk management process does not take place in a vacuum. Things change; new risks arise and old ones disappear. The techniques that were appropriate last year many not be the most advisable this year, and constant attention is required. Second, mistakes sometimes occur. Evaluation and review of the risk management program permits the manager to review decisions and discover mistakes, it is hoped, before they become costly.
Although the evaluation and review of the risk management operation should be continuing functions of the risk manager, some firms also hire independent consultants periodically to review their program. The risk management consultants, such as Australian Risk Services, are an independent adviser who offers this service. Such experts may be hired to evaluate the entire risk management program, or particular segments of it. they are employed not only by business firms that are unable or unwilling to create the position of risk manager within the organisation, but also by many companies that have a risk manager and still consider an outside review to be desirable.
|
|
