Risk Management

Risk management evolved as an idea that the cost of losses can be substantially reduced by designing the business and training its employees to minimize losses, rather than just buying insurance to cover losses. In other words, the management of risk can be scientific, not so much through controlled experiments as is done in traditional science, but by studying losses to understand why the loss occurred and how it can be prevented or mitigated. Information gained from studying losses could thus be compiled and promulgated to others with similar risks. Moreover, such information is increasingly used in expert systems, computer systems that not only store extensive knowledge, but also apply that knowledge through the use of algorithms based onanalytical principles developed by experts.

Risk management is used by small employers, corporations, nonprofit organizations, and federal, state, and local governments. Even people can benefit from a personal risk management program. Risk management is an important subdivision of most businesses, since the viability of any business will depend on how well it controls and finances risk.

The cost of risk includes premiums, retained losses, financial guarantees, internal administrative costs, outside risk management services, and taxes, fees, and other related expenses. Since the term risk has several meanings, risk managers often use the term loss exposure to remove any ambiguity as to what is meant. A loss exposure is any situation where a loss is possible, whether loss occurs are not.

History of Risk Management

Although businesses always had to manage risk, risk management was not recognized as a separate function of business until the beginning of the 20th-century. Then, major corporations, such as railroads and steel companies, started hiring an insurance manager, who purchased all of the insurance for a specific company. However, the responsibilities of the insurance manager did not include the other forms of risk management: risk avoidance, reduction and retention. Only in the 1950s, did risk management start to appear in the printed literature, as it became increasingly recognized that managing risk was one of the most important functions of a business.

Quantitative tools were also developed to make risk management more precise. One of these mathematical tools is normative decision theory, which provides algorithms for making the best decisions based on specific inputs. Previously, management science and descriptive decision theory described how and why people chose certain options; normative decision theory consisted of methods of selecting the best options based on specific inputs or quantitative data.

With the development of complex systems, such as the Intercontinental Ballistic Missile System and the space missions, a more holistic approach was developed, often referred to as the systems safety approach, 1st developed by the military and the aeronautics industry, where the entire system was examined in terms of its components and the operation of the system by humans. The system safety approach was developed because it was increasingly recognized that losses occurred because of a failure either in a system component or from human error.

Risk Management Objectives

Losses and the cost of managing risks reduces the profitability of the business. Therefore, that profitability depends on eliminating or reducing the cost of losses and of managing the risks, which is the function of the risk manager. The main concern of the risk manager is to determine how much risk to retain and how much should be transferred through insurance or other available means. Additionally, the risk manager requires detailed knowledge of the types of insurance that are available and their costs, so that the best decision can be made.

Risk management for most firms is probably the responsibility of at least several people. Generally, the larger the organization, the more likely they will have a department devoted to risk management. Additionally, many types of businesses will have specific employees whose duty is to manage particular types of risks. For instance, banks and other financial institutions generally have one or more people whose only job is to ensure that the bank complies with the laws and regulations affecting it. Many types of risk, such as legal or financial risk, require specialized knowledge, so it is typical that these types of risk will be managed by people specialized in those specific areas, usually as 1 part of their activities.

Generally, a risk management program must involve other departments of the business, since they would be in a better position to address loss exposures in their department. For instance, the accounting program should maintain internal accounting controls to reduce employee fraud, embezzlement, and theft. The finance department can better assess the risk that it is taking with its investments and what effect it will have on the firm. The human resources department will generally have greater expertise in following the rules and regulations for employee benefit programs, pensions, safety programs, and in implementing policies for hiring, promotion, and dismissal. The production department must institute quality control to reduce product defects and improve safety in the workplace. The marketing department must ensure that products are labeled according to regulations and to provide the maximum benefit to the consumer and that the product is distributed safely to the consumer.

Risk management objectives can be divided into pre-loss and post-loss objectives.

Pre-Loss Objectives

Pre-loss objectives are goals that a business should strive for before any losses occur. Preventing or minimizing losses are the most cost-effective ways for a business to reduce the cost of losses. As they say, an ounce of prevention is worth a pound of cure. Equipment and business procedures should be selected to maximize safety and reliability. It must be decided how much risk to retain and what types and amounts of insurance should be purchased and who is primarily responsible for risks overall and particular types of risks.

Loss exposures for business include:

Another pre-loss objective is to reduce anxiety, since some loss exposures can cause catastrophic losses, such as major lawsuits. Legal obligations must be met, including installing safety devices to protect workers, to properly dispose of hazardous materials, and to label consumer products appropriately.

Post-Loss Objectives

Post-loss objectives will depend on the magnitude of loss, but generally include:

Risk Managers

Because of the complexity and risks that large organizations face, they employ risk managers who specialize in risk control and financing. In smaller organizations and businesses, risk management is usually the responsibility of the executives and owners.

Risk managers must keep up to date on industry trends and rising prices of insurance, litigation costs, and various other costs that generally increase with inflation. They must know and use risk control and risk finance methods, which are detailed in the previous article, Handling Risk: Avoidance, Loss Control, Retention, Noninsurance Transfers, and Insurance. To limit losses from some retained risks, it must be decided whether excess insurance, which pays only if actual losses exceed a specified amount, will be purchased.

Insurance coverages and the size of deductibles must be decided. Risk managers will generally solicit competitive premium bids from several insurers to obtain the lowest price. They must decide on the terms of the insurance, and on specific exclusions and endorsements. If the risk manager wants coverage or special provisions that are not provided by standard policies, then an insurance company or broker may write a manuscript policy containing the desired provisions. Generally, manuscript policies are only written for larger accounts because they must comply with state laws, so it would not be cost-effective to provide manuscript policies for smaller accounts.

Generally, insurance contracts will specify how claims are to be presented and what evidence of loss is to be presented. The risk manager would have to inform others of some of these insurance policy requirements, especially among those who are likely to recognize the loss 1st.

Risk Management Policy

A fundamental objective of risk management is to decide what priority profits have over risk. In this sense, this objective is the same that investors have when they must decide how much risk are they willing to assume to maximize profits. For it is usually true that greater profits can only be obtained by undertaking greater risks.

However, the risk-return ratio is much more complex for a business than for an investment portfolio. Moreover, a business can suffer losses that greatly exceed any potential for profit, and if the business is a corporation, especially a public corporation, then shareholders should also be informed of the business's potential risks and how the business will manage those risks. Consequently, a business should develop a risk management policy that delineates specific objectives for each area of its business.

The risk management policy, at a minimum, should determine how much risk should be retained, and if potential losses exceed a certain dollar value, a percentage of working capital, or some other specific measure, then insurance should be in purchased to cover that exposure. The policy should also state who is primarily responsible for risk management overall and who is responsible for particular risks. Generally, a risk manager will generally be responsible for insurance coverage, maintaining property appraisals and inventory valuations, processing claims, maintaining loss records, and supervising and reviewing loss prevention activities. The risk policy may also state that only insurance from insurance companies with a minimum rating, such as an A+ in Best's Policyholders Ratings, should be purchased. If insurance must be purchased from another company not satisfying the minimum rating, then the risk manager must obtain approval from the board of directors and/or file a report about the purchase.

The risk management policy should also include how loss exposures will be treated, what top-level executives should know about the risk management process, what standards will be used to monitor the risk manager's performance. A written risk policy will also give the risk manager greater authority in the firm, allowing a more effective implementation of the policy.

A risk management manual may also be published that provides greater detail of the risk management process and can be tailored for specific employees working in specific areas of the business. The manuscript should also include procedures to follow in an emergency.

Risk Management Matrix

A common method of categorizing risk and the solutions to handle those risks is to use a risk management matrix, where risks are placed in a table according to their frequency and maximum loss exposure, from losses with low probability and low severity to the maximum possible loss, which would be the worst loss that could happen to the firm during its lifetime, and to the maximum probable loss, which is the worst loss likely to happen. Then the means to manage that risk would be determined by how frequent and severe the loss would be. In other words,  the risk management matrix is a special type of decision matrix, where the risk management technique used depends on the 2 characteristics of losses: frequency and severity, as exemplified by the following table:

Risk Management Matrix
FrequencySeverityRisk Management Technique
highlowLoss Prevention and Retention
highhighAvoidance and Reduction

Avoidance is the only rational technique for a loss that is both severe and frequent, since no organization can remain viable suffering a high frequency of losses that are also severe. Likewise, no insurance company will ensure such a loss. If these losses cannot be avoided completely, then every effort should be made to reduce or likelihood. Commonly occurring losses can be budgeted and paid as an operating expense.

Risk Management Process

The risk management process consists of 6 steps:

  1. determine objectives
  2. identify risks
  3. evaluate risks
  4. managing those risks
  5. implement the plan
  6. review the results

The 1st step is to identify how risks will be managed:

Identifying Risks

Thorough knowledge of an organization and its activities is required to identify risks. Besides having a broad knowledge of the particular business and the laws and regulations affecting it, the risk manager must generally obtain more specific information by interviewing the appropriate people, both inside and outside of the organization, by physical inspections, and by reading relevant internal records and documents. Risk can also be identified by studying OSHA requirements for the specific business and what factors insurance companies consider when setting a premium, which will usually depend on the hazards associated with the type of business and for that particular business.

Documents that should be examined include financial statements, leases and other contracts, inventory records, asset schedules, and appraisals and valuation reports. The risk manager should also be notified of upcoming construction, remodeling, renovation of the firm's properties, or the introduction of new products, activities, or other operations that may give rise to risk. A risk manager must have a clear idea of how the business operates and what could potentially happen if specific parts of the business are disrupted, such as from the destruction of equipment or from the death or resignation of key employees. Risk managers often use flowcharts to understand the business more thoroughly and to better evaluate what would happen if one part of the business was disrupted.

Risk Evaluation

The magnitude of the risk depends on both the potential magnitude of the loss and the probability that the loss will occur. To prioritize risks and to manage them successfully requires that potential losses and their probability be assessed for each risk.

Besides classifying each risk according to a risk management matrix, another closely related method is the criticality analysis approach. Criticality analysis, used in the US space program, analyzes risks in terms of their severity and places them in particular classes according to how critical the loss would be to the project. The criteria for each class would generally depend on the project and the organization or business, but the following classes illustrate how criticality analysis works:

The effort to manage the above risks would be proportional to their criticality. Putting risks in classes rather than prioritizing them individually makes sense because the effect of any loss within a given class would be the same. For instance, if 2 different losses would bankrupt the firm, then both losses should be avoided or insured. Likewise, for important risks and unimportant risks, since losses from these categories would result in the same remedy.

When risks are evaluated, all potential losses associated with that risk should be evaluated. Both direct and indirect costs of loss exposures must be estimated. For instance, if a critical machine in a factory is destroyed, then not only the cost of the machine must be considered, but also the cost of lost income, and any other losses resulting from the destruction of machine.

Risk Identification Tools

There are several tools that risk managers can use to identify risks. Most of these tools come from the insurance industry, since it is obviously necessary for them to identify risks that the insured are exposed to, in order to set accurate premiums. Additionally, insurance companies are generally exposed to many businesses within a specific industry and over a long period of time, so they have gained a great deal of information on the risk exposures of particular industries and businesses. The major tools used are risk analysis questionnaires, exposure checklists, insurance policy checklists, and expert systems. Although insurance companies are primary users of these techniques, risk managers have used them to expand their applicability to all risks, whether they are insurable or not.

Risk analysis questionnaires (a.k.a. factfinders) are questions answered by specific people in the business on the particular aspects of the business that may give rise to risk. Generally, the later questions are refined according to the answers given for the earlier questions, thereby honing in on the important risk factors.

A risk exposure checklist is another means of identifying major risks, especially for particular industries and businesses. Like all checklists, it helps to prevent overlooking major exposures. An insurance policy checklist can also be used and can usually be obtained from insurance companies or publishers of insurance related information. A risk manager can obtain insurance policy checklists for every applicable insurable risk for the business. The disadvantage of insurance policy checklists is that they generally do not cover non-insurable risks.

An additional source of information for the risk manager is historical loss data that the business, or other similar businesses, has suffered over time. Risk maps can also be used to identify risks, such as those used for floods and earthquakes.

All the above tools have been combined into expert systems, where the questions and information is stored in a computer system. Expert systems store all the information necessary for particular industries or businesses, and they can generate new questions to ask, based on earlier information and they can even incorporate information from other sources, such as industry or insurance publications. Additionally, an expert system can be designed to give specific weights to specific factors that would represent a more accurate assessment of that risk exposure.

Enterprise Risk Management

As with any business, the success of any large enterprise will involve a successful management of its risks, both pure and speculative, whether the risk is insurable or not. Besides the risk from physical hazards, such as firestorms, an enterprise also has many other risks. Financial risks include market risk, when the price of supplies increases or the value of investments decreases; liquidity risk, when the firm does not have enough liquid assets to pay debts becoming due; and credit risk, when the firm may not receive repayment of its loans or receive payment for its products that were sold on credit. Banks, insurance companies and other financial institutions especially require successful financial risk management.

Enterprises also have other risks that can affect it overall, including operational risk, reputational risk, compliance risk, and strategic risk. Operational risk arises from an internal process that causes losses, such as lack of internal controls, fraud, and technology risks, including antiquated technology, breach of information systems by outsiders, programming errors; and losses from external events, such as fires and floods. Reputational risk arises from lower sales because of negative publicity or a negative reputation. Compliance risk is the risk of failing to comply with laws and regulations, which will usually result in fines or lawsuits that can cost the firm a significant amount of money. Strategic risk is failing to implement the firm's strategy, resulting in lower profits or greater costs.