Beyond Traditional Risk Management

By Steven E. NyBlom, CSP, CPEA, ARM, ALCM

Overview

The role of risk management has been evolving in recent years. Organizations are coming to recognize that traditional risk management practices need to be expanded given today’s business conditions and the effects of some key wide-scale disasters. This provides significant growth potential for those who can expand their horizons beyond the traditional risk management model. Recent crises have demonstrated the need for a high-level, systematic approach to risk management that goes beyond the scope of individual business units. There is an absolute need to integrate risk management into the strategic management planning and decision-making processes.

Traditional Risk Management

The term “risk management” is used in a wide variety of contexts. The banking world refers to risk management dealing with their concern for borrowers who may default on loans. Physicians refer to risk management in the context of treating their patients. This paper is focused on safety professionals, who view traditional risk management as including purchasing insurance, managing contracts and contract language, managing insurance claims, and directing risk control efforts. The goal is to minimize the effects of accidental losses for insurable events through financing, indemnification or hold harmless clauses, claim handling, or risk control. Traditional risk management departments handle workers’ compensation, general liability, automobile liability, and property claims.

For insurance professionals, the most common risk management definitions are taken from the Insurance Institute of America (IIA) Associate in Risk Management (ARM) series (IIA 4-5). There is a definition for risk management as a managerial or administrative process and another for risk management as a decision-making process.

“Risk management as a managerial or an administrative process is defined as a process that includes the four functions of planning, organizing, leading, and controlling the organization’s activities to minimize the adverse effects of accidental and business losses on that organization at reasonable cost.”

“Risk management as a decision-making process is a sequence of the following five steps:

(1) Identifying and analyzing exposures to accidental and business losses that might interfere with an organization’s basic objectives

(2) Examining feasible alternative risk management techniques for dealing with those exposures

(3) Selecting the apparently best risk management techniques

(4) Implementing the chosen risk management techniques

(5) Monitoring the results of the chosen techniques to ensure that the risk management program remains effective”

The first definition above, from the 1997 edition of the book, clearly includes “business losses” and “at reasonable cost.” These phrases were added to an earlier definition to emphasize that risk management applies to a broader scope than traditionally considered.

Traditional risk management is described by George L. Head: “In many organizations, risk management as a function is limited to only threats of loss. Relatively few organizations currently consider opportunities for possible gains to be made within the scope of risk management. Indeed, many ‘traditional’ risk managers avoid any opportunities to become involved in making decisions about opportunities for gain so they would not be accused of trying to step beyond the proper scope of their authority. For these risk managers, protecting their organizational rights to manage accidental losses is more important than finding opportunities to broaden the range of their work to encompass, say, risks of loss due to political changes, changes in regulations or changes in monetary exchange rates or other prices.” (Head 22)

Does your organization view risk management in a traditional, insurance-focused manner, or does your organization view risk management as a very broad-based function that is essential to the strategic planning of the organization? Moving beyond traditional risk management requires skills and abilities many safety professionals have not had to use. This can present career risks or opportunities. At a minimum, safety professionals should understand what lies beyond traditional risk management.

Terminology

At this time, there is no consistent use of terms to describe efforts beyond traditional risk management. Some terms in use include aggregation risk management, business risk management, enterprise risk management, enterprise-wide risk management, firm-wide risk management, holistic risk management, integrated risk management, strategic risk management and total risk management. The inconsistent terminology can confuse people. Regardless of the name being used, the concept is clear that there are many types of risks to be considered which may not be familiar to traditional risk managers.

“Enterprise risk management” seems to be the most common term used. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), with PricewaterhouseCoopers LLP leading the project, has published a draft Enterprise Risk Management Framework in an attempt to develop a broadly-accepted framework for enterprise risk management. COSO includes five organizations: American Institute of Certified Public Accountants, American Accounting Association, Financial Executives International, The Institute of Internal Auditors and the Institute of Management Accountants. The components of enterprise risk management identified in the Framework include: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Some of these elements are captured in the Associate in Risk Management definition of “risk management” noted previously.

Business risks can be categorized in a number of ways. Many safety professionals may not be familiar with the terminology used to describe business risks. Some of the common categories include (Miccolis):

  • Market risk—exposure to uncertainty due to changes in rate or market price of an invested asset (e.g., interest rates, equity values).
  • Credit risk—exposure to loss due to the default or downgrade of a counterparty (e.g., bond-issuer, reinsurer).
  • Operational risk—exposure to uncertainty arising from daily tactical business activities.
  • Strategic risk—exposure to uncertainty arising from long-term policy decisions.
  • Liquidity risk—exposure to adverse cost or return variation stemming from the lack of marketability of a financial instrument at prices in line with recent sales.
  • Hazard risk—exposure to loss arising from damage to property or from tortious acts; typically includes the perils covered by property/casualty insurance.

“Traditional risk management works best on financial and hazard risks—the risks that are transferable. ERM [enterprise risk management], by contrast, stresses management of operational and strategic risks. ‘A bank’s operational risk would be its back office, in terms of how its payments are made and its credit-underwriting processes in terms of how it makes loans, monitors credit, and ensures repayment of loans,’ says Terzuoli [Frank Terzuoli, senior vice president of business-risk consulting at New York-based insurance broker Marsh Inc.] ‘A manufacturer’s operational risk would involve the manufacturing process and the processes embedded in building ideas.’ While traditional risk management requires more accounting-type skills, ERM requires skill in strategic planning, process reengineering, and marketing.” (Banham 66)

The Risk Management Process

The risk management process has not changed. What has changed is the scope of business operations being considered within the risk management process. The new model for risk management is to prepare for and deal with the adverse effects of any event or series of events. Identifying and understanding the nature of risks requires a cross-section of personnel from the organization. Effective risk management minimizes losses and the negative impact on the organization.

1. Identifying and Analyzing Risks

Risks must be identified at the operational or functional level and aggregated at the organization level to facilitate decision-making and priority setting. Internal risks (financial, strategic, operational, integrity [embezzlement, theft, fraud, etc.]) and external risks (legal/regulatory, political and business/economic environment, social environment, technological) must be identified. This cannot be accomplished in a vacuum; it requires effort at all levels of management. The key is to develop a mechanism to discuss and evaluate a wide range of risks faced by the organization as a whole. Checklists and questionnaires can be used as a starting point. Consultants can be used to facilitate the process. Brainstorming sessions at all levels of the organization are very effective.

Once risks have been identified, quantifying them can be difficult because of different perceptions. One method of doing this is to identify all of the risks and then ask a wide group to rank them. Some will be high, some low. This leads to more discussion about each of the risks with the intention of coming to a common understanding. A general agreement on risk prioritization is critical. Having a general agreement, however, does not guarantee your priorities will not change. Having a wide group participate in this process will minimize the changes in risk priorities. Having too small of a group is problematic because “Even the same person, at different times, is likely to have different perceptions of what are in fact unchanging risks. These perceptions, whether accurate and rational or not, are themselves important factors of managing the realities of risk.” (Head 20)

The identification and analysis process requires values to be determined, perils to be considered, and consequences of events to be analyzed. Values at risk come in many forms: physical assets, people and intellectual assets, market share, and reputation. Perils can be natural, human, or economic. The consequence of loss can be negligible to extreme. An important facet to risk management is considering the consequences of loss that can affect the organization as a whole, particularly those losses that can impact multiple business units given the same occurrence.

The events of September 11, 2001, had significant impact on organizations from a personnel, property and liability loss perspective. Individual events need to be considered on an integrated basis. One example of addressing a large problem is the issue of absence management. Many organizations do not take an integrated approach to addressing the reasons for employees being absent, even though the absences may be related. Some of the reasons an employee could be absent include: personal illness, family member illness, mental holiday, workers’ compensation claim, short term disability and long term disability. Evaluating the inter-relationship between causes is more effective than treating each type of absence independently.

According to Andrew Jackson, a member of the Project Advisory Council to COSO and assistant general auditor at General Motors Corp., “What we’ve seen is that you have to look at risks across the enterprise, and you have to look at the interdependencies of those risks. Otherwise, risk management is ineffective.” Douglas F. Prawitt, a member of the Project Advisory Council to COSO and associate professor at Brigham Young University, says “Sometimes there may be risks that magnify each other that you want to know about. Other times there may be risk in different units that offset each other. As a result, the organization may be more or less willing to allow one subunit to take on a level of risk, because another aspect in a different part of the organization would mitigate or magnify it. It’s also important to develop an integrated response to risks, so that the right hand isn’t unaware of what the left hand is doing.” (Chapman)

The end result of this step is a prioritized list or ranking of risks. This process helps to establish the risk tolerance of the organization. The prioritized list also helps identify areas where resources should be allocated.

2. Examining Alternative Risk Management Techniques

Once risks have been identified, analyzed and prioritized, there needs to be a determination of how to address the risks. “Effective enterprise risk management requires that management select a response that is expected to bring risk likelihood and impact within the entity’s risk tolerance. Risk responses fall within the categories of risk avoidance, reduction, sharing and acceptance.” (Martens and Nottingham 4) These are not always discrete categories. Risks may be addressed within the scope of multiple categories. The intention should be to make losses occur less frequently, with less severity, and with more predictability within the organization’s accepted risk tolerance.

Risk avoidance is an option for some organizations. This is not true for others. We need law enforcement, fire protection, health services, and other inherently hazardous operations. Reduction is anything that reduces the frequency or severity of a particular loss. This could include any risk control or risk mitigation efforts. Sharing includes any method of distributing the risk including transferring the risk to other organizations. This could include contractual transfer, subcontracting relationships, self-retention plans and insurance. Acceptance is simply acknowledging the risk but doing nothing to address the frequency or severity of losses.

3. Selecting the Best Risk Management Techniques

For management to make an intelligent decision in each category (avoidance, reduction, sharing and acceptance), discussions must occur between all of the appropriate personnel. Risk is the responsibility of everyone. The lowest level employee often has the most knowledge relating to a specific type of risk and the controls that might be appropriate. There are operational, human resource, legal, public relations, political and strategic reasons for taking some actions while not taking others. Senior management must be adequately informed of their options and the cost-benefit arguments for each possible action. The organization may also have regulatory or contractual reasons for selecting given techniques.

Selecting the best technique involves art as well as science. There is no single correct answer. Different organizations will come to different conclusions at different points in time. The decision-making process will be influenced by the organization’s past history, industry trends, legal trends and social trends.

One of the influences leading to an expanded view of risk management is the Sarbanes-Oxley Act of 2002. The Act requires disclosure of a series of company operations for publicly traded companies. Compliance and litigation risks must have effective internal controls. Rick Navarre, CFO of Peabody Energy, “notes that ‘under Sarbanes-Oxley, the audit committee is mandated to understand how we assess and handle the risks confronting the company. I wanted them to be comfortable that we had identified each and every risk we face and prescribed specific risk transfer and mitigation strategies for those risks we did not want to retain.’” (Banham 65) “As for the risks you should have known about but didn’t, [the act] obligates companies to uncover them through a process that is rigorous enough to ensure a reasonable chance of uncovering them. This is implied, not specific.” (Banham 66)

For those risks the organization chooses to retain, the best techniques will deal with pre-loss and post-loss issues. Pre-loss controls can minimize the frequency and severity of losses. Post-loss controls can ensure proper mitigation response, reduced interruption and claim handling. The level of controls selected should be determined through careful analysis of the costs versus the benefits. Some of these are easier to quantify than others. The cost-benefit analysis is particularly critical when resources are scarce. Those options with the best expected rate of return should be selected.
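Steps 1 through 3 above describe one procedure: collect risk perceptions from a wide group, rank the risks and discuss those the group disagrees on, then choose a response (avoidance, reduction, sharing or acceptance) against the organization’s risk tolerance and a cost-benefit comparison. The following Python script is an added example, not part of this article, the ARM text or the COSO framework. The risks, the 1–5 likelihood and impact scores, the control costs, the loss-avoided figures and the tolerance value are all constructed sample data, and the response-selection rules are a deliberate simplification of the discussion above.

```python
"""Added example (not from the article): a small risk-register workflow that
aggregates a group's likelihood/impact scores, flags risks the group disagrees
about, ranks them, and assigns one of the four response categories
(avoidance, reduction, sharing, acceptance) against a risk tolerance and a
cost-benefit test. All figures below are constructed sample data."""
from statistics import mean, pstdev

# Constructed sample register: several assessors each rate likelihood and
# impact on a 1-5 scale for every risk, so the spread of opinions is visible.
RISKS = {
    "expansion into unstable region": {"category": "political",
                                       "scores": [(4, 4), (5, 4), (4, 5)]},
    "supplier default": {"category": "credit",
                         "scores": [(3, 3), (1, 2), (5, 5)]},
    "embezzlement": {"category": "integrity",
                     "scores": [(2, 4), (3, 5), (2, 4)]},
    "fire at main facility": {"category": "hazard",
                              "scores": [(1, 5), (1, 5), (2, 5)]},
    "regulatory change": {"category": "legal/regulatory",
                          "scores": [(2, 2), (2, 3), (3, 2)]},
}

# Constructed: (annual cost of the best available control,
#               expected annual loss that control would avoid)
CONTROLS = {
    "expansion into unstable region": (200_000, 50_000),
    "supplier default": (80_000, 50_000),
    "embezzlement": (20_000, 60_000),
    "fire at main facility": (15_000, 40_000),
    "regulatory change": (10_000, 30_000),
}

# The article notes that financial and hazard risks are the transferable ones.
TRANSFERABLE = {"hazard", "credit", "market"}


def aggregate(risks, disagreement_threshold=3.0):
    """Rank risks by the mean of each assessor's likelihood*impact product.

    A risk is flagged for further discussion when the population standard
    deviation of the individual products exceeds the threshold, i.e. when the
    group has not yet reached a common understanding of that risk."""
    rows = []
    for name, info in risks.items():
        products = [lik * imp for lik, imp in info["scores"]]
        rows.append({
            "risk": name,
            "category": info["category"],
            "score": mean(products),
            "needs_discussion": pstdev(products) > disagreement_threshold,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def choose_response(row, tolerance, control_cost, loss_avoided):
    """Map a ranked risk to one response category (simplified rules)."""
    if row["score"] <= tolerance:
        return "acceptance"   # within tolerance: acknowledge, apply no control
    if loss_avoided > control_cost:
        return "reduction"    # the control pays for itself: apply it
    if row["category"] in TRANSFERABLE:
        return "sharing"      # uneconomic to control, but transferable/insurable
    return "avoidance"        # neither controllable nor transferable at reasonable cost


def build_plan(risks=RISKS, controls=CONTROLS, tolerance=6.0):
    """Return a mapping of risk name -> chosen response for the whole register."""
    return {
        row["risk"]: choose_response(row, tolerance, *controls[row["risk"]])
        for row in aggregate(risks)
    }


if __name__ == "__main__":
    for row in aggregate(RISKS):
        flag = " (needs discussion)" if row["needs_discussion"] else ""
        print(f"{row['score']:5.2f}  {row['risk']}{flag}")
    for risk, response in build_plan().items():
        print(f"{response:10s} {risk}")
```

The disagreement flag is the part worth keeping from this sketch: with the sample scores, “supplier default” and “embezzlement” are flagged because the assessors’ products spread widely, which is exactly the situation the article says should send a group back into discussion before priorities are fixed. Replace the constructed figures with the organization’s own register and the tolerance agreed in step 1.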

4. Implementing the Chosen Risk Management Techniques

Risk management techniques cannot be implemented without broadening the skills of employees at all levels. Formal training must be developed and completed. All employees need to be educated about risks and the controls appropriate to those risks. The techniques must be understood. Success stories and failures should be shared and best practices must be communicated.

5. Monitoring the Results

Once steps have been taken to identify risks and implement the chosen techniques for handling the risks, the results must be measured. The risk management process is not static. If the results are not achieved then the decision-making process needs to be re-evaluated. Performance metrics must be defined. These metrics must measure positive or negative results for each of the identified risk categories. The selected metrics should measure actual performance results and activities and compare these to established goals.

Communicating results as measured against goals must be done throughout all levels of an organization. Proper use of the data will identify trends, provide early warnings, indicate when corrective action is needed, and forecast future performance. During the monitoring process, lessons learned and best practices must be communicated throughout the organization.

Conclusion

The different perceptions of senior management will influence the extent that a risk manager will be allowed to expand the scope beyond the traditional model. Many organizations have expanded beyond the traditional approach while others have not.

Change and uncertainty are constant factors in our lives. Risk is unavoidable in everything we do and it must be addressed. Expanding our focus beyond the traditional aspects of risk management will help us demonstrate to senior management the value we bring to the organization. We may not have the background to see interdependencies or non-traditional risks, but we can help to facilitate the process of having the proper personnel in the organization identify and evaluate these issues.

Going beyond traditional risk management is not an easy task. There are many obstacles and roadblocks. “When asked to identify the major obstacles to ERM [enterprise risk management], survey respondents pointed mainly to organizational problems. These include a lack of alignment between risk management and current planning processes; a lack of clearly defined roles, accountability, and information flows; cultural opposition; and a low recognition of benefits within the company.” “The individual who leads it must have a broad view of an organization’s risks and functions as well as the authority to drive organizational change. Many companies, particularly in the finance and energy sectors, have appointed a chief risk officer (CRO) to perform this function.” (Elliott)

Successfully getting to this point will result in risk management issues being identified and considered in the strategic planning process. This should be our goal in expanding our horizons beyond our traditional boundaries.

Bibliography

Banham, R. “Fear Factor.” CFO. June 2003: 65-70.

Chapman, C. “Bringing ERM Into Focus.” Internal Auditor. June 2003. http://www.theiia.org/iia/index.cfm?act=content.print&doc_id=4229

The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise Risk Management Framework (draft). COSO, 2004. http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf

Elliott, M. “The Emerging Field of Enterprise Risk.” Viewpoint, Number 2, 2001. Marsh & McLennan Companies, Inc. 2001. http://www.mmc.com/views/autumn_01_elliott.shtml

Head, G. “The Duality of Risk.” Risk Management. Jan. 2004. 20-23.

Insurance Institute of America (IIA). Essentials of Risk Management, 3rd ed. Vol. 1. Malvern, PA: IIA, 1997.

Martens, F. and Nottingham, L. Enterprise Risk Management: A Framework for Success. PricewaterhouseCoopers LLP, 2003. http://www.pwcglobal.com/extweb/service.nsf/8b9d788097dff3c9852565e00073c0ba/f45c1d8b50537aa685256dcf007dda4e/$FILE/COSORiskFramework.pdf

Miccolis, J. “The Language of Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures.” Tillinghast-Towers Perrin. May 2002. http://www.irmi.com/expert/articles/miccolis007.asp

ABOUT THE AUTHOR

Steven E. NyBlom, CSP, ARM, ALCM is the Assistant Division Chief of the Loss Control and Prevention Section of the County of Los Angeles Risk Management Branch. He was formerly Assistant Director, Casualty Risk Control, for Aon Risk Services, Inc. in Los Angeles, California. At the County, Steve is responsible for leading all Countywide loss control efforts. His staff supports over 90,000 County employees in 38 different departments including Sheriff, Fire, Health Services, Public Works and others. Steve is a Professional Member of ASSE and the current Administrator of the RM/I Practice Specialty. He completed his education at the University of California, Davis with degrees in Aeronautical Engineering and Mechanical Engineering. He has been teaching Associate in Risk Management (ARM) courses for the Insurance Educational Association (IEA) for several years and has published a number of articles.

Reprinted from Proceedings of the 2004 ASSE Professional Development Conference.

riskVue | The webzine for risk management professionals
May 2005
Copyright ©1999–2008 by Warren, McVeigh & Griffin, Inc.
ISSN 1553-8826