A better way to manage risk
Historically, risk management was a term used to describe the management of insurable risks. Companies documented insurable risks and put loss control measures into place to reduce any negative outcome. The focus on insurable risks is referred to as pure risk, meaning there is only a chance for loss to occur.
Risk management today has a broader focus, and risks that can be covered by a traditional insurance policy are only part of the picture. Not only are risks constantly evolving, but risk practitioners must consider speculative risks. Stock prices could go up or down. Products could be recalled or become obsolete. New markets could be developed, paving the way for future growth. These examples, commonly referred to as risk opportunities, could have an upside or downside impact on an organization.
In addition to expanding how risk is defined, firms should ensure that their risk discussions are inclusive and strategic. Leaders in each department throughout an organization have the greatest awareness and knowledge of the risks that could affect their specific area, but they are not always consulted. This can result in risk silos, where risks are not communicated widely, leaving gaps in a company’s understanding of risk at a high level.
It is also important to consider risks within the context of strategic objectives. Companies should take a coordinated approach to the identification of organizational risks, encouraging open dialogue centered on the organization’s strategic objectives and the risks that could derail those objectives. This involves moving risk from an insurance-only discussion to one that includes business leaders from across the organization. The result is a broader perspective on organizational risks that, once identified, can be managed more effectively. This expanded approach to managing risk is called Enterprise Risk Management, or ERM.
Using categories to help identify areas of risk
Every business has its own unique set of challenges. Understanding these challenges provides the framework for risk identification. Companies should categorize their risks and logically group them to allow for more focused discussions—selecting and adapting risk identification categories to fit their organizational structure.
Some common categories of risk include, but are not limited to, strategic, operational, and hazard risk. For example, an “operational” category may include human resources, IT, finance, and administration risks; the focus here is on risk arising from the activities of individuals or from the operations of the organization. A “strategic” category may include competitive, economic, political, legal, and environmental risks. A “hazard” category will focus on areas such as workers’ compensation, liability, and property damage; hazard risks are often associated with insurance. Once companies establish the methodology that makes sense in their context, their next step is to bring together business leaders for more focused risk-management discussions as appropriate. Remember, each risk group can have both upside and downside risks to consider. In addition, there may be risks so inherent to certain organizations that they warrant their own unique category. Once firms have identified their areas of risk, they will need to analyze them through risk assessment.
Risk assessment must include reasonable assumptions and relevant data
Companies must analyze each risk to determine its impact on the organization as well as its likelihood of occurrence. Quantitative analysis, such as a review of financial data, including income statements and balance sheets, litigation reports, and retention levels, is one way to measure some risks. Qualitative assessment addresses other risks, such as determining management’s appetite for risk, innovation and marketing, compliance and regulatory risks, human capital risks, competition, and operational risks. Both qualitative and quantitative analysis produce valuable risk-management data. As each risk is identified, leaders should ask what its impact would be on meeting the organization’s strategic objectives. Business leaders should ask these questions to assess the full impact of each risk:
1. What is the probability that the identified risk will occur?
2. If it did occur, what would be the severity of the loss?
3. How does the identified risk impact my organization’s strategic objectives?
4. Is the identified risk systemic, meaning it has the potential to reach beyond the organizational level?
The hidden costs inherent in risk
Cost is a factor in most business decisions. The direction an organization moves, or doesn’t move, can affect its bottom line. For example, suppose an organization notices a trend of an increasing number of vehicle accidents. This trend has raised the costs associated with repairs to the vehicles involved as well as the costs associated with bodily injuries. An investigation reveals the accidents are primarily the result of driver inattention.
Installing a camera in each vehicle, along with a computerized device that monitors speed and other driving habits, can help mitigate further accidents and associated costs. Initial costs from the purchase of the devices may be substantial, but as a result, vehicle accidents decrease over time. Companies should compare the cost of the devices purchased against the savings estimated by the expected reduction in losses—and consider hidden costs in each alternative. In our example, reputational damage and societal impact can be a hidden cost arising from the vehicle accidents, while equipment maintenance and employee morale could be a cost associated with the decision to purchase the monitoring equipment.
The same process holds true when determining a risk retention level for insurance coverage. Some risks can and should be retained, while others would be better addressed by insurance. A cost-benefit analysis often includes not only monetary costs but other factors for which dollar values are hard to assign, such as the effect on reputation or the specialized services often offered by insurance companies and brokers.
The ERM process
The Enterprise Risk Management process is a continuous, structured, and integrated framework used to assess challenges that may pose a threat to an organization, its people, its assets, and the community. The basic steps used in the ERM process are:
- Identify risks
- Analyze risk
- Evaluate risk treatment options
- Select and implement risk treatment options
- Monitor and review
Imagine this scenario: Payroll suddenly experiences an influx of employees calling to say their paychecks never arrived in their bank accounts. An email-based phishing scam is identified as the culprit. This risk is analyzed, and as a result, viable options to treat it are determined, weighing the cost and effectiveness of each treatment against the potential impact and likelihood of additional occurrences. The options selected include employee training on phishing scams, simulated phishing emails, and multi-factor authentication. The controls are put into place, the number of phishing victims is tracked, and the controls are continuously reviewed to evaluate their effectiveness.
Demonstrating the value of ERM
Enterprise Risk Management may seem like an obvious choice, but before getting started, companies must have buy-in from senior leadership and individual employees alike. This mutual understanding is what is referred to as an organization’s “risk culture.” Understanding the benefits and being able to communicate them in meaningful ways is key to any successful risk-management program. Individuals need to understand why they should care about something before committing resources and time. In summary, ERM:
- Supports a reduction in an organization’s overall cost of risk
- Supports innovation
- Creates efficiency
- Fosters integrity
- Improves outcomes
- Assists with organizational planning and decision-making
- Establishes risk ownership and accountability
- Details lines of communication
- Identifies the tools and resources for successful implementation
But presenting a list of bullet points is not enough. Instead, business leaders need to demonstrate the value of ERM in a way that is tailored to the organization’s audience and tied back to real-life scenarios such as case studies of risk events that other similar organizations have experienced. Through such examples, impacts can be better understood and subsequent conversations about risk will be more robust. This is especially true when risk is set within the context of how it could prevent an organization, a department, or an individual from achieving goals and missions. Companies should present value using various metrics, including intangibles such as reputation, social good, and financial loss. This step is crucial: many well-intentioned ERM programs meet their demise due to a failure to properly communicate, educate, and achieve buy-in.
Building a more resilient future
The recent COVID-19 pandemic showed that “the new normal” that came with it is not just a buzzword but a reality. Companies now need to consider the existence of unanticipated risk in a connected modern world, which changes the approach to assessing uncertainty and its potential impacts—not just for organizations, but for society as a whole. Thankfully, risk management as a practice is evolving along with the very challenges it aims to manage.
As we work to build a more resilient future, it is clear that not every risk has an insurance solution, and not every risk will be identified in advance. It is also clear that firms can no longer afford to ignore potentially rare, catastrophic events.
Complicating matters is the fact that measurements of risk will be biased, as risk assessment is not an exact science. Subjectivity can lead people to over- or underestimate risk based on their perceptions, experiences, fears, and incentives.
It is imperative that companies systematically recognize these facts as the practice of managing risk evolves alongside the risks themselves. A holistic, integrated risk-management strategy can improve organizational outcomes by fostering communication and helping companies recognize their blind spots. Importantly, the risk-management process must begin with proper context and buy-in. The complexities and rewards of ERM are worth the pragmatic and thoughtful approach required as we continually strive to be better prepared in a fast-changing and unpredictable world.