RISK MANAGEMENT
Course description
The course explores the insurance industry’s relationship to its external environment. It
will examine the regulatory environment and the general dynamics of the
concepts, approaches and methodologies adopted by organizations in the risk
management process.
Course Objectives
The objectives of this course include:
I) To enable students to appreciate the framework for the general conduct of
insurance and reinsurance business.
II) To provide the basic knowledge about fundamental principles of insurance and
their application
III) To make students understand how insurance enterprises are organized
IV) To equip the students with the basic characteristics of insurance cover and the
knowledge of the production processes involved
Learning outcomes
After completing this course, the student should be able:
i) To have the knowledge to do insurance business
ii) To explain the business and economic cycle of the insurance industry.
iii) To explain the consumer oriented regulatory environment pertaining to the
insurance industry
iv) To appreciate the insurance market determinant factors and how they impact
on the behavior of the market participants
v) To understand the operational environment of insurance enterprises in
particular the regulatory framework
COURSE DESCRIPTION
TOPIC | DESCRIPTION | LESSON DETAILS
1.0 | Classification of risk | Risk and related concepts; Classification of risks; Risk attitudes; Risk costs
2.0 | Theoretical aspects of risk management | Risk concepts & possibilities; Risk classification & categorization; Approaches & philosophy; Cost of risk
3.0 | Scope and objectives of risk management | Risk management approach; Risk management definitions and basic concepts; Risk management contributions and benefits to business
4.0 | Effective risk management strategies | Formulating risk management strategy; Objectives - pre & post loss objectives; Role of risk manager; Implementation strategies; Risk profiling & risk audits; Organizing & controlling the strategy
5.0 | Identifying & analyzing loss exposures | Types of risk identification techniques; Hazard identification & risk assessment; Statistical and other methods of assessing risk exposures; Prioritizing and mapping of risks
6.0 | Risk financing | Risk financing techniques
7.0 | Alternative Risk Transfer (ART) mechanism | Finite risk reinsurance; Risk transfer to capital markets; Global trends in the insurance industry; Integrated risk management; Traditional and non-traditional options; Alternative risk financing products
8.0 | Business Continuity Management | Definition of business continuity management; Emergency, disaster and catastrophe; Emergency threats; Disaster phases; Business continuity planning
9.0 | Enterprise Risk Management | Enterprise risk management definitions and its application; Limitations of enterprise risk management; ERM impact on management practices; Other ways that ERM contributes to value creation; ERM process
CHAPTER 1.
1.1. RISK CONCEPT AND CLASSIFICATION
Introduction
This chapter looks at risk and its treatment. It looks at the nature and treatment of risks
in our society. There is no single theory of risk; statisticians and actuaries each have their
own concept of risk. However, risk historically has been defined in terms of certainty.
In this chapter, risk is defined as uncertainty concerning the assurance of loss.
Learning Outcomes
After studying this chapter, you should be able to:
1. Define risk
2. Understand the following types of risks:
• Pure risk
• Speculative risk
• Subjective risk
• Objective risk
• Diversifiable and non-diversifiable risks
3. Explain risk attitudes
4. Describe the costs associated with risks
Unit Structure
Risk and Related concepts
Classification of risks
Risk attitudes
Risk costs
Study Guide
You are expected to have a basic understanding of risk, the theory of probability and
the evolution of risk management.
1.1 RISK AND RELATED CONCEPTS
If you have worked in, or studied insurance, you will already have some idea of what is
meant by risk. When studying risk management, it is important to distinguish between
the following three concepts which are central to any study of risk management. These
concepts are often used synonymously and are freely interchanged. It is, however,
important to understand the distinction between the concepts and their components
clearly.
Risk is defined as the deviation or variability of actual results from an expected or desired
result. Some other definitions of risk include:
• Risk is a combination of hazards measured by probability;
• Risk is a condition in which loss or losses are possible;
• Risk is a condition that can threaten the assets or earning capacity of an enterprise; and
• Risk is a set of circumstances with a possibility of loss, whether or not a loss actually
takes place.
Risk implies that there is uncertainty present. There is uncertainty whether the event will
take place and if it takes place what the outcome will be.
The supplied definitions of risk imply that:
• The decision-maker is uncertain about the outcome and the actual outcome may
therefore deviate from the expected outcome;
• The degree of uncertainty surrounding the event determines the level of risk; and
• The degree of risk can therefore be interpreted in terms of the frequency with which an
event will occur and the probability that it will display a certain outcome. The risk event
represents the deviation from the expected outcome.
Perils
A peril is the cause or source of a loss (loss event). Perils can be classified into:
• Natural perils, such as hail, floods and vermin infestation, to mention a few. The occurrence
of natural perils is largely beyond human control. Humans can, however, take effective
loss control measures to control the severity of losses resulting from natural perils;
• Human perils, for example, the actions or inactions of single individuals or groups of
individuals committing theft or homicide, acting negligently, or failing through
incompetence or dishonesty; and
• Economic perils, which stem from the actions of large numbers of persons or of governments
in, for example, conducting strikes or boycotts or waging war, to mention a few.
Insurance policies usually refer to specified perils, which means that cover is provided
whenever a loss is caused by the specified peril.
Hazards
A hazard is a condition that may increase the frequency or severity or both, of a loss
resulting from a given peril.
Hazards can be classified as:
• Physical hazards - these comprise physical properties that might increase the chance of
loss from the various perils. For example, a thatch roof increases the possibility of loss
due to fire;
• Moral hazards - these refer to an increase in the probability of loss resulting from the evil
tendencies in the character of individuals or groups. For example, a person's dishonest
tendencies may induce that person to commit insurance fraud. Individuals acting against
the law can also be classified as moral hazards. For example, a person driving under the
influence of alcohol is deliberately acting against the law and is increasing the possibility
of loss due to accidents;
• Legal hazards - these refer to the increase in the frequency and severity of loss that arises from
legal doctrines enacted by legislatures and created by courts. An example is an increase in
the possibility of liability losses due to legislation.
Example
You have a meeting in Bushenyi at 14:00. You live in Mbarara. Your expected outcome
is to be at the meeting at 14:00. The risk in this case is that you might be late for the
meeting or miss the meeting altogether due to certain circumstances.
Some of the possible perils that might cause a deviation from the expected outcome (to be
at the meeting at 14:00) are accidents, car troubles and hijacking, to mention a few.
Hazards that might increase the possibility of the deviation due to the identified perils can
include amongst others wet road conditions, spillage on the road surface, speeding, traffic
jams, road works.
In some cases, a hazard might also be the cause of the deviation. For example, road works
might increase the possibility of the deviation but can also be the cause of the deviation.
1.2. CLASSIFICATION OF RISK
1. Classification of risks
Risks have been mainly classified as:
a) Personal, property or liability risk
i) Personal: Potential loss to the persons.
ii) Property: Potential loss to the property.
iii) Liability risk: Potential liability for any individual or institution.
b) Physical, social or market risk
i) Physical: Storm, tempest, flood, hurricane and other such natural phenomena.
ii) Social: Riot, strike, civil commotion, burglary, theft etc.
iii) Market: Price reductions or purchase and sale constraints are involved.
c) Pure or speculative risk
i) Pure risk: Considered in the context of the existence of a chance of
loss only, with no chance of gain at all.
ii) Speculative risk: When there is a chance of gain as well as a loss.
Examples of pure risks include:
Chemical | Fire, explosion
Natural | Cyclone, flood, earthquake
Social | Riot, strike, theft, fraud, negligence
Technical | Machinery breakdown
Personal | Death, disablement, sickness, theft, fraud and injury
It can be seen that in most cases it is unlikely that anything other than loss will result.
Entrepreneurial or business risk undertaken by businessmen is an example of speculative
risk where either profit or loss may result. The following chart provides illustrations of
business risks.
Technical | New technology
Social | Consumer behavior, industrial unrest
Economic | Inflation, tax policy, competition
Political | War, nationalization
Some examples of business risks are:
1. Production may not achieve the planned output at the planned cost due to
uncertain events such as non-availability of raw materials or increase in their costs
or labour problems in the form of strikes, or work to rule or go slow tactics, etc.
d) Static or dynamic risk
i) Static risk: Risks connected with losses caused by the irregular action of the forces
of nature or the mistakes and misdeeds of human beings.
ii) Dynamic risk: Risks associated with changes in human wants and improvements
in machinery or technological innovations.
e) Fundamental or particular risk
i) Fundamental risk: Risks associated with groups, impersonal in origin and effect.
These fundamental risks are in the form of political or economic changes happening to a
group.
ii) Particular risk: Risks associated with individuals.
Case Study.
Brandon, aged 37, worked as a construction worker in Kampala. He was married and had
two preschool children. While he was working on the roof of a new house under construction,
a heavy gust of wind blew Brandon off the roof into a hole adjacent to the house. He was
seriously injured and died shortly after being admitted to a local hospital.
Brandon’s tragic and untimely death shows that we live in a risky and dangerous world.
The media report daily on similar tragic events that illustrate clearly the widespread
presence of risk in our society. Examples abound: a deranged gunman kills 10 customers
in a local department store; a small town is wiped out by a tornado; a drunk driver kills 5
people in a van on a crowded expressway; brush fires destroy hundreds of expensive
homes. In addition, many people experience financial tragedies
because of catastrophic medical expenses, the unexpected death of a family head, or the
loss of a good-paying job. Still others experience financial setbacks because they
negligently injure someone and cannot pay a liability judgement and other legal costs.
1.3. RISK ATTITUDES
Risk attitudes can be defined as the ways in which a person behaves in an uncertain
situation; they vary from person to person because of their personalities, economic status
and potential gains/losses.
These attitudes fall into one of the following categories:
Diagram 1: Categories of risk attitude
• Risk neutral
• Risk preferer
• Risk averter
The risk neutral person reacts to risk in line with its statistical probability, i.e. with the
likelihood of its occurrence. He tries to neutralize or balance the chance of a loss against
the chance of gain, e.g. if he has to bet on the result of a match between two teams, he
will bet equal amounts on both teams.
The risk preferer actually welcomes the existence of risk and uncertainty. He is willing to
take a chance of gain against the odds posed by risks.
The risk averter is the one normally frightened by risk and does not like to live with
uncertainty. He would rather pay for certainty and will even pay for changing uncertainty
into certainty, e.g. payment of premium to an insurer for the assurance of loss
compensation.
Under which of the following risk attitude categories is a person willing to take a chance of
gain against the odds posed by risks?
I. Risk neutral
II. Risk preferer
III. Risk averter
IV. All of the above - risk neutral, risk preferer and risk averter
1.4 RISK COSTS
The costs imposed by the existence of risk can be identified in three separate areas:
1. Cost of the loss
This includes both direct and indirect costs.
Direct costs are those immediately attributable to the event, e.g. repairs to a damaged
vehicle, replacement of goods damaged as the result of a collision, third party
compensation, if necessary, assessor's expenses etc.
Indirect costs in this example may be additional wear and tear on other vehicles and time
lost by other drivers attending the scene of the accident.
2. Costs of handling risk
Time spent on identification, analysis and negotiation of insurance covers could be more
profitably employed in income-generating activities. The additional monetary costs of
loss prevention and reduction together with the costs of consultancy fees and insurers'
profit loading serve to reduce the profitability of the company.
3. Costs imposed by risk
Because we live in an uncertain world, individuals are willing to pay amounts in excess of
the sums which they stand to lose, on average, in the long term i.e. over their lifetime.
This is known as the expected value of loss.
The cost of risk is, thus, dependent on three variables, viz.
a) Risk control measures,
b) Uninsured losses
c) Insurance
These costs get distributed among the bearers of the risks, as shown in the following
diagram:
Diagram: Distribution of Costs of Risk
• Total direct & indirect costs of risk: cost of handling risk, cost of loss, cost imposed by risk
• Bearers of the costs: private costs, social costs
CASE APPLICATION
Michael is a college senior who is majoring in marketing. He owns a high-mileage 2000
Ford that has a current market value of $2500. The current replacement value of his
clothes, television, stereo, cell phone, and other personal property in a rented apartment
totals $10,000. He wears disposable contact lenses, which cost $200 for a six-month
supply. He also has a waterbed in his apartment that has leaked in the past. An avid
runner, Michael runs five miles daily in a nearby public park that has the reputation of
being extremely dangerous because of drug dealers, numerous assaults and muggings,
and drive-by shootings. Michael’s parents both work to help him pay his tuition.
For each of the following risks or loss exposures, identify an appropriate risk
management technique that could have been used to deal with the exposure. Explain
your answer.
a. Physical damage to the 2000 Ford because of a collision with another motorist
b. Liability lawsuit against Michael arising out of the negligent operation of his car
c. Total loss of clothes, television, stereo, and personal property because of a grease fire
in the kitchen of his rented apartment
d. Disappearance of one contact lens
e. Waterbed leak that causes property damage to the apartment
f. Physical assault on Michael by gang members who are dealing drugs in the park where
he runs
g. Loss of tuition assistance from Michael's father, who is killed by a drunk driver in an auto
accident
Study Questions
1. Explain the meaning of risk.
2. How does objective risk differ from subjective risk?
3. What is the difference between peril and hazard?
4. What is the difference between pure risk and speculative risk?
5. List the major types of pure risk.
6. What are risk attitudes?
7. Explain the costs associated with risk.
CHAPTER 2: THEORETICAL ASPECT OF RISK MANAGEMENT
Introduction
Risk management is one of the many activities that organizations (and individuals) carry
out to help them achieve their objectives.
Risk management assists organizations and individuals to decide:
1. How much risk to accept when pursuing objectives.
2. The necessary actions to deal with risk and uncertainty in order to pursue the
objectives.
In developing answers to such questions a number of aspects of risk management must
be taken into consideration.
Learning objectives
1. To develop an understanding of various concepts on risk management.
2. To develop a practical approach to application of risk management and decision
making.
3. To develop an understanding of risk classification and its application.
4. To develop an understanding and application of total cost of risk.
RISK CONCEPTS AND POSSIBILITIES
Risk experts and scholars have developed various risk concepts to support various
industries and projects. These concepts have proved to be vital to the transformation of
the risk management function. The fundamental concepts of risk recognize that risk
management is not entirely about eliminating risk but about managing it.
The elimination perspective of risk would bring most businesses to a standstill, as a business
must take “calculated risks” for a reward. The conflict between risk and reward is one
that requires a carefully thought-through process. The tradeoff between profits and
opaque risks requires an objective approach by any business. In a highly regulated macro
and micro business environment this objectivity may be hijacked by powerful business
groups exaggerating potential returns while diminishing perceived potential risks. It is
paramount that an organization has a strong risk management and risk
governance culture to limit any such incidents.
Thus it can be conceived that managing risks presents various opportunities (internally
and externally) if processes and procedures are in place and are rigorously tested to
confirm that they are applicable to a rapidly changing and dynamic business environment.
The process of managing risk will involve:
1. Defining the risk appetite (how much risk an organization is willing to accept) and
risk capacity (how much risk an organization can afford to take).
2. Identification of risks that will affect an organization's ability to achieve its
objectives.
3. Risk assessment of the impact and frequency of risk.
4. Decisions on how to manage risk if it indeed occurs.
5. Managing the entire process of monitoring and communication.
Risk management concepts vary from industry to industry due to the myriad of risks that
will affect a particular organization. Risk factors such as those inherent in the strategy of
an organization, product offerings, economic conditions, consumer preferences and
demographic changes will affect organizations differently.
Attitude towards Risks
In the mid-80s, when the frequency of professional liability claims against design
professionals reached an all-time high and many insurers had abandoned the
professional liability market, a frequently heard comment was that the result would be
“vanilla architecture” and “timid engineering.” That did not happen. Instead, most
design professionals learned to manage risk proactively by following certain basic
principles as part of an overall risk management philosophy. Some of these principles
included:
• Engage in projects within the design professional’s qualifications, experience, and
staffing.
• Carefully select clients through “due diligence” inquiries of appropriate persons,
including other design professionals who have previously performed services for
the same client.
• Provide training and regularly repeat training for firm personnel on contractual
and risk management topics, including how to identify and deal with difficult
client issues or risk-intensive situations.
With such an approach, insurers are more willing to take on design risks if the client has
carried out all necessary due diligence to minimize any foreseeable gaps that could give rise to
a claim.
1.0 Risk and Decision Making
We know by experience that very few people make decisions on the basis of
well-deliberated calculations, whether the decision situation is of a private character or in a
job situation. We also know that people often neglect the normative rules when making
risky decisions, and that they often make decisions by intuition or on “a hunch” that
seems correct. The descriptive theory gives us some explanations of why people make
decisions the way they actually do and why the suggested normative rules for
decision-making under risk and uncertainty are not followed. For instance, people make decisions
by following well-known paths and by following well-established and built-in norms.
Research relating risk attitudes to actual behavior when handling risky prospects still
remains relatively murky. However, as we unveil various theories on risk management, a
number of foundation concepts will be learnt.
Risk means different things to different people, and they perceive risk in different
ways depending on the area they are working in. Many studies have attempted to
deal with this differentiation aspect and have studied the role of risk in their respective fields.
It can thus be assumed that “risk” is a much overused word and that there is a need to
provide a useful definition of risk in the field of decision-making.
This definition distinguishes three types of decision-making situations. We can say that
most decision-makers are in the realms of decision-making under either:
a) Certainty, where each action is known to lead invariably to a specific outcome.
b) Risk, where each action leads to one of a set of possible specific outcomes, each
outcome occurring with a known probability.
c) Uncertainty, where actions may lead to a set of consequences, but where the
probabilities of these outcomes are completely unknown.
A risky situation is thus a situation where the outcome is unknown to the decision-maker,
and not knowing which outcome will occur may lead to erroneous choices.
When making any decision, an understanding of the several risks that may impede
(chance of loss) or even increase the realization of the decision needs to be taken into
consideration. Risks can take various shapes, as below:
• Pure risk – chance of loss or no loss (breakeven)
• Speculative risk – chance of loss or gain (business risk)
There exists a fine line between pure and speculative risks as organizations evolve and
the business environment changes.
It is worthwhile making a distinction between uncertainty and risk.
Uncertainty is a shortfall of knowledge or information about what kinds of outcome may
occur, the factors which may influence future outcomes, and the likelihood or impact of
various outcomes. These possible outcomes can be divided into unfavourable, expected
or favourable, according to present perceptions (which may change in future).
Risk is exposure to unfavourable outcomes, but it is worth noting that there may be upside risk
in terms of exposure to favourable outcomes.
It is important to consider that the individual traits, skills, education and
experience of the decision maker will play a critical role in making decisions.
Question
For instance, if faced with a decision to purchase a new machine worth Ushs. 100 Million
or upgrade the current machine (second hand) at a cost of Ushs. 10 Million, what would
be your approach, in order of rank, for the options below?
(a) Avoid buying or upgrading the current machine?
(b) Collect more information?
(c) Check different aspects of the problem?
(d) Actively work on the problem to reduce any inherent risks?
(e) Delay the decision?
(f) Delegate the decision?
2.0 Risk Appetite
Whilst businesses exist to create value for their shareholders and generate a good return,
the uncertainty surrounding the realization of these goals cannot be ignored.
The question is how much risk an organization should accept in order to add value for
the shareholders and to meet its obligations to other stakeholders. Determining the
“risk appetite” helps answer this question.
When an insurance organization takes on insurable risks on behalf of the clients, the
client expects that all valid claims will be paid subject to the policy limit, terms and
conditions. The insurance organization must have an appetite to take on such risks.
Risk appetite varies from organization to organization. When risk appetite is clearly
articulated and well understood by everyone in the organization, it guides (in fact it
should dictate) how much risk everyone is allowed to take when selecting business
strategies and in day-to-day decisions.
Risk appetite is described as the nature/type and the total amount of risk an
organization is willing to accept in order to pursue value. It should take into account the
organization's obligations towards its key stakeholders, especially its customers e.g.
insurance policyholders.
It articulates:
• The organization's attitude towards risk-taking.
• The nature/type of risks it wants to assume.
• The nature/type of risks that are unacceptable.
• The aggregate amount of risk the organization as a whole is willing to accept, under
both normal and extreme business environments.
It is important that the organization's risk appetite is commensurate with its ability to
manage risks.
Risk appetite is set at an aggregate organizational level and generally expressed in broad
terms quantitatively and qualitatively.
These days, organizations which have articulated their risk appetite formally define it in
a written Risk Appetite Statement. For instance: “We shall maintain all costs and expenses
within the approved budget.”
While defining risk appetite, a number of factors need to be taken into consideration.
Internal factors affecting risk appetite include:
• Company history of risk taking
• Long-term organizational objectives
• Stage in the organization’s life cycle: startup, growth, maturity & decline
• The financial stability (assets, income and cash flow)
• Management willingness to accept risk versus the organization’s financial ability
to assume risk.
External factors affecting an organization’s risk-taking appetite include:
• Market maturity
• Competition and the need to take business risk
• Public image
• Shareholder attitudes (owners, creditors, government and beneficiaries)
Example 1: Company ABC is strong in its business philosophy and willing to take risks.
However, it is a start-up company with net losses, little net worth, and little ability
to borrow from banks. What needs to change?
Example 2: Company XYZ is very conservative and not willing to take much risk. They
have lots of cash, are profitable, have excellent net worth, and have more money than their
banks. What needs to change?
Risk Tolerance
Risk tolerance is a quantitative expression of the total level of risk or uncertainty an
organization is willing to take when pursuing specific objectives.
Alternatively, it can be considered in terms of the key risks an organization faces, as the
amount of each of the key risks an organization is willing to take.
Risk tolerance should be aligned with risk appetite and represents the boundaries for
risk taking. It is expressed as an acceptable variation around an objective or the
performance outcome.
Risk limits are derived from risk tolerances. Risk tolerances are translated into granular
risk limits which are allocated throughout the organization. Risk limits are assigned to
each of the levels in the organization and they form the boundaries of individuals'
risk-taking in their day-to-day business activities.
For instance in an insurance underwriting manual (fire exposures) risk tolerance can be
described as “we shall take on exposures not exceeding Ushs. 3 Billion”. Thus an
underwriter is limited to only take on risks that are below this threshold.
Risk Capacity
Risk capacity is the type and amount of risk an organization is able to take or withstand.
A number of factors determine an organization's risk capacity: its financial resources,
the legislation and regulations the organization is subject to, and its capabilities.
The more financial resources an organization has, the more risk it can withstand.
Therefore risk capacity can influence risk appetite.
Financial services organizations such as banks and insurers are regulated. Often, they
are authorized or licensed by their local regulator(s) and are required to hold a
minimum amount of capital (regulatory capital).
For the purpose of explaining risk capacity, capital is the amount of financial resources that
serves as a buffer to absorb unexpected losses. For banks and insurers, risk capacity can
be thought of as the level of risk an organization can take before breaching the
regulatory capital requirements.
RISK CLASSIFICATIONS AND CATEGORIZATION
Organizations will group risks according to their estimated cost and likelihood of
occurrence. This classification can be quantitative and/or qualitative. In some
organizations, approaches such as event-based classification and cause-based classification
are applied.
Event-based classification seeks to classify risks by event, i.e. by what has just occurred
that has given rise to an adverse impact. Cause-based classification seeks to
classify risks by what has given rise to the event.
Insurance is a means for dealing with the economic uncertainty associated with chance
occurrences. It does so by exchanging the uncertainty of the occurrence, the timing, and
the financial impact of a particular event for a predetermined price.
To establish a fair price for insuring an uncertain event, estimates must be made of the
probabilities associated with the occurrence, timing, and magnitude of such an event.
These estimates are normally made through the use of past experience, coupled with
projections of future trends, for groups with similar risk characteristics.
The grouping of risks with similar risk characteristics for the purpose of setting prices is a
fundamental precept of any workable private, voluntary insurance system.
This process, called risk classification, is necessary to maintain a financially sound and
equitable system. It enables the development of equitable insurance prices, which in
turn assures the availability of needed coverage to the public.
Risk classification is intended simply to group individual risks having reasonably similar
expectations of loss. Difficulty in risk classification comes with the introduction of
concepts such as “fairness” and “similar risk characteristics.” Each individual, each
business, each piece of property is unique; to the extent that the risk classification
process attempts to identify and measure every characteristic, it becomes unworkable.
On the other hand, because there are differences in risk characteristics among
individuals and among properties which bear significantly upon cost, to ignore all such
differences would be unfair.
The following basic principles should be present in any sound risk classification system in
order to achieve its purposes:
• The system should reflect expected cost differences.
• The system should distinguish among risks on the basis of relevant cost-related
factors.
• The system should be applied objectively.
• The system should be practical and cost-effective.
• The system should be acceptable to the public.
A risk classification system serves three primary purposes: to protect the insurance
program’s financial soundness; to enhance fairness; and to permit economic incentives
to operate with resulting widespread availability of coverage.
Protection of insurance program’s financial Soundness
The financial threat to an insurance program’s solvency is primarily through a
complex economic concept called adverse selection. It results from the
interaction of economic forces between buyers and sellers of insurance. In
markets where buyers are free to select among different sellers, normally with a
motivation to minimize the price for the coverage provided, adverse selection
is possible. In such markets sellers have a limited ability to select buyers and
have a basic need to maintain prices at a level adequate to assure solvency. In
many cases, these economic forces are in equilibrium; occasionally, they are not.
This relocation is the concept of adverse selection, which creates economic
instability and can threaten the insurance program’s financial stability. In the
early 1900's some assessment societies offered life insurance benefits to
members without making price distinctions on known mortality differences for
different age groups. Some younger members of those groups were gradually
attracted to lower priced competitors, while others decided not to insure at all.
This opting out resulted in higher prices for remaining members. Some of those
remaining then opted out. An upward spiral of higher prices resulted for the
fewer remaining older lives.
Risk classification is one means of minimizing the potential for adverse selection.
It reduces adverse selection by balancing the economic forces governing buyer
and seller actions. Risk classification is not the only answer to controlling adverse
selection.
Enhanced Fairness
Since adverse selection occurs when the prices are not reflective of expected
costs, a reasonable risk classification system designed to minimize adverse
selection tends to produce prices that are valid and equitable, i.e., not unfairly
discriminatory. Differences in prices among insurance classes should reflect
differences in expected costs with no intended redistribution or subsidy among
the classes. Ideally, prices and expected costs should also match within each
class. That is, each individual risk placed in a class should have an expected cost
which is substantially the same as that for any other member of that class. Any
individual risk with a substantially higher or lower than average expected cost
should be placed in a different class.
Economic Incentive
Any economic system that relies primarily on private enterprise for the
distribution of goods and services relies on companies and individuals to seek
out potential customers and develop means of successfully selling and servicing
the needs of those customers. The companies that prove to be the most
successful in servicing customers’ needs will be rewarded with the largest
proportion of the potential customers. Insurers offering private, voluntary
insurance programs are no different in this regard. They have incentives to
expand their markets and to achieve a high penetration of the markets they
choose to serve. In developing marketing strategies, and in pricing the products
needed in their markets, insurers need a risk classification system that will
permit them to offer insurance to as many of their potential customers as
possible, while at the same time assuring themselves that their prices will be
adequate to cover the customers’ financial uncertainty that they assume.
RISK APPROACHES AND PHILOSOPHY
When there is a risk, there must be something that is unknown or has an unknown
outcome. In non-regimented usage, “risk” and “uncertainty” differ along the subjective
and objective dimension. Whereas “uncertainty” seems to belong to the subjective
realm, “risk” has a strong objective component. The relationship between the two
concepts “risk” and “uncertainty” seems to be in part analogous to that between “truth”
and “belief”.
In decision theory, a decision is said to be made “under risk” if the relevant probabilities
are available and “under uncertainty” if they are unavailable or only partially available.
Partially determined probabilities are sometimes expressed with probability intervals,
e.g., “the probability of having a motor accident tomorrow is between 0.1 and 0.4”. The
term “decision under ignorance” is sometimes used about the case when no
probabilistic information at all is available.
In real-life situations, even if we act upon a determinate probability estimate, we are
not fully certain that this estimate is exactly correct, hence there is uncertainty. It
follows that almost all decisions are made “under uncertainty”. If a decision problem is
treated as a decision “under risk”, this does not mean that the decision in question is
made under conditions of completely known probabilities.
Rather, it means that a choice has been made to simplify the description of this decision
problem by treating it as a case of known probabilities. This is often a highly useful
idealization in decision theory. However, in practical applications it is important to
distinguish between those probabilities that can be treated as known and those that are
uncertain and therefore much more in need of continuous updating. Typical examples
of the former are the failure frequencies of a technical component that are inferred
from extensive and well-documented experience of its use. The latter case is
exemplified by experts' estimates of the expected failure frequencies of a new type of
component.
In the risk sciences, it is common to distinguish between “objective risk” and “subjective
risk”. The former concept is in principle fairly unproblematic since it refers to a
frequentist interpretation of probability. The latter concept is more ambiguous. In the
early psychometric literature on risk (from the 1970s), subjective risk was often
conceived as a subjective estimate of objective risk. In more recent literature, a more
complex picture has emerged. Subjective appraisals of (the severity of) risk depend to a
large extent on factors that are not covered in traditional measures of objective risk
(such as control and tampering with nature). If the terms are taken in this sense,
subjective risk is influenced by the subjective estimate of objective risk, but cannot be
identified with it. In the psychological literature, subjective risk is often conceived as the
individual's overall assessment of the seriousness of a danger or alleged danger. Such
individual assessments are commonly called “risk perception”, but strictly speaking the
term is misleading. This is not a matter of perception, but rather a matter of attitudes
and expectations.
TOTAL COST OF RISK
As risk management moves from a tactical approach centered on insurance to a
strategic approach that emphasizes enterprise risk management (ERM), risk managers
and finance executives need to develop new tools to handle the emerging demands
generated by this shift.
The traditional cost-of-risk metrics have served executives well. They tend to focus
on insurance-based aspects of risk, including the price tag for premiums, claims and
administration. But those metrics alone no longer do the job, because they usually omit
the costs of the processes used to manage and reduce risks to acceptable levels. For
example, they ignore expenditures required for setting up the policies and procedures
that will help reduce the number and severity of accidents as well as the opportunity
costs and cost of capital associated with insuring and retaining risk.
A Difficult Path
Developing a new and more relevant cost-of-risk metric is not easy. The biggest problem
is tracking the costs, because it can be difficult to identify specifically what is spent on
managing operational risks.
In addition, there are structural barriers to changing the cost-of-risk calculation. In many
companies, risk is handled by more than one function, with little or no interaction
among the groups. Financial risks rest with the CFO/controller, treasury handles capital
market risks, human risks are the purview of HR, the environmental health and safety
group manages environmental risks, hazard risks are the responsibility of the insurance
risk manager, and business risks stay with operations, for instance. In this environment,
coordinating and measuring the cost of risk becomes more difficult.
A company must commit time and resources to understand all risks and their impact on
each other and only then can a company really understand their true cost and
correlation of risk and what methods they should employ to manage it.
The scope of decision-making is also limited to individual functions. Even risk managers
tend to make coverage decisions in silos by looking at each line of insurance coverage
individually and deciding to retain more property risk because insurance rates for that
line of coverage are expensive.
New ways of measuring and managing the cost of risk involve more than a holistic view
of risk. They will require risk managers to change their mindset. Risk managers need to
stop thinking of themselves as insurance buyers and become a resource to
business groups, helping them manage overall risks: not just physical risks, but business
risks.
Even after companies have gathered the relevant data on a new cost-of-risk metric, they
may find that benchmarking that metric is a challenge. For example, if a company relies
on only one or two suppliers for a key manufacturing component, it will incur one level
of component availability risk by maintaining the status quo and a different amount of
risk by expanding its list of suppliers. However, another company is unlikely to face the
same level of risk because its circumstances may differ.
Whereas traditional cost-of-risk metrics look at past risks and expenditures, this broader
cost-of-risk metric focuses on the future and potential risks that companies could face.
For example, the company's initial assessment includes operational risks that may occur
during the next 12 to 18 months, but the more strategic appraisal through the
organization's strategic planning process and management committee involves risks up
to 10 years in the future. However, there is no set approach to measuring the cost of
risk in this manner.
The first step is to interview senior leaders within the company about "what keeps them
up at night".
Total Cost of Risk
Cost of Risk refers to the sum of all the quantified costs and expenses associated with the
risk management function of an organization.
Components of Cost of Risk
Retained losses include those that the organization has planned for (active)
and those that have inadvertently or unconsciously not been planned for (passive).
Insurance costs include premiums, levies and taxes related to the acquisition of
insurance coverage.
Risk Management department costs include salaries, employee benefits,
administrative charges (travel and training), the Risk Management information system
and management overhead. These costs are specific to the risk management
department.
External Service Fees include fees paid to risk management consultants and to
actuarial, legal, loss control and third party administrators.
Indirect costs include management time spent on loss related activities, loss of
goodwill, overtime costs, damage to brand and penalties for lost contracts.
Benefits of Costs of Risk
1. TCOR plays an important role in guiding management on risk decisions. It
provides clarity on risk management spend and how resources can best be used
effectively while implementing risk management strategies.
2. TCOR enables management to measure progress towards the risk management
objectives.
3. TCOR provides employee and management incentives. When specific risk
objectives and goals are achieved various incentives are triggered and enjoyed by
employees and management.
4. TCOR is instrumental in the pricing of products or services. In the product design
& pricing process, it is usual that the risk department will sign off any new
products after taking into consideration various components of risk allocated to
the product or service.
5. TCOR promotes safety and risk control by communicating the financial impact
of a loss on the organization.
Cost of Risk Computation
Steps to measure the impact of a loss on sales or revenue:
1. Determine the profit margin of the organization
2. Divide the loss cost by the profit margin
The result is the sales or revenue required to pay for the loss.
When evaluating TCOR, remember it’s not just premiums. TCOR also includes self-
insured losses, internal administrative fees, including collateral costs, and outside
vendor fees, broker and third party administrator fees. A reduction in premiums may
actually result in a higher total cost of risk when losses and expenses are completely
factored into your TCOR analysis.
Total cost of risk is easily benchmarked against industry peers. By measuring TCOR
against revenue you’re able to compare your program to similarly situated
companies. Benchmarking provides a great performance measuring stick relative to
how you’re doing against your peers.
TCOR is like a balloon. When you squeeze on one bucket of cost, such as premiums or
broker fees, other areas may start to look outsized, such as losses. By working on one
area of TCOR, it exposes weaknesses in other areas of your risk management program.
This will help you identify problem areas that need additional attention in the coming
year.
Study Questions
1. Differentiate between risk and reward in a business concept.
2. Differentiate between risk tolerance and risk capacity.
3. Explain the three purposes of risk classification system.
4. What factors will affect the risk appetite of an organization?
5. Explain with an example the components of total cost of risk.
CHAPTER 3. SCOPE AND OBJECTIVES OF RISK MANAGEMENT
Introduction
Risk Management is a process that defines loss exposure faced by an organization and
selects the most appropriate techniques for treating such exposures. This chapter looks
at the fundamentals of risk management and steps in the risk management process. This
chapter also looks at contributions and benefits of risk management.
Learning Outcomes
After completing this chapter, you should be able to:
Describe risk management
Understand risk management definitions and basic components
Explain risk management contributions and benefits to business.
Unit structure.
Risk management approach
Risk management definitions and basic concepts
Risk management contributions and benefits
Study Guide.
You are expected to be familiar with the various definitions of risk and the risk concepts
for proper understanding of this chapter.
4.1 RISK MANAGEMENT DEFINITIONS AND BASIC COMPONENTS.
DEFINITIONS
The simplest definition of Risk Management can be: ‘the identification, evaluation,
control and prevention and transfer of a risk.’
Definition
Other commonly quoted definitions include:
a) The protection of assets, earnings, liabilities and people of an enterprise with
maximum efficiency and at minimum cost.
b) The identification and evaluation of the threats to the expectations of an
organization and the development of means whereby the expectations will be
fulfilled in the most efficient manner by removing or reducing those threats.
c) The identification, measurement and economic control of risks that threaten the
assets and earnings of a business or other enterprise.
d) Risk management is the identification, assessment and prioritization of risks
followed by coordinated and economical application of resources to minimize,
monitor, and control the probability and / or impact of unfortunate events or to
maximize the realization of opportunities.
e) Risk management is the process of measuring, or assessing, risk and developing
strategies to manage it. Strategies include avoiding the risk, reducing the negative
effect of the risk, transferring the risk to another party and accepting some or all
of its consequences.
f) Traditional risk management focuses on risk emanating from physical or legal
causes (e.g. natural disasters, or fires, accidents, death and lawsuits.)
g) Financial risk management, on the other hand, focuses on risks that can be
managed using traded financial instruments.
DEFINITION
For non-profit organizations, the definition can read: ‘the identification,
measurement and economic control of risks that threaten the continued provision
of essential goods and services.’
2. Basic components of a risk management process
Which form of definition is appropriate will depend on the situation being examined.
However, basic components of the risk management process shall remain the same viz.
a) Identification: the recognition/anticipation of risks that threaten the assets and
earnings of business enterprises.
b) Evaluation/ measurement/ assessment: estimating the likely probability of risk
occurrence and its likely severity. It should include analysis which involves
understanding the relevance of the risks to the operations of an organization and
measuring the impact and comparing the exposures.
c) Prevention and control: measures to avoid occurrence of risk, limit its severity and
reduce its consequences
d) Financing: determining what the cost of risk is likely to be or might be and ensuring
that adequate financial resources are available
The words ‘economic control’ will always be seen in the Risk management definitions.
What is meant by these words? They mean:
Definition:
‘Adopting measures for economic control that either:
a) Produce a measurable reduction in the cost of risk and / or
b) Reduce noticeably the possibility of catastrophe loss and / or
c) Help to ensure the company’s survival whilst minimizing the overall cost of risk
control
4.2 RISK MANAGEMENT APPROACH
Until a few years ago, risk management for many of us equated roughly with insurance, so
that if a risk was insured, that was effective risk management. The growing awareness and
importance of risk management has brought about a subtle change in the status of the
insurers and the insured alike.
The major factors contributing to bring about such a change are the growing complexities
of industrial and commercial risks, the vast amount of money at stake in terms of assets,
people and potential liabilities.
Risk Management in terms of skills, knowledge and opportunity offers a wider appeal
than simply insurance which is just one link in the risk management process chain.
Before deliberating on Risk Management, it may be worthwhile to note that:
1. It means application of the following general management concepts to a
specialized area.
a) To manage is to forecast and plan, to organize, to command, to coordinate and
to control,
b) To foresee and plan means examining the future and drawing up the plan of
action,
c) To organize means building up the dual structure of the undertaking both
material and human,
d) To find good dependable alternatives, compare the results of these
alternatives, choose among them.
2. Risk management requires preparing plans, organizing materials and individuals,
maintaining activity for the selected objectives, binding together and unifying all
activities and efforts and controlling the activity to ensure that everything occurs
in conformity with established rules.
3. Risk is created by:
a) Activities (technical, scientific, commercial, constructional, manufacturing,
financial, professional, security, charitable, or political)
b) Relationship to people or property
c) Laws and regulations
d) Environmental, physical, social, political
This suggests that what needs to be done with risks is analysis, treatment and financing.
Diagram 1: Steps involved in risk management process
RISK ANALYSIS: Identification; Evaluation
RISK TREATMENT: Elimination; Reduction; Limitation; Transfer
RISK FINANCING: Deductible; Self-insurance
The process of risk management generates both benefits and costs for a particular
organization, for a given community and for the entire economy.
For an organization such benefits include reduced costs of risks, lowered adverse
effects from exposure to losses, reduced waste of resources and improved
allocation of productive capabilities.
4. Managing risks within a company implies a threefold approach:
a) Formal system of risk threat
i) Identification/anticipation,
ii) Measurement/evaluation/assessment,
iii) Control,
iv) Recording information and decisions,
v) Monitoring results.
b) Adopting measures for economic control that either
i) Produce a measurable reduction in overall cost of risk,
ii) Noticeably reduce the possibility of both everyday working risks and
catastrophe loss and / or,
iii) Help to ensure the company’s survival whilst minimizing the cost of risk
control.
c) Establishing management responsibilities for risk.
The potential for applying risk management is very wide. Apart from the
insurable risk area it includes:
I. Commercial risks - evaluating the trade-off between risk and return,
II. Political risks - recognizing threats in the environment and keeping the
company in balance,
III. Social risks - dealing with risk problems in a social context,
IV. Project risks - ensuring on-time, on-budget performance,
V. IT risks - the special vulnerabilities in IT operations,
VI. Military risks,
VII. Personal risks - handling various threats to the individual.
Application of each area will require analysis of the physical situation and
consideration of both the motivation and attitudes of the parties involved.
One of the biggest issues in practical risk management is the reluctance to
organizational competence and objective. This means that it is difficult to solve
risk problems in a badly managed company and that any risk management
activity may create considerable conflict.
4.3) RISK MANAGEMENT CONTRIBUTIONS AND BENEFITS TO BUSINESS
1. Possible contributions of risk management to a business
These can be broadly summarized as under:
a) Risk Management can make the difference between survival and failure
b) Profits can be improved by reducing expenses as well as increasing income.
c) Risk management can contribute directly to business profits in at least six
ways:
I. If a business has successfully managed its pure risks, the peace of mind and
confidence gained permits it to investigate and assume attractive
speculative risks that it might otherwise seek to avoid.
II. By alerting to the pure risk aspects of speculative ventures, risk
management improves the quality of the decisions regarding such ventures.
III. Once a decision is made to assume a speculative venture, proper handling
of the pure risk aspects permits the business to handle the speculative risk
more wisely and more efficiently.
IV. Risk management can reduce the fluctuations in annual profits and cash
flows.
V. Through advance preparations, risk management can, in many cases, make
it possible to continue operations following a loss, thus retaining customers
or suppliers who might otherwise turn to competitors.
VI. Creditors, customers and suppliers, all of whom contribute to a company’s
profit, prefer to do business with a firm that has sound protection against
pure risks. Employees also prefer to work for such firms.
Peace of mind made possible by sound management of pure risks may itself
be a valuable non-economic asset because it improves the physical and
mental health of the management and owners.
The risk management plan may also help others, such as employees, who
would be affected by loss to the firm. Risk management can also help satisfy
the firm’s sense of social responsibility or desire for a good image.
2. Benefits of risk management to a business
An effective risk management practice does not eliminate risks. Risk
management provides a clear and structured approach to identifying risks and
minimizing their negative impact on different aspects of a business activity. Risk
management has other benefits for an organization, including:
a) Saving resources: time, assets, income, property and people are all
valuable resources that can be saved if fewer claims occur.
b) Protecting the reputation and public image of the organization.
c) Preventing or reducing legal liability and increasing the stability of
operations.
d) Protecting physical, human and intellectual assets from bodily injury and
damage.
e) Protecting the environment.
f) Enhancing the ability to prepare for various circumstances.
g) Reducing liabilities.
h) Assisting in clearly defining insurance needs.
The various benefits of risk management can be broadly summarized in the
following diagram
Diagram 2: Potential benefits of risk management
Risk Management Potential Benefits:
Quick grasp of new opportunities
Support strategic and business planning
Enhance communication between departments and faculties
Reassurance of stakeholders
Support effective use of resources
Fewer shocks and unwelcome surprises
Promotes continual improvement
Helps focus internal audit programme
Example
Joel, age 38, is the general manager of five fast food restaurants in Kampala,
Kabalagala. Employee turnover is high, several employees have been fired for
stealing money, and several restaurants have been robbed and burglarized
repeatedly during the past three years. The company has also been fined by the
government for employing undocumented workers. The company’s accountant
recommends that the firm establish a risk management program to deal with
these problems. Risk management is a process that identifies the loss
exposures faced by a firm and uses a number of methods, including insurance,
to treat the exposures. After implementing the program, the restaurant
experienced dramatic results. Employee thefts declined sharply, robberies and
burglaries at the problem restaurant were reduced, employee turnover
declined, and the restaurant’s profit margin showed significant improvement.
The above example shows how a business firm benefited from its risk
management program. Other organizations have also recognized the merits of
a formal risk management program. Today, risk management is widely used by
corporations, small employers, non-profit organizations, and state and local
governments. Students can also benefit from a personal risk management
program.
In this chapter, the first of two dealing with risk management, we discuss
the fundamentals of traditional risk management. The following chapter
discusses the newer forms of risk management that are rapidly emerging,
including enterprise risk management and financial risk management. In this
chapter, we discuss the meaning of risk management, objectives of risk
management, steps in the risk management process, and the various
techniques for treating loss exposures. The chapter concludes with a discussion
of personal risk management.
CASE APPLICATION
Pioneer City Bus Corporation provides school bus transportation to private and
public schools in town.
City Bus owns 50 buses that are garaged in three different cities within the
county. The firm faces competition from two larger bus companies that operate
in the same area. Public school boards and private schools generally award
contracts to the lowest bidder, but the level of service and overall performance
are also considered.
a) Briefly describe the steps in the risk management process that should be
followed by the risk manager of City Bus.
b) Identify the major loss exposures faced by City Bus.
c) For each of the loss exposures identified in (b), identify a risk management
technique that could be used to handle the exposure.
d) Describe several sources of funds for paying losses if retention is used in the
risk management program.
e) Identify other departments in City Bus that would also be involved in the
risk management program.
Study Questions
1. What is the meaning of risk management?
2. Describe the steps in the risk management process.
3. Explain the following risk-control techniques:
a) Avoidance
b) Loss Prevention
c) Loss Reduction
4. What is a formal system of risk threat?
5. Explain five benefits of risk management to a business.
CHAPTER 4: STRATEGIC RISK AND RISK MANAGEMENT STRATEGIES
Introduction
Once risk factors have been identified, organizations need to go through the process of
implementing various risk responses. Risk management requires that at various stages
of the product and service, risk strategies are adopted and implemented to enable
organizations to meet their goals and objectives.
In this chapter we shall take a deep dive into strategic risk and implementation of risk
strategies.
Learning objectives
1. To develop an understanding of risk management strategy
2. To develop an understanding of the strategic risk management
3. To develop an understanding of use of risk map
4. Explain the role of risk manager
5. To develop an understanding and application of risk profiling
RISK MANAGEMENT STRATEGY
As noted by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), “In the aftermath of the financial crisis, executives and their boards realize that
ad hoc risk management is no longer tolerable and that current processes may be
inadequate in today’s rapidly evolving business world.” However, especially for
nonfinancial companies that may be relatively new to these topics, enhancing risk
management can be a somewhat daunting task.
This topic focuses on two key aspects of the relationship between risk and strategy: (1)
understanding the organization’s strategic risks and the related risk management
processes, and (2) understanding how risk is considered and embedded in the
organization’s strategy setting and performance measurement processes. These two
areas not only deserve the attention of boards, but also fit closely with one of the primary
responsibilities of the board: risk oversight.
The Advent of Strategic Risk Management
Enterprise risk management (“ERM”) and risk management in general can encompass a
wide range of risks that face any organization. Some risks may reflect exposures that,
although harmful, will not threaten the overall health of an organization or its ability to
ultimately meet its business objectives. For example, a temporary data center outage can
result in a short-term problem or customer dissatisfaction, but once recovered, the
organization can quickly be back on track. Other more significant risk events can be
catastrophic, resulting in losses that can not only impair an organization’s ability to meet
its objectives, but may also threaten the organization’s survival. The recent credit crisis is
an example of this type of risk. These more significant risk exposures have given rise to a
focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those
risks that are most consequential to the organization’s ability to execute its strategies and
achieve its business objectives. These are the risk exposures that can ultimately affect
shareholder value or the viability of the organization. “Strategic risk management” then
can be defined as “the process of identifying, assessing and managing the risk in the
organization’s business strategy—including taking swift action when risk is actually
realized.” Strategic risk management is focused on those most consequential and
significant risks to shareholder value, an area that merits the time and attention of
executive management and the board of directors.
Standard & Poor’s included the following attributes for strategic risk management in its
2008 announcement that it would apply enterprise risk analysis to corporate ratings:
1. Management’s view of the most consequential risks the firm faces.
2. Their likelihood and potential effect.
3. The frequency and nature of updating the identification of these top risks.
4. The influence of risk sensitivity on liability management and financial decisions.
5. The role of risk management in strategic decision making.
Clearly the potential impact of strategic risks is significant enough to deserve the
attention of the board and its directors.
Strategic Risk Management and the Role of the Board
At the board level, strategic risk management is a necessary core competency. In Ram
Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of
the questions posed is “Are we addressing the risks that could send our company over
the cliff?” According to Charan, boards need to focus on the risk that is inherent in the
strategy and strategy execution:
Risk is an integral part of every company’s strategy; when boards review strategy, they
have to be forceful in asking the CEO what risks are inherent in the strategy. They need
to explore ‘what ifs’ with management in order to stress-test against external conditions
such as recession or currency exchange movements.
Regarding risk culture, Charan provides the following insight: “Boards must also watch for
a toxic culture that enables ethical lapses throughout the organization. Companies set
rules—but the culture determines how employees follow them.” We believe that
corporate culture plays a significant role in how well strategic risk is managed and must
be considered as part of a strategic risk assessment.
Understanding an Organization’s Strategic Risks and Related Risk Management
Processes
A necessary first step for boards to understand their strategic risks and how management
is managing and monitoring those risks is a strategic risk assessment. A strategic risk
assessment is a systematic and continual process for assessing the most significant risks
facing an enterprise. It is anchored and driven directly by the organization’s core
strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps
pinpoint the most relevant information that might serve as an effective leading indicator
of an emerging risk.”
Conducting an initial assessment can be a valuable activity and should involve both senior
management and the board of directors. Management should take the lead in conducting
the assessment, but the assessment process should include input from the board
members and, as it is completed, a thorough review and discussion between
management and the board. These dialogues and discussions may be the most beneficial
activities of the assessment and afford an opportunity for management and the directors
to come to a consensus view of the risks facing the company, as well as any related risk
management activities.
The strategic risk assessment process is designed to be tailored to an organization’s
specific needs and culture. To be most useful, a risk management process and the
resultant reporting must reflect and support an enterprise’s culture so the process can be
embedded and owned by management. Ultimately, if the strategic risk assessment
process is not embedded and owned by management as an integral part of the business
processes, the risk management process will rapidly lose its impact and will not add to or
deliver on its expected role.
The Strategic Risk Assessment Process
There are seven basic steps for conducting a strategic risk assessment:
1. Achieve a deep understanding of the strategy of the organization
The initial step in the assessment process is to gain a deep understanding of the
key business strategies and objectives of the organization. Some organizations
have well developed strategic plans and objectives, while others may be much
more informal in their articulation and documentation of strategy. In either case,
the assessment must develop an overview of the organization’s key strategies and
business objectives. This step is critical, because without these key data to focus
around, an assessment could result in a long laundry list of potential risks with no
way to really prioritize them. This step also establishes a foundation for integrating
risk management with the business strategy. In conducting this step, a strategy
framework could be useful to provide structure to the activity.
2. Gather views and data on strategic risks
The next step is to gather information and views on the organization’s strategic
risks. This can be accomplished through interviews of key executives and directors,
surveys, and the analysis of information (e.g., financial reports and investor
presentations). This data gathering should also include both internal and external
auditors and other personnel who would have views on risks, such as compliance
or safety personnel. Information gathered in Step 1 may be helpful to frame
discussions or surveys and relate them back to core strategies. This is also an
opportunity to ask what these key individuals view as potential emerging risks that
should also be considered.
3. Prepare a preliminary strategic risk profile
Combine and analyze the data gathered in the first two steps to develop an initial
profile of the organization’s strategic risks. The level of detail and type of
presentation should be tailored to the culture of the organization. For some
organizations, simple lists are adequate, while others may want more detail as part
of the profile. At a minimum, the profile should clearly communicate a concise list
of the top risks and their potential severity or ranking. Color coded reports or
“heat-maps” may be useful to ensure clarity of communication of this critical
information.
4. Validate and finalize the strategic risk profile
The initial strategic risk profile must be validated, refined, and finalized. Depending
on how the data gathering was accomplished, this step could involve validation
with all or a portion of the key executives and directors. It is critical, however, to
gain sufficient validation to prevent major disagreements on the final risk profile.
5. Develop a strategic risk management action plan
This step should be undertaken in tandem with Step 4. While significant effort can
go into an initial risk assessment and strategic risk profile, the real product of this
effort should be an action plan to enhance risk monitoring or management actions
related to the strategic risks identified. The ultimate value of this process is helping
and enhancing the organization’s ability to manage and monitor its top risks.
6. Communicate the strategic risk profile and strategic risk management action
plan
Building or enhancing the organization’s risk culture is a communications effort
with two primary focuses. The first focus is the communication of the
organization’s top risks and the strategic risk management action plan to help build
an understanding of the risks and how they are being managed. This helps focus
personnel on what those key risks are and potentially how significant they might
be. A second focus is the communication of management’s expectations regarding
risk to help reinforce the message that the understanding and management of risk
is a core competency and expected role of people across the organization. The risk
culture is an integral part of the overall corporate culture. The assessment of the
corporate culture and risk culture is an initial step in building and nurturing a high
performance, high integrity corporate culture.
7. Implement the strategic risk management action plan
As noted above, the real value resulting from the risk assessment process comes
from the implementation of an action plan for managing and monitoring risk.
These steps define a basic, high-level process and allow for a significant amount of
tailoring and customization to reflect the maturity and capabilities of the
organization. As shown by Figure 1, strategic risk assessment is an ongoing process,
not just a one-time event. Reflecting the dynamic nature of risk, these seven steps
constitute a circular or closed-loop process that should be ongoing and continual
within the organization.
Integrating Strategic Risk Management in Strategy Setting and Performance
Measurement Processes
The second step for an organization is to integrate strategic risk management into its
existing strategy setting and performance measurement processes. As discussed above,
there is a clear link between the organization’s strategies and its related strategic risks.
Just as strategic risk management is an ongoing process, so is the need to establish an
ongoing linkage with the organization’s core processes to set and measure its strategies
and performance. This would include integrating risk management into strategic planning
and performance measurement systems. Again, the maturity and culture of the
organization should dictate how this is performed. For some organizations, this may be
accomplished through relatively simple processes, such as adding a page or section to
their annual business planning process for the business to discuss the risks it sees in
achieving its business plan and how it will monitor those risks.
For organizations with more developed performance measurement processes, the
Kaplan-Norton Strategy Execution Model described in The Execution Premium may be
useful.
This model describes six stages for strategy execution and provides a useful framework
for visualizing where strategic risk management can be embedded into these processes.
Stage 1: Develop the strategy
This stage includes developing the mission, values, and vision; strategic analysis; and
strategy formulation. At this stage, a strategic risk assessment could be included using the
Return Driven Strategy framework to articulate and clarify the strategy and the Strategic
Risk Management framework to identify the organization’s strategic risks.
Stage 2: Translate the strategy
This stage includes developing strategy maps, strategic themes, objectives, measures,
targets, initiatives, and the strategic plan in the form of strategy maps, balanced
scorecards, and strategic expenditures. Here, the strategic risk management framework
would be used to develop risk-based objectives and performance measures for balanced
scorecards and strategy maps, and for analyzing risks related to strategic expenditures.
At this stage, boards may also want to consider developing a risk scorecard that includes
key metrics.
Stage 3: Align the organization
This stage includes aligning business units, support units,
employees, and boards of directors. The Strategic Risk Management Alignment Guide and
Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for
aligning risk and control units toward more effective and efficient risk management and
governance, and for linking this alignment with the strategy of the organization.
Stage 4: Plan operations
This stage includes developing the operating plan, key process improvements, sales
planning, resource capacity planning, and budgeting. In this stage, the strategic risk
management action plan can be reflected in the operating plan and dashboards, including
risk dashboards. Organizations ideally should develop a “resources follow risk” philosophy
to make certain that resources are appropriately and efficiently allocated. This
philosophy focuses on ensuring that resources used in risk management are justified
economically based on the relative amount of risk and cost-benefit analysis.
Stage 5: Monitor and learn
This stage includes strategy and operational reviews. “Strategic risk reviews” would be
part of the ongoing strategic risk assessment, which reinforces the necessary continual,
closed-loop approach for effective strategy risk assessment and strategy execution.
Stage 6: Test and adapt
This stage includes profitability analysis and emerging strategies. Emerging risks can be
considered part of the ongoing strategic risk assessment in this stage. The strategic risk
assessment can complement and leverage the strategy execution processes in an
organization toward improving risk management and governance.
For more information about integrating risk management in the strategy execution model
and a discussion of risk scorecards, see “Risk Management and Strategy Execution
Systems.”
Final Thoughts: Moving Forward with Strategic Risk Management
Management teams and boards must challenge themselves and their organizations to
move up the strategic risk management learning curve. Developing strategic risk
management processes and capabilities can provide a strong foundation for improving
risk management and governance. Boards may want to consider engaging independent
advisors to advise and educate themselves on these matters. For organizations that are
early in this process, the seven keys to success for improving ERM as described in a 2011
COSO Thought Leadership Paper may be useful, and are applicable in strategic risk
management:
1. Support from the top is a necessity
2. Build ERM using incremental steps
3. Focus initially on a small number of top risks
4. Leverage existing resources
5. Build on existing risk management activities
6. Embed ERM into the business fabric of the organization
7. Provide ongoing ERM updates and continuing education for directors and
senior management[13]
However the board decides to proceed, their leadership, direction, and overall oversight
will be critical to the success of a strategic risk management process.
RISK MANAGEMENT RESPONSES
Once risks have been identified, organizations need to choose a strategy for dealing
with each risk. The organization will choose one or more of the following approaches for
dealing with the risks it decides to manage:
a) Avoidance
i) Totally eliminating an activity or exposure
ii) Issues arising with avoidance are:
1) It may be difficult to sell to management due to conflicting with the
goals and affecting profits
2) It may be a core process that defines the organization’s values
3) The risk manager may lack the appropriate decision making
b) Prevent
i) Reduce frequency of types of claims that cannot be eliminated.
ii) Actions taken to break the sequence of events make the event less
likely
iii) Allow an entity to engage in activities that would otherwise be avoided
c) Reduce
i) Reduce the severity of financial impact of the loss that is not prevented
ii) Pre-loss actions to prevent such as fire prevention equipment
iii) Post-loss such as claims administration
d) Duplicate/segregate/separate
i) The goal is to reduce overall severity
ii) Segregate: isolation of an exposure from other exposures, perils &
hazards, such as specialized access or fire suppression equipment in a
computer room
iii) Separate: the spread of various exposures over various locations, such
as a standby generator in a different location
iv) Duplicate: the use of backups for critical processes not exposed to the
same loss
e) Transfer
i) The purpose is to transfer part or all of the risk to another party
ii) Physical transfer shifts part of an operation to another outside party
iii) Contractual transfer shifts responsibility or liabilities to another outside party
CONSIDERATIONS WHEN FORMULATING AND IMPLEMENTING RISK STRATEGIES
When tasked with supporting a specific risk management objective, a risk manager can
adopt a number of approaches and considerations. Below are a few considerations to
take into account:
It is usually difficult to demonstrate risk management value through traditional
investment metrics (return on investment, return on equity, return on assets, or
risk-adjusted return on capital), yet many companies make the business case.
Concepts such as shareholder value, risk mitigation, process
consolidation and silo elimination can drive the point home.
What value is the organization trying to create, as well as protect? Is it simply
increased share price? Or is it reducing volatility to enable a more efficient use of
capital? Or perhaps, for non-profits, is it delivering more services to a broader
constituency?
Whether value is expressed as market share, profit, service provision, donor
levels, social impact or some other benefit, how do the risk management
competencies advance the organization’s mission and related objectives? In
other words, what business need will be met through a structured risk
management approach?
Many organizations already have controls in place for widely understood risks,
such as business disruption, environmental liability or worker injuries. It is likely
that the individuals responsible for these controls also conduct risk assessments.
While this is not risk management, it is a start.
And understanding what your organization is already doing allows you to
leverage existing practices within a broader RM environment.
Additionally, having a common, collective understanding concerning which risks
should be accepted, avoided, transferred (or shared), mitigated or exploited can
reduce organizational dissonance about what is acceptable to the organization’s
stated objectives.
Many parts of the organization have a legitimate stake in the discussion, and they
can become either powerful allies or forceful detractors. The “power of one”
comes into play in recruiting those who can make a positive difference in your
implementation.
Go for the quick wins. Don’t try to cover every possible risk. Start with those that
matter most for the success of your organization’s strategic objectives. By
identifying and analyzing the risks that may have a material impact on the ability
to execute strategy, the odds of creating value quickly are much higher. If you
prioritize by risk criteria—severity, importance or speed to onset—action plans
can be executed immediately and revisited to validate the chosen responses.
Understanding which risk criteria are important to leadership creates an
opportunity for frank discussions about just how much risk the organization
wishes to pursue, both for specific objectives and in the aggregate. These
leadership discussions tend to reveal where the organization may be culturally
when it comes to risk-taking or risk aversion. Overall, this exercise can go a long
way towards establishing a barometer of the organization’s risk appetite.
Delegate “fixes” to risk owners. Who will do something about the risks? The
obvious answer is whoever is accountable for managing the business functions
most closely associated with those material risks. For example, a chief
information officer may be accountable for managing risks associated with
potential data breaches.
Not all risks can be neatly compartmentalized, however. Risks such as
unauthorized social media releases may not find a “natural” owner, but a specific
individual still needs to be named. There always should be one identified owner
held accountable for the risk management plan decisions and execution. This
person will likely need to rely on others to make the plan work and manage
interconnected risks, but naming an individual risk “owner” will help move the
chosen response plan to action.
Report on progress - The risk owners should be reporting in their normal business
updates on key issues, such as the material risk outcome target, specific activities
that have taken place since the last report, challenges in executing the risk plan,
and a trend assessment in the risk profile against the targeted outcome. Periodic
reports to senior management on RM program progression might include
progress related to milestones for specific RM objectives.
PRE AND POST LOSS ORGANIZATION OBJECTIVES
An organization needs to continually plan how to manage risk factors before and
even after they materialize into an incident or claim.
The pre-loss goals include:
1. Economy of operations – ensuring that all processes and procedures are
documented and risks facing any operations have been identified and treated.
2. Legality of operations – ensuring that all operations are within the legal and
regulatory framework.
3. People focus – focus on people as being critical factors for the running of the
organization.
The key risk management goal is to obtain full management support and commitment
to the crisis management program.
The post-loss goals include:
1. To restore and/or maintain operations.
2. To sustain profits and earnings.
3. The organization needs to work towards growth.
4. The organization needs to maintain a good public image.
The risk management goal is to effectively and economically minimize the operational
and financial impact of a crisis.
ROLE OF RISK MANAGER
Risk managers advise organizations on any potential risks to the profitability or
existence of the company. They identify and assess threats, put plans in place to avoid,
reduce or transfer risks.
Risk managers are responsible for managing the risk to the organization, its employees,
customers, reputation, assets and interests of stakeholders.
They may work in a variety of sectors and may specialize in a number of areas including:
Enterprise risk
Corporate governance
Regulatory and operational risk
Business continuity
Information and security risk
Technology risk
Market and credit risk
Responsibilities of Risk Manager
The key responsibilities of the risk manager include;
1. Planning, designing and implementing an overall risk management process for
the organization.
2. Risk assessment, which involves analyzing risks as well as identifying, describing
and estimating the risks affecting the business.
3. Risk evaluation, which involves comparing estimated risks with criteria
established by the organization such as costs, legal requirements and
environmental factors, and evaluating the organization’s previous handling of
risks.
4. Establishing and quantifying the organization’s 'risk appetite', i.e. the level of risk
they are prepared to accept.
5. Risk reporting in an appropriate way for different audiences, for example, to the
board of directors so they understand the most significant risks, to business
heads to ensure they are aware of risks relevant to their parts of the business and
to individuals to understand their accountability for individual risks.
6. Corporate governance involving external risk reporting to stakeholders.
7. Carrying out processes such as purchasing insurance, implementing health and
safety measures and making business continuity plans to limit risks.
8. Conducting audits of policy and compliance to standards, including liaison with
internal and external auditors.
9. Providing support, education and training to staff to build risk awareness within
the organization.
What skills should a risk manager possess?
1. Analytical skills.
2. Strong interpersonal skills.
3. Strong communication skills.
4. Negotiation skills.
5. Forward looking- This requires balancing insight from internal and external
providers, and using benchmarks to signpost opportunities and potential near-
term threats
THE CHANGING ROLE OF THE RISK MANAGER
1. Digital – a great change driver
Technological change is a powerful factor behind the changing role of the risk
manager. Related hazards include the growing menace of cybercrime and the
potential repercussions of security breaches and customer data loss. But today’s
corporate risk managers are also increasingly being consulted about technology
in a wider sense with respect to the risks of innovation and digital disruption, as
well as the business opportunities that well-managed technology can create.
2. Data – the great differentiator
Mastering data is critical for the future of the risk management profession. Risk
managers overwhelmingly believe that the use of data will transform the
function.
It is starting to do so now, as many risk professionals use analytics to inform such
practices as horizon scanning and scenario planning. Challenges abound,
however, particularly in obtaining accurate risk information and data.
3. Innovators and futurists.
In the past, risk management and innovation have to some extent been
perceived as being mutually exclusive. Risk managers know this perception is
changing, agreeing that “good risk managers must also be innovators” – in the
practice of risk management itself and in their support of other business
functions. Risk managers must also be forward-looking.
4. Expanding the range of expertise is imperative.
Gaining acceptance as a business partner requires the development of skills
beyond the traditional risk management remit. Knowledge of digital technology
and data is one, but so is the ability to communicate effectively with the board,
CEO and CFO as well as with line managers.
5. Professionalization
This is key to cementing hard-earned influence. Professional standards for risk
management are advancing, but practitioners believe certification is necessary
for the future of their profession. One outcome will be better training and more
learning materials for addressing the newer themes that risk.
Formerly associated with rules and control, the risk managers are increasingly and
encouragingly regarded as key business partners with the ability to influence strategic
decisions across the organization. And, if they aren’t considered as such today, then
they will need to be in the future.
This transition has major consequences for the future of the role:
• Risk managers are being called upon to support strategic growth;
• They are engaging in more frequent dialogue at board level;
• They are facing a growing number of complex, interrelated risks, many of which
are exacerbated by globalization;
• They are adopting a more forward-looking approach than in the past;
• This calls for greater diversity among practitioners.
RISK PROFILING
A Risk Profile describes an organization’s key risks, which include both threats and
opportunities. Risk is the expression of the likelihood and impact of an event with the
potential to affect the achievement of an organization’s objectives.
Use of Risk Profiles
1. A Risk Profile enhances senior management’s analysis and decision making
related to priority setting and resource allocation.
2. A Risk Profile also provides staff, external partners, and advisors with a clear
'snapshot' of the organization’s key risks and, when implemented, can help
identify areas of efficiency and potential opportunity.
3. A risk profile supports strategic priority setting and resource allocation,
informed decisions with respect to risk tolerance, and improved results.
4. A risk profile is important in building the corporate view of risks, information
and knowledge at both the corporate and operational levels and assists
organizations in understanding the range of risks they face, their likelihood and
their potential impacts.
5. In addition, a risk profile identifies and assesses the organization’s existing
risk management capacity and capability. Obtaining an understanding of the
organization’s risk management capacity and capability will inform the Risk
Profile development process and enrich the contextual analysis.
As is the case with other risks identified on an ongoing basis, once key risks are
documented, the key focus is to integrate risk information into existing departmental
governance structures and planning and reporting cycles in a way that is simple and that
can communicate key risks effectively.
How an organization presents its corporate risks differs from organization to
organization; however, all Risk Profiles include fundamental qualities that make them a
valuable management tool.
A Risk Profile identifies risks that affect the achievement of objectives.
Risks, including threats and opportunities, must be forward looking and relate to
future uncertainty. A risk is not a business condition or a current issue or
problem. Sometimes, reoccurring issues may be interpreted as risks. In this
instance, organizations should identify the risks associated with managing those
reoccurring issues, rather than describing the issues themselves.
A Risk Profile must reflect the organization’s particular circumstances and
objectives. It should reflect the current business conditions of the organization
as well as the size of the organization and the complexity of its mandate.
A Risk Profile should be presented in a balanced way with enough detail to provide
context and a clear description of risks, including how these risks are being
managed within the organization. There should not be so much detail that it
overwhelms the reader or is not easily used to support effective decision-making.
Depending on the organization’s preference, this information may be outlined in this
section of the Corporate Risk Profile or separately.
The sections are:
Key Risks; and
Key Risk Matrix.
Key Risks
This section identifies the key risks to which the organization is exposed and provides a
description of each risk. This section also provides an overview of the risks to which
senior management should divert most of their attention and gives staff, external
partners and advisors a clear 'snapshot' of the organization’s key risks. Top risks should
be listed according to their residual risk exposure. Risks should be labelled or named
and accompanied by a risk description.
Key Risk Matrix
The Risk Matrix is a tool that illustrates the ranking of risks based on an assessment of
their likelihood and impact. The size of the matrix will depend on the organization’s
preference; some organizations use a 3x3 matrix while others use a 5x5 matrix.
Organizations are encouraged to select a matrix size according to their needs and
translate between matrices if required.
Given that the matrix demonstrates visually how each risk is ranked in accordance with
likelihood and impact criteria, and where risks stand in relation to other risks, it is
considered essential.
Risk  Category            Risk Description
1     Legal               There is a risk that insufficient legal and drafting support will be available to the program.
2     HR Capacity         There is a risk that there will be insufficient HR capacity for research.
3     Program Delivery    There is a risk that research quality will diminish.
4     Project Design      There is a risk that project design will not meet stakeholder and industry requirements.
5     Business Processes  There is a risk that contractual instruments will be used inappropriately.
STRATEGY MAP
An organization must clearly map mission, vision, and strategy in order to determine
what they want to accomplish. A strategy map is a one-page illustration that shows
what the organization hopes to accomplish in terms of the customer, financial, and
societal goals, and how it will achieve desired results using processes and resources. A
strategy map should include the following perspectives:
1. Financial – defines how much and what type of value the organization must
create to satisfy shareholders and stakeholders
2. Customer – describes the value proposition the firm promises to deliver to its
customers and why customers should buy from the organization, rather than rival
competitors
3. Process – describes how the organization will efficiently and effectively deliver
value promised to customers
4. Learning and Growth – clearly describes the resources that enable the
organization’s employees to efficiently and effectively perform internal
processes.
Identify Risks using the Strategy Map
Since the strategy map describes initiatives the firm must successfully complete in order
to achieve the best possible outcome for shareholders and stakeholders, it can be used
to identify potential risks.
Categories of risks that should be assessed include:
Customer perspective – external events that may decrease the attractiveness of
the organization’s value for current and potential customers
Process perspective – events that may prevent the organization from creating
value promised to consumers
Learning and growth perspective – events that impair intangible human,
organizational, and informational resources that the organization relies on to
successfully complete internal processes
Assess Risks
Risks should be ranked based on financial impact and likelihood of occurrence. This
assessment will place risk events in one of four risk response categories:
1. Mitigate risk – activities with a high likelihood of occurring, but financial impact is
small. The best response is to use management control systems to reduce the risk
of potential loss.
2. Avoid risk – activities with a high likelihood of loss and large financial impact. The
best response is to avoid the activity.
3. Transfer risk – activities with low probability of occurring, but with a large
financial impact. The best response is to transfer a portion or all of the risk to a
third party by purchasing insurance, hedging, outsourcing, or entering into
partnerships.
4. Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher
than cost to bear the risk, then the best response is to accept and continually
monitor the risk.
Design a Risk-based Management Control System
Organizations should employ a comprehensive framework to enhance the
execution of strategies. Based on Simons’ (2000) “Levers of control” framework,
five controls should be engaged to manage risk:
Diagnostic controls – communicates to employees what activities lead to strategy
execution and reports if they were successfully completed
Boundary controls – constrains employee activities by making it clear what
actions are unacceptable
Belief controls – outlines what the organization stands for and inspires and
motivates employees to make a difference
Internal controls – ensures accurate record keeping, safeguards the
organization’s assets, and enhances compliance with laws and regulations
Use levers to control and manage risk – ensures that the organization is properly
mitigating, avoiding, transferring, and accepting risks
Management should regularly monitor the risks to ensure that the management control
system is working, as well as the appropriateness of the organization’s strategy.
Strategic execution capabilities will be improved by integrating strategy mapping with
control, compliance, and risk management activities. A risk-based control system
enhances management’s ability to properly manage risks, threats, and opportunities in
order to achieve the organization’s strategic plan.
Risk Mitigation Strategies
General guidelines for applying risk mitigation handling options are shown in the figure
below. These options are based on the assessed combination of the probability of
occurrence and severity of the consequence for an identified risk. These guidelines are
appropriate for many, but not all, projects and programs.
Questions
1. Describe three pre and post loss goals in risk management.
2. Explain three risk responses in the insurance sector.
3. What are the responsibilities of a risk manager?
4. Develop a risk profile for a typical insurance company.
5. Discuss the use of a risk profile.
CHAPTER 5.0 IDENTIFYING AND ANALYZING LOSS EXPOSURES
Introduction
Risk identification is the most important step of risk management because exposures
need to be identified for them to be effectively analyzed, controlled or financed.
Risks must be identified for them to be managed or treated. The identification process
will focus on the internal and external environment from which an organization carries
out its business. In this chapter we discuss a number of risk identification techniques
and how these can be applied to loss exposure analysis.
Learning objectives
1. Develop an understanding and application of risk identification techniques
2. Develop an understanding of the risk analysis process.
3. Develop an understanding of the various risk analysis tools
TYPE OF RISK IDENTIFICATION TECHNIQUES
When carrying out the risk identification process, the organization may choose from the
following analyses:
Source analysis
Risk sources may be internal or external to the system that is the target of risk
management (use mitigation instead of management since by its own definition
risk deals with factors of decision-making that cannot be managed). Examples of
risk sources are: stakeholders of a project, employees of a company or the
weather over an airport.
Problem analysis
Risks are related to identified threats. For example: the threat of losing money, the
threat of abuse of confidential information or the threat of human errors,
accidents and casualties. The threats may exist with various entities, most
importantly with shareholders, customers and legislative bodies such as the
government.
Risk can be identified using the following methods;
a. Check list and survey
Purpose: systematically using a check list to identify as many exposures
and hazards as possible.
Method: Use of information gathering documents
Strengths
Standardized
Used by non-risk management personnel with minimal required
training
Information can be classified and tabulated
Provides a history
Weaknesses
Cannot cover all areas or operations
Provide limited financial impact
Does not prioritize exposures
May not identify new exposures
Types of Check lists and survey
I. Preliminary survey list- gathers general information about the
organization such as ownership, structure, personnel and activities.
II. Asset checklist- identifies all physical and tangible assets
Strengths:
Identifies all resources and capacities
Identifies often overlooked assets
Weaknesses
Seldom addresses liability exposures
Requires frequent updating
May use various valuation estimates
III. Activity Checklist- used for liability and human resources
Strengths
Provides thought process for loss prevention
Evaluates equipment, personnel and operations functioning
together
Identifies often overlooked activities
Weaknesses
Tends to be too detailed
Does not identify financial impact
Operations and activities may vary by locale.
IV. Perils list – identifies original cause of loss – Human, Economic &
Natural Perils
Strengths
Provides a list of possible loss causes
Uses insurance nomenclature
Identifies often overlooked perils
Weakness
New perils are not addressed
Upper management skepticism
Can be overlapping
V. Industry check list- specific to a certain operation or industry
Strengths:
Germane to specific exposures and perils
Allows comparison with peers
Utilized by others in the industry
Weaknesses
Focus may be too narrow or generic
May make mistakes of others
Industry may be close-minded
VI. Insurance company check list- Used to identify how a particular
company covers exposures and perils
Strengths
Connects insurance coverage with other check list used to
identify perils
Generally written in easy-to-read language
Readily available by the insurance company underwriter or
marketing
Weakness
Biased towards the insurance company providing the
checklist.
Tends to suggest that other insurance companies do not or
cannot provide the desired coverage or at the same level of
quality
Often does not discuss exclusions and limitations in the same
detail as coverage.
b. Flow chart
Purpose – to depict graphically and sequentially the activities of an
operation or process to identify exposures, perils and hazards
Method: Product Analysis, Site Analysis, Decision Analysis, Dependency
Analysis & Critical path analysis
Strengths
Can illustrate interdependency within the organization
Can easily pinpoint bottlenecks or choke points
Can determine critical paths or critical points
Weakness
Does not indicate frequency and severity
Does not show minor processes with major loss potential
Limited applicability to liability exposures
Too process oriented
c. Insurance Policy Review
Purpose: used to identify exposures and perils
Method: Internal and Outside expert review
Strengths
Many perils are given a precise definition
States what is specifically covered
States what is specifically not covered
Weaknesses
Policies are not standardized
Difficult to analyze before a loss
Case law may disregard what policy says
Addresses exposures covered by the policy
d. Physical Inspection
Purpose- information visits to the organization’s critical sites to identify
exposure, perils and hazards
Method
1. Internal – Safety department, operation personnel, risk
management
2. External – Regulatory agencies, consultants, insurance carriers,
community services
Strengths
Personal On-site inspection
Visualization of processes, locations
May find unreported hazards or assets
Weaknesses
Time consuming and often expensive
Situations always change
Subject to steering by the local personnel
e. Compliance review
Purpose
1. To determine compliance with the regulations and laws
Statutory: Legal and State
2. Professional: Voluntary, Involuntary, Industry & Government
insurance programmes
Method: Key regulations or laws are identified and operations are
reviewed to ascertain compliance.
Strength
Most are free of charge
Provide an outside opinion whether you want it or not
Weaknesses
Laws and regulations have their own problems
Little or no control over compliance evaluation
May focus unwanted attention on organization exposing it to
liability, fines etc
f. Procedure and policies review
Purpose- Used to identify how an organization functions- Organizational
charter and bylaws, Board minutes, Procedure manuals, Employee
manuals, code of ethics, Risk management policies
Method – Internal Review, External Review and Legal Review
Strengths
Key to identifying exposures in the organization
Weaknesses
Organizational politics may prevent effective treatment
g. Contract Review
Purpose- To identify contractual obligations and compliance with
contractual requirements.
Method: Internal Review, External Review and Legal Review
Contracts, Leases, sales contracts, bill of lading, employment contracts,
hold harmless and indemnification agreements, advertising materials,
service contracts, insurance certificates
Strength- May identify “holes” in the risk management
plan
Weaknesses- Involvement of second party may prevent
control of exposures
h. Experts
Purpose- The use of experts to identify exposures, perils and hazards
Method – Internal- Staff/functional & operational External- Specialty and
Industry
Strengths
Saves time
Provides a level of expertise to focus on exposures, perils &
hazards
Weaknesses
External experts can be expensive
May be difficult to find qualified experts
i. Financial Statement analysis
Purpose- to aid in exposure identification and valuation, financial
capabilities & financial based decision making
Method
Evaluation of revenue
Evaluation of expenses
Review of financial statements
- Outside Auditor’s opinion statement
- Notes to the financial statements
- Balance sheet
- Statement of income and expenses
- Cash flow statement
Review of level of indebtedness and outstanding loans
Financial ratios analysis
Strength
Useful in forecasting the financial loss from a specific event
Demonstrate the financial impact of loss on the other areas
of the organization
Serves as the basis for the development of crisis
contingency plans
Weaknesses
Usually does not address business risk
Unable to predict losses from sole or key suppliers and customers
Can lead to manipulation of financial records
j. Loss data Assessment
Purpose- to identify exposures and their valuations based on history
Method
Insurance carrier or third party loss runs
Internal loss runs
Incident and accident reports
Indexing loss information against exposure information
Trend analysis in losses and exposures
Strengths
Can be used for benchmarking
Can be used for forecasting losses
Weaknesses
Since data is historical, this method is reactive rather than
proactive
History does not always repeat itself
Losses may not have occurred in past
Data credibility may be an issue.
General rules applicable to risk identification methods
Risk identification is the most important part in the risk management process
because an unidentified exposure cannot be effectively managed and controlled
Risk is present in every business activity
Risk is not always self-evident
Risks are subject to diagnosis and treatment
A combination of risk identification techniques should be used to diagnose and
identify risk.
Often one method will reveal the greatest number of risks.
QUALITATIVE AND QUANTITATIVE TECHNIQUES
Qualitative Analysis
Refers to the identification and evaluation of broad loss exposures that cannot be easily
measured by traditional statistical and financial methods, to help management
understand their impact on the organization’s ultimate risk and performance.
Qualitative analysis is conducted using questionnaires, surveys and seminars, and with
internal and external groups that are knowledgeable about the organization.
Frequently addresses the following questions: Should we do this? What is the impact on
the organization’s reputation or morale?
Quantitative analysis
Attempts to accurately measure risk using acceptable traditional methodologies that
calculate relative numeric values.
Quantitative analysis is conducted by using analysis of cost, benefits, losses and financial
statements & exposures.
Frequently addresses the following questions; Can we do this? What is the financial
impact?
Qualitative vs Quantitative Analysis
[Figure: Qualitative analysis and Quantitative analysis. Labels: Exposure Analysis, Evaluation/Ranking, Risk Analysis, Decision, Statistical Analysis, Financial Analysis, Management Appetite]
Both quantitative and qualitative analysis are used when:
Valid answers are needed to predict losses and value of claims
Cost and benefits are primary factors in the decision making process
When non-monetary factors are part of the decision making process e.g.
reputation, morale and citizenship.
Measurement tools of qualitative risk exposures
Identification methods should be used to analyze those qualitative risks that have a
potential harmful exposure to the organization although they are not subject to
financial measurements.
Measurement scales depict relative values that are not easily quantified
Critical Risk- assigned to a level to capture their critical nature to the
organization. Losses that could bankrupt the organization, stop operations or
threaten survival
Important Risks – could result in losses that would require the organization to
borrow from external sources.
Less important risks – could result in losses with a low financial impact that would
not harm the organization or could be paid from existing cash flows.
Severity measurement scales – High, Moderate and Low Severity
Probability or frequency measurement scales – High, Moderate & Low
Probability.
There is no one absolute measurement scale; it varies by organization and industry
Areas of qualitative analysis
1. Management Appetite for risk will depend on
a) Company history
b) Long term organizational objectives,
c) stage in the life cycle
d) Established company
e) financial stability
f) Market Maturity
g) Competition and need to take risks
h) public image
i) Management appetite to take on risk versus the financial ability
2. Innovation, product development and marketing
a) Criticality to the organization
b) market position and market share
c) Competition
d) State of the art product development,
e) Business interruption exposure
f) Technology
g) Production capacity
h) Degree of automation
i) Nature of operations hazardous
3. Contractual obligations
a) Enforceability of hold harmless and indemnification agreements under
applicable jurisdictions
b) Willingness and financial ability of the other party
c) Financial capability and attitude of insurers providing additional insured status
4. Compliance and regulatory requirements
a) Industry legislation
b) Management awareness of government regulations
c) Possible industry or voluntary regulation
d) Penalties, fines and public image
e) History of enforcement
5. Safety (internal and external)
a) Union concerns to safety
b) Ergonomic audits and Existence of safety programs
c) Level of management support for safety programs
d) Ability to recruit and train
e) Implications on employee productivity
f) Disaster recovery
g) Crisis management plan
h) Security plan and possibility of terrorism
6. Social responsibility and citizenship
a) Industry profile high or low
b) Management concern with reputational risks
c) Effect of negative press and uses of outside auditors
7. Internal policies
a) Audit and oversight
b) internal, external and board involvement
c) Employment issues: contract, leasing, seasonal and Employee Practices
Liability
d) Product recalls, product guarantee and ethic policies and procedures
Measurement tools of quantitative risk exposures
Quantitative risk analysis assigns a projected value (usually this value is stated in terms
of cost or time) to the risks.
Uses of Qualitative Risk analysis
1. Prioritization of risk factors
2. Verification of loss data
3. Classification of loss data
4. Prediction of losses and range of losses
5. Cost benefit decision making
6. Net Present Value (NPV) analysis
7. Review of insurance program structure to determine viability of a retention
program, amount of retention and insurance purchasing decisions including limits
of liability.
Tools to perform Quantitative risk analysis
Risk analysis tools are used to assess the various impact exposures have on the
organization.
Tools to assess the likelihood of an event occurring
1. Loss analysis
2. Risk mapping or risk factor analysis
3. Probability analysis
4. Linear regression
Tools to assess the impact of an event should it occur
1. Payback analysis and accounting rate of return
2. Cost benefit analysis
3. Net Present Value (NPV) analysis
4. Internal Rate of Return
There are five inputs to perform quantitative risk analysis:
The risk register. This contains a list of all of the identified risks so far on the
project, and includes information on each such as their responses, their records
and categories.
The risk management plan. This document is in fact the risk management
strategy because it defines the level of risk which is seen as tolerable, how such
risks will be managed, who will be responsible for carrying out the risk activities,
the time and cost aspects of each risk activity and how the communication of risk
is to occur.
Schedule management plan. Because the schedule timings are presented in a
quantifiable manner then risks concerned with timing and time scales can easily
be quantified within this process.
Cost management plan. Similar to the above, costs are also quantifiable and can
be used as an input for this process. Note that the scope management plan is not
quantifiable and is therefore normally used within the qualitative risk analysis
process.
Organizational process assets. These may consist of risk templates, policies,
procedures or guidelines, lessons learned from previous or similar projects, and
any quantitative risk tools.
Advantages of Quantitative Risk Assessment
1. Using quantitative assessments managers are able to present the results of risk
assessment in a straightforward manner to support the accounting based
presentation of senior managers.
2. As results are statistical in nature, it aids in determining whether an expensive
safeguard is worth purchasing or not. The process requires the risk assessment
team to put great effort into assets value definition and mitigation as a result.
3. Its results are based substantially on independently objective processes and
metrics.
4. Finally, carrying out a quantitative risk analysis is fairly simple and can easily
follow a template type approach.
Drawbacks of Quantitative Risk Assessment
1. Calculations involved in quantitative risk assessments are complex and time
consuming.
2. Its results are presented in monetary terms only and as such, may be difficult for
non-technical people to interpret.
3. The process requires expertise so participants cannot be easily coached through
it.
4. Impact values assigned to risks are based on opinions of participants.
Advantages of Qualitative Risk Assessment Technique:
1. Ease of calculation: when compared with quantitative technique, performing
calculations using a qualitative technique is relatively simple.
2. Monetary value of assets does not need to be determined: to perform a
qualitative risk assessment, managers don't need to come up with a monetary
value for assets identified during the initial asset identification phase.
3. It is not necessary to quantify threat frequency: because this technique does not
require complex calculations, managers do not have to quantify the number of
times a certain threat is likely to occur
4. It is easier to involve non-security and non-technical staff: though it is important
to select as risk assessment team members, this technique does not require that
selected team members consist solely of technical members.
5. Flexibility in process and reporting
Drawback of Qualitative Risk Assessment Techniques
1. Qualitative techniques are subjective in nature- i.e. rather than relying on
'statistical data or evidence' for its results, it is dependent on the quality of the
risk management team that created it.
Striking a Balance
As already highlighted above, both approaches to risk management have their
advantages and disadvantages. Certain situations may call for organizations to adopt the
quantitative approach. Conversely, smaller organizations with limited resources will
probably find the qualitative approach better fitting.
Furthermore, in selecting a risk analysis technique, managers should select a technique
that best reflects the needs of the organization. The decision on which risk analysis
technique to use should depend on what the manager is attempting to achieve.
Capturing risks and selecting controls are important, however more important is an
effective risk assessment process establishing the risk levels. Before an organization can
decide on what to do, it must first identify where and what the risks are. Quantitative
risk analysis requires risk identification after which both qualitative and quantitative risk
analysis processes can be used separately or together. Consideration of time and budget
availability and the need for both types of analysis statements about risk and impact will
determine which method(s) to use.
PRIORITIZING AND MAPPING OF RISKS
Risk assessment is a process of assessing probabilities and consequences of risk events if
they are realized. The results of this assessment are then used to prioritize risks to
establish a most-to-least critical importance ranking.
Risk Matrix
A Risk Matrix is a matrix that is used during Risk Assessment to define the various levels
of risk. This is a simple mechanism to increase visibility of risks and assist management
decision making. Although many standard risk matrices exist, organizations
may need to create their own or tailor an existing risk matrix.
For example, the harm severity can be categorized as:
Catastrophic - Multiple Deaths
Critical - One Death or Multiple Severe Injuries
Marginal - One Severe Injury or Multiple Minor Injuries
Negligible - One Minor Injury
The probability of harm occurring might be categorized as 'Certain', 'Likely', 'Possible',
'Unlikely' and 'Rare'. However it must be considered that very low probabilities may not
be very reliable.
The resulting Risk Matrix could be:
            Negligible   Marginal   Critical   Catastrophic
Certain     High         High       Extreme    Extreme
Likely      Moderate     High       High       Extreme
Possible    Low          Moderate   High       Extreme
Unlikely    Low          Low        Moderate   Extreme
Rare        Low          Low        Moderate   High
The company or organization then would calculate what levels of Risk they can take with
different events. This would be done by weighing up the risk of an event occurring
against the cost to implement safety and the benefit gained from it.
The following is an example risk matrix with particular accidents allocated to
appropriate cells within the matrix:
Negligible Marginal Critical Catastrophic
Certain Stubbing Toe
Likely Fall
Possible Major Car Accident
Unlikely Aircraft Crash
Rare Major Landslide
Problems with Risk Matrix
Poor Resolution. Typical risk matrices can correctly and unambiguously compare only a
small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can
assign identical ratings to quantitatively very different risks ("range compression").
Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively
smaller risks. For risks with negatively correlated frequencies and severities, they can
lead to worse-than-random decisions.
Suboptimal Resource Allocation. Effective allocation of resources to risk-reducing
countermeasures cannot be based on the categories provided by risk matrices.
Ambiguous Inputs and Outputs. Categorizations of severity cannot be made objectively
for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity
categorizations) and resulting outputs (i.e., risk ratings) require subjective
interpretation, and different users may obtain opposite ratings of the same quantitative
risks. These limitations suggest that risk matrices should be used with caution, and only
with careful explanations of embedded judgments.
Risk mapping
A risk map is a data visualization tool for communicating specific risks an organization
faces.
Risk mapping is used to assist in identifying, prioritizing, and quantifying (at a macro
level) risks to an organization. This representation often takes the form of a two-
dimensional grid with frequency (or likelihood of occurrence) on one axis and severity
(or degree of financial impact) on the other axis; the risks that fall in the high-
frequency/high-severity quadrant are given priority risk management attention.
The goal of a risk map is to improve an organization's understanding of its risk profile
and appetite, clarify thinking on the nature and impact of risks, and improve the
organization's risk assessment model. In the enterprise, a risk map is often presented as
a matrix. For example, the likelihood a risk will occur may be plotted on the X-axis while
the impact of the same risk is plotted on the Y-axis.
Risk analysis builds on the risk information generated in the identification step,
converting it into decision-making information. In the analyzing step, three more
elements are added to the risk's entry on the master risks list: the risk's probability,
impact, and exposure. These elements allow operations staff to rank risks, which in turn
allows them to direct the most energy into managing the list of top risks.
Risk Probability
Risk probability is a measure of the likelihood that the consequences described in the
risk statement will actually occur and is expressed as a numerical value. Risk probability
must be greater than zero, or the risk does not pose a threat. Likewise, the probability
must be less than 100 percent, or the risk is a certainty; in other words, it is a known
problem.
The following table demonstrates an example of a three-value division for probabilities.
Risk Impact
Risk impact is an estimate of the severity of adverse effects, the magnitude of a loss, or
the potential opportunity cost should a risk be realized. Risk impact should be a direct
measure of the risk consequence as defined in the risk statement. It can either be
measured in financial terms or with a subjective measurement scale.
If all risk impacts can be expressed in financial terms, use of financial value to quantify
the magnitude of loss or opportunity cost has the advantage of being familiar to
business sponsors. The financial impact might be long-term costs in operations and
support, loss of market share, short-term costs in additional work, or opportunity cost.
Risk Exposure
Risk exposure measures the overall threat of the risk, combining the likelihood of actual
loss (probability) with the magnitude of the potential loss (impact) into a single numeric
value. In the simplest form of quantitative risk analysis, risk exposure is calculated by
multiplying risk probability by impact.
Exposure = Probability x Impact
The advantage of this tabular format is that it is easy to understand through its use of
colors (red for the high-risk zone in the upper-right corner, green for low risk in the
lower-left corner, and yellow for medium risk along the diagonal). It also uses a well-
defined terminology: "High risk" is easier to comprehend than "high exposure."
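The ranking by exposure described above, together with the "range compression" and rating errors listed under Problems with Risk Matrix, worked through in Python as an added example that is not part of the original course notes. The matrix is the one tabulated earlier; the numeric band edges and the sample risk register are constructed assumptions.

```python
from bisect import bisect_right
from itertools import combinations

# Risk matrix as tabulated in the notes: row = probability band,
# values follow the SEVERITY column order.
SEVERITY = ["Negligible", "Marginal", "Critical", "Catastrophic"]
PROBABILITY = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
MATRIX = {
    "Certain":  ["High", "High", "Extreme", "Extreme"],
    "Likely":   ["Moderate", "High", "High", "Extreme"],
    "Possible": ["Low", "Moderate", "High", "Extreme"],
    "Unlikely": ["Low", "Low", "Moderate", "Extreme"],
    "Rare":     ["Low", "Low", "Moderate", "High"],
}
RATING_ORDER = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}

# ASSUMPTION: the notes give no numeric band edges; these are illustrative.
PROBABILITY_EDGES = [0.05, 0.25, 0.50, 0.90]   # annual probability of the event
IMPACT_EDGES = [10_000, 100_000, 1_000_000]    # financial loss per event

# CONSTRUCTED sample register: (name, probability, impact)
REGISTER = [
    ("Warehouse fire", 0.24, 950_000),
    ("Server room flood", 0.04, 900_000),
    ("Payment fraud", 0.30, 90_000),
    ("Laptop theft", 0.60, 9_000),
    ("Minor slip claims", 0.92, 2_000),
]


def analyze(name, probability, impact):
    """Return the matrix rating and the numeric exposure for one risk."""
    # Per the notes: probability must be above zero and below 100 percent,
    # otherwise it is either no threat or a known problem, not a risk.
    if not 0 < probability < 1:
        raise ValueError(f"{name}: probability must be strictly between 0 and 1")
    if impact <= 0:
        raise ValueError(f"{name}: impact must be positive")
    p_band = PROBABILITY[bisect_right(PROBABILITY_EDGES, probability)]
    s_index = bisect_right(IMPACT_EDGES, impact)
    return {
        "name": name,
        "probability_band": p_band,
        "severity_band": SEVERITY[s_index],
        "rating": MATRIX[p_band][s_index],
        # Exposure = Probability x Impact
        "exposure": round(probability * impact, 2),
    }


def rank_by_exposure(register):
    """Analyze every risk and sort with the largest exposure first."""
    rows = [analyze(*risk) for risk in register]
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)


def rating_reversals(rows):
    """Pairs where the matrix rates a risk higher although its exposure is smaller."""
    found = []
    for a, b in combinations(rows, 2):
        if RATING_ORDER[a["rating"]] >= RATING_ORDER[b["rating"]]:
            hi, lo = a, b
        else:
            hi, lo = b, a
        higher_rated = RATING_ORDER[hi["rating"]] > RATING_ORDER[lo["rating"]]
        if higher_rated and hi["exposure"] < lo["exposure"]:
            found.append((hi["name"], lo["name"]))
    return found


def range_compression(rows):
    """For each rating shared by two or more risks: largest / smallest exposure."""
    by_rating = {}
    for r in rows:
        by_rating.setdefault(r["rating"], []).append(r["exposure"])
    return {
        rating: round(max(values) / min(values), 2)
        for rating, values in by_rating.items()
        if len(values) > 1
    }


if __name__ == "__main__":
    ranked = rank_by_exposure(REGISTER)
    for r in ranked:
        print(f'{r["name"]:<18} {r["probability_band"]:<9} '
              f'{r["severity_band"]:<12} {r["rating"]:<9} {r["exposure"]:>12,.2f}')
    print("Rated higher despite smaller exposure:", rating_reversals(ranked))
    print("Exposure spread within one rating:", range_compression(ranked))
```

With these inputs the only "High" risk has the smallest exposure on the register, and the four "Moderate" risks differ in exposure by a factor of about 42.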
QUESTIONS
1. Differentiate between qualitative and quantitative analysis.
2. Define a risk map and give an example of its application.
3. What are the advantages of qualitative risk assessment?
4. Identify two risk identification techniques highlighting the pros and cons
CHAPTER 6.0 RISK FINANCING
Introduction
Chinese merchants were among the earliest known business people to utilize risk
financing in the conduct of trade and commerce. Merchants who shipped their goods on
the Yangtze River could never be sure that their goods would safely arrive at the trading
centers down river. The merchant boats would sometimes sink with the cargo and ship.
To avoid a total loss, merchants would coordinate their shipments by distributing their
cargo on various ships. In case a ship sank, it would only lose a portion of cargo,
minimizing the possibility of total loss.
The basic tenets of risk financing, from the trip down the Yangtze River to how
organizations finance risk, have similarities such as:
1. Pooling of resources
2. Transfer of risk
3. Spread of risk
4. The need to anticipate the risk of the group's operations
5. A plan to financially deal with a loss if it occurred
6. Risk retention
7. Verbal or written contracts to substantiate financing in event of loss
8. Identifying the simplest, least expensive and most creative way to finance risk without
jeopardizing the financial integrity of operations.
9. The ultimate goal to protect the assets of the business or personal lines.
Learning objectives
1. To develop an understanding and application of risk finance techniques
2. To develop an understanding of the best technique for an organization
Risk Financing
Risk financing involves the identification of risks, determining how to finance the risk,
and monitoring the effectiveness of the financing technique that is chosen.
Risk financing is designed to help a business align its desire to take on new risks in order
to grow, with its ability to pay for those risks. A business must weigh the potential costs
of its actions against whether the action will help the business reach its objectives. The
business will examine its priorities in order to determine whether it is taking on the
appropriate amount of risk in order to reach its objectives, whether it is taking the right
types of risks, and whether the costs of these risks are being accounted for financially.
Companies have a variety of options when it comes to protecting themselves from risk.
Commercial insurance policies, captive insurance, self-insurance, and other alternative
risk transfer schemes are available, though the effectiveness of each depends on the
size of the organization, the organization’s financial situation, the risks that the
organization faces, and the organization’s overall objectives. Risk financing seeks to
choose the option that is the least costly, but that also ensures that the organization has
the financial resources available to continue its objectives after a loss event occurs.
Companies typically forecast the losses that they expect to experience over a period of
time, and then determine the net present value of the costs associated with the
different risk financing alternatives available to them. Each option is likely to have
different costs depending on the risks that need coverage, the loss development index
that is most applicable to the company, the cost of maintaining a staff to monitor the
program, and any consulting, legal, or external experts that are needed.
RISK FINANCING TECHNIQUES
Risk Management Process
A) Retention of Risk
The financing of risks and losses is said to be “retained” if the funding source for
payment of the losses originates from and remains within the organization until the loss
is actually paid.
Financing risks through retention can be accomplished by any of the following
techniques.
[Figure: The Risk Management Process. Labels: Identification and Analysis Exposure; Treatment of Exposure; Risk Financing; Transfer; Retention; Risk Control]
1. Expensing of Losses
Current expensing of losses involves the payment of losses directly from the
current operating budget or appropriation. That is, the loss is “expended” or paid
out of the current year’s operating funds. Current expensing typically does not
provide for a formally recognized funding source from which losses are paid.
Therefore, expensing of losses is suitable only for payment of small losses such as
repairing or replacing a damaged laptop. Expensing is not suitable for funding
large losses.
2. Loss Reserves
A loss reserve can be established for the potential liability or payment of losses.
The reserve is typically based on expected losses and treated as an accounting
entry that identifies the potential liability on the organization’s financial
statement. This liability can be funded by cash, securities, or other liquid assets
that are earmarked as designate liabilities.
3. Borrowing
Borrowing is a method that may be utilized by an organization to pay for losses
that have not been previously funded or insured. The cost of this option is on the
high end considering that it attracts interest and ultimately the institution still
pays for the losses with its own earning and resources. This deprives the
organization of funds that would have otherwise been used for other revenue
generating activities.
4. Self-Insurance
Self-insurance is an arrangement whereby the organization finances its losses through a planned
strategy. The methods for this option include the following:
a) A self-insurance trust is a funding vehicle in the form of a bank account administered by
an independent third party (trustee); the funds are designated solely for the
purpose of paying losses. The fund level is actuarially determined, and through
a formalized agreement the statement of coverage and the losses to be paid are
predetermined.
b) A captive is primarily controlled by its owners, and the original
insureds are its principal beneficiaries. Simply stated, a captive is a
corporation for which the product is the payment of losses and the revenue is
premium payments.
Risk Transfer
The financial burden of losses can be transferred from the entity incurring the loss to an
outside entity for a premium fee or through a contract. This may be accomplished
through the purchase of commercial insurance or through a contractual transfer.
1. Insurance Transfer of Risk
Insurance is a contractual relationship that exists when one party (the Insurer) for
a consideration (the Premium) agrees to reimburse another party (the Insured or
third party on behalf of the Insured) for a loss to a specified subject (the Risk)
caused by designated contingencies (the Hazards or Perils).
When commercial insurance is purchased the insured entity pays premiums to
the insurer. The insurer then pools the premiums paid by all insured entities that
have purchased the same type of insurance. In this manner the risks are “spread”
among all insured, and premiums are kept to a minimum.
The insurer is then legally responsible for payment of all claims and losses,
subject to the terms, exclusions and limitations of the policy, rather than the
entity incurring the claim or loss.
From a practical point of view, insurance will nearly always involve some form of
risk retention. For instance, the excess or deductible is a planned retention, while
any limitation of scope of cover as a result of an adverse policy coverage
interpretation by the commercial insurer would be unplanned retention.
The insurance policy therefore should never be viewed as a “complete” transfer
of risk.
2. Contractual transfer
A contractual transfer involves a legal transfer of the financial responsibility for payment of losses, but
does not involve the purchase of insurance. Such non-insurance transfers
typically involve the use of a “hold harmless agreement”. A hold harmless
agreement is an agreement between two parties defining an obligation or duty
resting on one party to make good the liability, loss, or damage that the other
party has incurred or may incur.
RISK RETENTION VERSUS RISK TRANSFER
The decision whether to transfer rather than retain risk will depend upon many factors
including;
1. The size and type of operation
2. The financial strength and resources
3. The type of risk to be treated
4. The risk taking philosophy of the organization
5. The organization's future goals and objectives
6. The overall effectiveness of the risk management and loss control program
When evaluating the risk financing continuum two aspects are critical
a) Cost efficiency
b) Cost certainty
For instance, an insurance program has cost certainty, while cost efficiencies are minimal
considering that the organization will pay a premium that includes:
1. Insurance company profit
2. Overheads
3. Estimate of losses to be paid under the policy
4. Charges for use of their policy form
5. Reinsurance
6. Miscellaneous services
7. A charge for “risk” they are assuming for this exposure
This insurance option is suitable for smaller organizations with limited assets and
resources where maximum cost certainty is important for the financial wellbeing.
On the other end, a decision to retain, for instance, your professional liability claims
would provide cost efficiency and cost uncertainty. The cost efficiency arises from paying
for losses without having to incur the usual insurer's expenses. The cost uncertainty arises
from having limited or no knowledge of when a claim will arise and when it will be paid.
This also bears on the availability of funds when they are required to pay for such losses.
The retention approach will make sense for large corporations that have resourced their
risk management program in an effective manner and have sufficient assets to
accommodate the volatility of loss payments without impairment to the financial
strength of the organization.
Typical risk managers will utilize a combination of both options, retaining risks that are
predictable and transferring risks that are unpredictable or catastrophic. This combination
should ideally strike a balance between cost efficiency and cost certainty. However,
for this balance to succeed an organization needs to have in place a robust risk
management and loss control program.
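The net present value comparison described at the start of this chapter and the trade-off between cost efficiency and cost certainty discussed above can be worked through together. The Python sketch below is an added example, not part of the original course notes; the loss scenarios, probabilities, discount rate, premium, deductible and administration cost are all constructed figures.

```python
"""Retention vs. insurance: cost efficiency and cost certainty (constructed figures)."""
from math import sqrt

DISCOUNT_RATE = 0.08  # assumed annual discount rate

# Constructed three-year loss forecasts with assumed probabilities.
SCENARIOS = {
    "benign":   (0.3, [150_000, 180_000, 200_000]),
    "expected": (0.5, [400_000, 420_000, 450_000]),
    "severe":   (0.2, [1_200_000, 900_000, 1_500_000]),
}

RETENTION_ADMIN = 60_000  # assumed yearly cost of staff, consultants and legal advice
PREMIUM = 600_000         # assumed yearly premium, including the insurer's loadings
DEDUCTIBLE = 100_000      # assumed yearly aggregate deductible (the planned retention)


def npv(costs, rate=DISCOUNT_RATE):
    """Present value of a list of costs, each paid at the end of its year."""
    return sum(c / (1 + rate) ** year for year, c in enumerate(costs, start=1))


def retention_costs(losses):
    """Retained programme: the organization pays every loss plus its running costs."""
    return [loss + RETENTION_ADMIN for loss in losses]


def insurance_costs(losses):
    """Insured programme: fixed premium plus losses up to the deductible."""
    return [PREMIUM + min(loss, DEDUCTIBLE) for loss in losses]


def summarize(cost_model):
    """Probability-weighted NPV, its spread across scenarios, and the worst case."""
    npvs = {name: npv(cost_model(losses)) for name, (_, losses) in SCENARIOS.items()}
    expected = sum(p * npvs[name] for name, (p, _) in SCENARIOS.items())
    variance = sum(p * (npvs[name] - expected) ** 2
                   for name, (p, _) in SCENARIOS.items())
    return {
        "expected_npv": expected,         # lower means more cost-efficient
        "spread": sqrt(variance),         # lower means more cost-certain
        "worst_npv": max(npvs.values()),  # cost if the severe scenario occurs
        "by_scenario": npvs,
    }


def compare():
    """Summaries for both financing options, keyed by option name."""
    return {
        "retention": summarize(retention_costs),
        "insurance": summarize(insurance_costs),
    }


if __name__ == "__main__":
    for option, s in compare().items():
        print(f"{option:9s} expected NPV {s['expected_npv']:>12,.0f}  "
              f"spread {s['spread']:>10,.0f}  worst case {s['worst_npv']:>12,.0f}")
```

With these figures retention has the lower expected cost but a wide spread and a worse severe-scenario outcome, while the insured programme costs the same in every scenario because each forecast loss exceeds the deductible.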
Guiding Factors when choosing risk transfer and risk retention
1. The risk taking philosophy of the organization. Senior management needs to
agree on which risks to accept and which risks to transfer.
2. Self-insure the predictable layer of losses where possible. To do otherwise would
be trading shillings with an insurer with a loss of control over your program.
3. Transfer unpredictable or catastrophic layers of potential losses at limits
sufficient to protect the assets of your organization.
4. Any risk retained should have an effective risk management program in place to
control or minimize the risk.
5. Always take a long term view of the risk transfer versus retention strategy. For
instance, in a soft market insurance costs will be lower, but how sustainable will
this be in the future?
6. It is important to be prudent and conservative in funding your self-insurance
program. The payable losses can reduce if the loss control program is effective.
7. Choose your risk financing consultants, such as brokers, actuaries, auditors and
legal advisers, carefully. They need to be your partners and advocates in safeguarding your
organization’s assets and reputation.
8. Research the insurance carrier to determine its financial security,
management, policy services and record of paying claims.
Questions
1. Discuss retention as a risk transfer technique
2. Discuss the relationship between cost certainty and cost efficiency
3. Discuss the basic tenets of a risk financing program
CHAPTER. 7. ALTERNATIVE RISK TRANSFER (ART) MECHANISM
Introduction;
This chapter discusses alternative risk transfer mechanisms with respect to insurance and
related risk management. Risk transfer means causing another party to accept the risk,
for example through insurance, where risk is transferred from an entity to the insurance
company.
Learning Outcomes
After completion of this chapter you should be able to;
Describe alternative risk transfer mechanisms and explain the reasons for their increased use.
Explain what falls under finite risk re-insurance
Explain integrated risk management
Show how capital markets work as an additional source of capacity.
Explain alternative risk transfer products
Unit structure
Definition and reasons for increased use
Finite risk management
Risk transfer to capital markets
Integrated risk management
Alternative risk financing products
Study Guide
You are expected to be familiar with the scope and objectives of risk management,
building up an effective risk management programme and the important steps in risk
management decision making process.
8.1 DEFINITION AND REASONS FOR INCREASED USE OF ALTERNATIVE RISK TRANSFER
MECHANISM
Alternative Risk Transfer (often referred to as ART) is the use of techniques other than
traditional insurance and reinsurance to provide risk bearing entities with coverage or
protection. The field of alternative risk transfer grew out of a series of insurance capacity
crises in the 1970s through 1990s that drove purchasers of traditional coverage to seek
more robust ways to buy protection.
Most of these techniques permit investors in the capital markets to take a more direct
role in providing insurance and reinsurance protection, and as such the broad field of
alternative risk transfer is said to be bringing about a convergence of insurance and
financial markets.
In addition, a number of approaches involve funding risk transfer, often within the
structures of the traditional reinsurance market. Captive insurance companies are formed
by firms and re/insurers to receive premiums that are generally held and invested as a
"funded" layer of insurance for the parent company. Some captives purchase excess of
loss reinsurance and offer coverage to third parties, sometimes to leverage their skills and
sometimes for tax reasons. Financial reinsurance in various forms (finite, surplus relief,
funded, etc.) consists of various approaches to reinsurance involving a very high level of
prospective or retrospective premiums relative to the quantity of risk assumed. While
such approaches involve "risk finance" as opposed to "risk transfer," they are still
generally referred to under the heading of alternative risk transfer.
Alternative Risk Transfer mechanisms are designed to help you retain underwriting profits
and reduce insurance premiums paid under traditional plans.
Why more risk managers are using alternative risk transfer solutions
Alternative risk transfer (ART) is assuming more importance, as larger companies seek to
take more control over their risk management and transfer, smooth out volatilities in
pricing, broaden coverage, and gain deeper insight into their losses, near losses, claims
and overall risk profile.
ART presents risk managers with more opportunities to hedge risks in innovative ways
and to be less dependent on ‘classic’ insurance.
For companies with increasing revenues and large balance sheets, risk tolerance is
increasing. They can take on more risk and are looking to protect themselves against risks
that run into billions of dollars, which can be difficult to find cover for in the conventional
insurance market.
Furthermore, risk managers increasingly face emerging or new risks that can be difficult
to insure – such as non-damage BI, political risks, reputational risks, climate risks – all of
which can cost companies billions of dollars.
Several broader industry factors are also spurring increased ART: more data with which
to quantify and accurately price risks, greater focus on and more sophisticated ART
services among large (re)insurance carriers and an influx of alternative capital into the
(re)insurance sector.
Many options
The range of ART mechanisms available today is both wide and diverse, providing multiple
risk transfer alternatives to the traditional insurance market.
Risk financing vehicles such as captives, financial instruments and hybrid products that
incorporate characteristics of both financial instruments and reinsurance are all
commonly utilised ART structures, each providing differing strategic risk management
benefits.
The ability to blend traditional (re)insurance with forms of self-funding, access flexible
multi-year, multi-line, multi-trigger products and increased availability of capacity are the
key drivers in the growth in demand for ART.
Common strategies include:
• Loss-sensitive insurance plans, in which premiums are based on losses.
• Risk purchasing groups of individuals purchasing liability insurance.
• Captives, which are owned and controlled by their insured parties.
• Group captives, which are owned and controlled by multiple insureds (firms of a similar
size often pool risks in an industry captive with customised insurance plans).
• Protected cell captives, which allow a client to rent a captive while ensuring complete
separation of assets, capital and surplus between them and other participants.
• Self-insured retention plans.
• Self-insured groups and pools.
Organisations use a variety of capital sources to fund their risks: banks, insurers,
shareholders and others. By merging the best of capital market techniques with insurance
structures, ART solutions enable companies to select the most appropriate risk finance
and acquire contingent capital at economic cost.
ART solutions can fulfil a variety of needs, including:
• General earnings smoothing
• Managing speculative risks
• Risk hedging
• Deal facilitation
• Removal of specific balance sheet provisions.
In particular, they can be used to hedge risks (or accumulations of risks) considered by a
company to be intolerable or unacceptable – for example, commodity, exchange rate or
weather risks – or to gain a financing cost advantage over its competition, such as utilising
insurance structures that competitors may not have access to.
ART can also enable companies to reduce the cost of borrowing (in certain circumstances,
insurers’ contingent capital may be cheaper than standby lines of credit) and can be used
where a lender of capital stipulates some form of insurance coverage – for example, as
part of a credit enhancement deal.
Part of the reason why ART has gained popularity is because the insured:
a) does not subsidise others whose premiums are inadequate to pay their claims
b) gains access to profits generated from current insurance premiums, and
c) has more control of who shares their risk and is not subject to market swings – gaining
stability and predictability in premiums.
Broader contributing
New capital is not the only driver of change in this market – the far greater availability of
data nowadays creates opportunities to price and quote for new types of business.
Structured insurance is an example of an area where activity is increasing as companies
look to cover difficult or uninsurable risks over multiple balance sheet periods with a mix
of risk retention and risk transfer.
This is mainly a year-to-year solution for managing non-attributed exposures over
multiple balance sheet periods and can, for example, be particularly effective for
managing political risk.
Another area that is being explored by investors is operational risk for financial
institutions (such as fraud, employment practices, system failures and delivery
management failures), where potentially investors would be ready to ‘step in’ and take
some of the high-severity risk.
8.2. FINITE RISK INSURANCE
Finite risk insurance is an insurance contract that shifts the risk of loss from an insured to an insurer during a
stated number of years. Such contracts are subject to a specific limit of liability and
include a "commutation feature" (i.e., a refund to the insured) if loss experience is better
than expected. Part of the investment income derived from the insured's premium
payment is also rebated to the insured. In lieu of an underwriting profit that an insurer
seeks from a traditional insurance policy, a finite risk insurance contract provides the
insurer with an administrative fee for writing and maintaining the contract plus a
relatively stable investment income, which is earned on the insured's premium payments.
Finite risk insurance is the term applied within the insurance industry to describe an
alternative risk transfer product that is typically a multi-year insurance contract where
the insurer bears limited underwriting, credit, investment and timing risk. The assessment
of risk is often conservative. The insurer and the insured share in the net profit of the
transaction, including loss experience and investment income. The premium is generally
well in excess of the present value of a conservative estimate of loss experience. The
policy generally contains retrospective rating provisions such as
• Commutation provisions,
• Additional premium provisions, or
• An experience account
Finite risk insurance excludes products expressly sold as annuities.
The term "blended finite risk insurance" is often used to describe an insurance product
that has the characteristics of finite risk, but with more risk transfer included than
generally is the case for finite risk. While there is no bright-line test for risk transfer, the
distinction would be most readily noted in the premium for blended finite risk insurance,
which must be less than the present value of a conservative estimate of loss experience
by a readily noticeable degree.
"Additional premium provision" means, in the context of finite risk insurance, a provision
of an insurance or reinsurance contract that requires or strongly encourages the insured
to pay the insurer some calculable amount as a result of losses paid or incurred under
that insurance or reinsurance contract, excluding provisions for additional premium due
to changes in exposure or policy audit.
"Commutation provision" means a verbal or written agreement, whether or not formally
incorporated into an insurance or reinsurance policy, that allows the policyholder to
commute the policy, usually implying that all liabilities and rights created by that contract
are extinguished in return for the balance of an experience account. Generally provisions
such as "profit sharing" or "low claims bonus," which also produce a return of premium
that can be reduced by claims payments, are not considered Commutation Provisions if
they do not extinguish the contract. Loss-based return and additional premium provisions
in conventional loss-based rating plans, e.g., incurred loss retrospectively rated insurance
and so-called "retention plans" used commonly in insuring US Workers' Compensation,
are generally not considered Commutation Provisions for much the same reason.
Sample language for such a provision might resemble this:
Commutation by policyholder
This policy may be commuted by the policyholder (the “commutation”) effective as of
December 31, 200_ or on each two year anniversary of such date thereafter, upon not
less than ninety (90) days advance written notice to the Insurer. The date of the
Commutation (the "Commutation Date") shall be set forth in such notice. Effective the
Commutation Date, the Policyholder and the Insurer, finally and irrevocably release each
other from any and all liability and obligations to each other under or in connection with
this Policy, whether billed or unbilled, whether reported or unreported and whether
known or unknown; provided that, upon the Commutation, the Insurer shall pay to the
Policyholder an amount equal to the Loss Experience Account. Such Loss Experience
Account shall be due and payable to the Policyholder on the Commutation Date.
"Experience account" when used in the context of finite risk refers to a provision in an
insurance or reinsurance contract that, using some function of premium, insurer charges,
losses paid or payable under the contract, subrogation proceeds, and interest rates, forms
the basis of an explicit or notional fund that can then be used to calculate the amount
due under an additional premium provision.
An example, appropriate for a finite risk insurance policy, might look like this:
Loss experience account
A notional loss experience account will be created at the Inception Date, for use in
evaluating amounts due under the commutation provision, which shall be updated
annually thereafter as of the last day of each calendar year so long as this Policy remains
in effect. The notional loss experience account will be determined as follows:
1. Beginning balance; minus
2. Payments of ultimate net loss made by the Insurer as of the immediately preceding
loss payment date; plus
3. Interest income on any positive daily balance calculated using an interest rate
equal to the one-year treasury rate effective on the inception date (for the first
calculation) and effective at each one-year anniversary for each subsequent
twelve-month period.
As of the inception date, the beginning balance will be equal to 100 percent of the
premium, less brokerage fees, less the insurer margin. The beginning balance for each
subsequent year will be the total of (1) through (3), above, from the prior year's
calculation.
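The roll-forward in steps (1) to (3) above, worked through in Python as an added example that is not part of the original course notes. The premium, fees, losses and treasury rates are constructed; losses are assumed to be paid on the last day of each year, and flooring the commutation payment at zero is an assumption the sample wording does not address.

```python
"""Notional loss experience account roll-forward (constructed figures)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class YearEntry:
    year: int
    beginning: Decimal
    losses_paid: Decimal
    interest: Decimal
    ending: Decimal


def opening_balance(premium, brokerage, insurer_margin):
    """100 percent of the premium, less brokerage fees, less the insurer margin."""
    return Decimal(premium) - Decimal(brokerage) - Decimal(insurer_margin)


def roll_forward(opening, losses_paid, treasury_rates):
    """Apply steps (1) to (3) once per policy year and return the ledger.

    Simplification: each year's losses are paid on the last day of the year,
    so the daily balance equals the beginning balance and interest accrues on
    it for the full year. Interest is credited only on a positive balance.
    """
    if len(losses_paid) != len(treasury_rates):
        raise ValueError("one treasury rate is needed for each policy year")
    ledger = []
    balance = Decimal(opening)
    for year, (loss, rate) in enumerate(zip(losses_paid, treasury_rates), start=1):
        loss, rate = Decimal(loss), Decimal(rate)
        interest = max(balance, Decimal(0)) * rate   # step (3)
        ending = balance - loss + interest           # (1) minus (2) plus (3)
        ledger.append(YearEntry(year, balance, loss, interest, ending))
        balance = ending                             # next year's beginning balance
    return ledger


def commutation_payment(ledger):
    """Amount paid to the policyholder on commutation: the closing balance,
    floored at zero (assumption: a deficit is not collected through commutation)."""
    return max(ledger[-1].ending, Decimal(0))


# Constructed inputs: premium 10,000,000; brokerage 300,000; insurer margin 700,000.
OPENING = opening_balance("10000000", "300000", "700000")
RATES = ["0.04", "0.05", "0.03"]                   # one-year treasury rate per year
FAVOURABLE = ["2000000", "3500000", "1000000"]     # losses leave a surplus
ADVERSE = ["6000000", "5000000", "0"]              # losses exhaust the account

if __name__ == "__main__":
    for label, losses in (("favourable", FAVOURABLE), ("adverse", ADVERSE)):
        ledger = roll_forward(OPENING, losses, RATES)
        for e in ledger:
            print(f"{label:10s} year {e.year}: begin {e.beginning:>12,.0f}  "
                  f"losses {e.losses_paid:>11,.0f}  interest {e.interest:>9,.0f}  "
                  f"end {e.ending:>12,.0f}")
        print(f"{label:10s} commutation payment: {commutation_payment(ledger):,.0f}")
```

In the adverse run the balance turns negative in the second year, so no interest is credited afterwards and nothing is returned on commutation.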
Finite risk reinsurance is a form of reinsurance that specifically incorporates the time
value of money. Unlike most reinsurance contracts, finite risk contracts are usually
multiyear. In other words, they spread risk over time and generally take into account the
investment income generated over the period.
In one type of finite risk reinsurance, for example, an insurance company transfers its
claims to the reinsurer, paying a premium that corresponds to the present value of the
claims transferred. Present value is a financial formula that recognizes the potential
investment income generated by the premium dollars. Generally, the claims transferred
are for medical malpractice or other so-called long-tail coverages, where the harm caused
may not be apparent for some time and the final cost of claims may not be known for
years. The timing risk is the key element here. If the claims are settled earlier than
anticipated, investment income will be lower and the reinsurer could lose money on the
transaction.
In another type of finite reinsurance, claims that have not yet been settled are
transferred. The risk to the reinsurer is that the claims will be more expensive than
expected over the long-term – that injured workers’ medical expenses will be twice as
high as anticipated, for example. The main benefit of this kind of finite reinsurance
contract is that it facilitates mergers, since the acquiring company no longer has to be
concerned about whether reserves for losses are adequate.
Other types of finite reinsurance involve a greater element of financing losses but the
contract must meet requirements as to the amount of risk transfer to qualify the
arrangement as reinsurance for accounting purposes.
Finite risk contracts are reported to regulators along with traditional reinsurance
contracts. They are not broken out separately. Finite risk products are estimated to
represent less than five percent of total reinsurance premiums.
8.3. RISK TRANSFER TO CAPITAL MARKETS
The terms 'alternative risk transfer' and 'non-traditional risk transfer' are used loosely to
embrace a range of instruments that enable an organization to transfer financial risk to a
professional risk carrier, other than by way of an insurance contract. Professional risk
carriers in this case are capital markets, rather than insurance and reinsurance markets.
Financial risk transfer is about spreading financial risk across a large number of entities
capable of absorbing a substantial loss more easily than a single organization. Insurance
has been the traditional way of doing this but there has been a movement into capital
markets for transfers of very high value catastrophe risks. This is because a string of very
high catastrophe losses has exposed the inability of the insurance industry to respond
adequately. The spread and scale of capital markets means that catastrophe exposures
can be spread over a wider capital source, instead of solely within the insurance and
reinsurance markets.
Capital market risk products are still evolving and each has to be assessed on its individual
merits. They differ between countries because of different regulations and tax treatment.
They are most commonly used with large economic risks, rather than for those of
individual companies. The financial market failures of 2008 caused massive damage to
the liquidity and asset strength of many of these markets, and this is causing companies
to take greater care in understanding the risks involved.
Example
An example of alternative risk transfer is the cover arranged by Swiss Re, which a few
years ago structured, placed and reinsured earthquake cover for FONDEN (the Mexican
Government's natural catastrophe fund). If an earthquake exceeds certain thresholds
(e.g. magnitude, depth and location), the cover provides financing for disaster relief
and post-disaster reconstruction. A sum of US$160 million of cover was placed in the
capital markets through a catastrophe bond and the remainder was reinsured.
Remember that alongside the advantage of access to a wider range of funding products
there are also disadvantages, which include the following.
• Payment is not necessarily linked to indemnity. The amount received, therefore,
may be short of or in excess of the loss amount.
• Capital markets do not always bring the claims skills and resources that come with
insurance. These may need to be sourced internally or subcontracted, both at
cost.
• The instruments may not be treated sympathetically by regulators, taxation
regimes or by accounting standards.
8.4. INTEGRATED RISK MANAGEMENT
Integrated risk management is a process that takes into consideration the degree of risk
that is found at all levels within a given organization. The idea is to assess the risk inherent
with the operation in general, including how risk factors in one area of the operation may
trigger specific responses in other areas of the operation. This all-inclusive approach to
risk management can often help to minimize factors that could create ongoing
operational issues that have long-term consequences for the business.
When used effectively, integrated risk management is a very proactive process. As the
first step to the process, it is necessary to identify risk as it exists at various levels within
the business. From there, risk must be assessed in terms of what that risk means to each
phase of the operation. Once the assessment is completed, it is essential to address risk
at each step in the business process, and determine what options are viable for dealing
with that risk factor. Finally, steps are taken to reduce risk within each area of the
operation, which in turn leads to increased efficiency and productivity, while at the same
time limiting the potential for losses.
It is important to note that integrated risk management is not a one-time event, or even
one that is conducted once or twice per calendar year. Instead, this type of all-inclusive
risk management is an ongoing process that relates to the day-to-day activities of the
company. From assessing risk in each phase of the manufacturing process to
understanding possible risk factors involved during service delivery and face to face
interactions of employees with customers, the risk evaluation is a constant aspect of the
ongoing effort to make the company as stable and profitable as possible.
There is no one ideal approach to the process of integrated risk management. The exact
processes used and the policies that govern those processes will vary somewhat from one
business setting to another. A constant with integrated risk management is that all
aspects of the operation are evaluated on a continual basis, identified risk factors are
evaluated in light of the overall operation, and resolutions that ultimately benefit the
entire business are the ultimate goal of the management process. As the circumstances
of the business change over time, the strategies that are used as part of the integrated
risk management process must also evolve in order to position the company to enjoy
additional growth in the future.
8.5 ALTERNATIVE RISK FINANCING PRODUCTS
Alternative risk financing products can be divided roughly into two principal categories:
• Alternatives to insurance companies and
• Alternatives to insurance products
1. Alternatives to Insurance Companies
In this section, we will identify different types of risk financing alternatives to insurance
companies and we will explain their benefits.
Example
a) Self-insurance
It is one of the oldest alternatives to insurance companies and remains one of the most
popular.
The term is self-explanatory: rather than purchasing an insurance policy, a company will
decide to retain an eligible risk while designating an amount of money calculated to
compensate for the potential future loss.
Self-insurance typically provides the first layer of coverage, and a policy is purchased from
the commercial insurance market to cover losses in excess of the self-insurance.
Following the 9/11 terrorist attacks, coverage for certain risks became much more
difficult to acquire and was only available at substantially increased costs.
Example
For example, airline insurers immediately increased premiums and cut their coverage for
third-party war and terrorism liabilities to a maximum of $50 million per airline, per
"event."
Workers' compensation carriers began to look very carefully at catastrophic exposures,
especially in locations with more than 250 employees and some life insurance reinsurers
exited the market entirely.
As a result of these developments, many companies have increased the amount of risk
that they self-insure.
For instance, coverage for catastrophic losses might be secured by designating a $75
million a year self-insured retention and by combining this retention with traditional
insurance; this strategy would provide coverage in excess of the retention amount at
greatly reduced premiums.
b) Insurance pools, or self-insurance groups
These are an extension of self-insurance and are employed by companies to underwrite
their collective exposure to high-occurrence, low-cost risks. These groups tend to be
comprised of companies with similar risk profiles (either by type of industry or by
geography or both), because each member of a pool shares the profits and losses of the
pool through a so-called joint and several liability arrangement.
Members contribute premiums to a fund, the proceeds of which are invested and paid
out for claims and administrative expenses. Surplus funds may, at the members'
discretion, be repaid to members or reinvested in the fund.
c) A captive insurer
This, in general terms, is a licensed insurance company established by a noninsurance
parent company to insure the risks of the parent company, its affiliates or other entities
doing business closely with the parent company.
Captives are considered to have a number of advantages over traditional insurance
coverage. Companies utilizing captives enjoy cash flow benefits from lower insurance
costs and retention within the corporate group of premiums and investment income.
Captives can also provide tax benefits.
For example, payments to captives that provide employee benefits insurance are
deductible as insurance premiums in certain circumstances.
Additionally, the company's control over the captive subsidiary allows it to deal with
reinsurers directly, instead of through an insurance company, thereby lowering the cost
of access to the reinsurance market. Perhaps in response to these perceived benefits, the
use of captives has grown tremendously in recent years.
d) Risk retention groups
These are similar to multi-owner captive insurance companies or self-insurance groups.
They are liability insurance companies owned by their insureds (which must be engaged
in a similar business or exposed to similar risks) and they are authorized by the Liability
Risk Retention Act of 1986, which permits the insurance company - once licensed by its
state of domicile - to insure members in all states.
These groups enjoy many of the benefits ascribed to captives - such as the ability of
members to control their own program, the ability to maintain coverage at affordable
rates where typical insurance is hard to obtain and the ability to access reinsurance
markets directly - without the hassle of having to set up the corporate structure of a
captive insurance company as a subsidiary.
These groups now underwrite significant portions of the medical malpractice market,
following the insolvencies between 2001 and 2003 of many of the traditional malpractice
insurers.
However, it is important to note that these groups cannot underwrite certain risks, such
as an employer's liability with respect to its employees, or loss or damage resulting from
any personal, familial or household responsibilities or activities.
2. Alternatives to insurance products
Credit securitizations, CAT bonds, weather derivatives and finite risk products are among
the available alternatives to insurance products.
Many of these instruments are products of the capital markets: a consensus is emerging
that the global capital markets have capacity exceeding that of the insurance markets by
several degrees of magnitude and, consequently, can handle at a lower cost and with less
shock to the system the occurrence of natural disasters and other severe risks.
In this section, we will explain the benefits of different types of risk financing alternatives
to insurance products.
a) Credit securitization
This involves the transfer of assets subject to credit risk, such as receivables, to a specially
created investment vehicle (i.e. a special purpose company). The vehicle in turn issues
securities "backed" by the transferred assets. The proceeds of the sale of the asset-backed
securities are remitted to the transferor of the assets - the entity that otherwise would
have purchased insurance to defray its credit risk - and the purchasers of the securities
assume the risk of recovery of the assets.
b) CAT bonds
These, more formally known as catastrophe bonds, are risk-linked securities designed to
transfer a specified set of risks from the issuer to the investors.
They are usually structured as corporate bonds whose repayment of principal is forgiven
if certain specified trigger conditions are met.
These conditions are generally linked to some sort of catastrophic event, such as a
hurricane hitting Florida. If no hurricane hits, the investors enjoy a return on their
investment through interest payments (typically at a coupon rate much higher than the
risk-free rate) and the principal repayment over the life of the bond.
But if the triggering event occurs, then the investors may lose their rights to some portion
of the principal or the entire principal, which is retained by the issuer to pay the loss.
As the hurricane example suggests, CAT bonds are most frequently used where the risk
sought to be defrayed is a high-severity, low-frequency event.
c) Weather derivatives
Definition
Weather derivatives are financial instruments that can be used by companies as part of a
risk management strategy to reduce the risk associated with adverse or unexpected
weather conditions.
The derivative, in this case, is some objective measure of the weather, such that the
weather derivative pays based on the variability of the observed weather from an index.
So, for example, a weather derivative might pay based on the number of days when a low
(or high) temperature was exceeded.
Example
Farmers, for instance, would use weather derivatives to hedge against poor harvests that
result from a lack of rain or unseasonable snowstorms. Theme parks, on the other hand,
might use weather derivatives to insure against rainy weekends during peak season.
Energy companies, in particular, have been at the forefront of the development of the
weather derivative market.
d) Finite risk products
Finite risk products are similar to traditional insurance, but with a twist. Unlike typical
insurance contracts, which are typically of 12 months' duration, finite risk insurance
products have a longer term - say, 10 years.
These products are particularly useful where the risk sought to be insured against is a
high-severity, low-frequency event, such as an oil spill.
Example
For example, if we assume an actuarial analysis predicts the occurrence of an oil spill
within the next 10 years, the probability of such an event occurring in any one year within
that period is 1 in 10 (or 10%).
The oil producer could, of course, insure that risk by purchasing an annual insurance
policy.
If the risk did not occur in that first year, the oil producer would be out its premium, which
the insurance company would have invested to produce income for its shareholders.
The oil producer would then need to renew the insurance policy for the following year. If
the risk also did not materialize in that second year, the result would be the same as the
first, and this would continue for each year the annual policy is renewed and the oil spill
did not occur. Alternatively, the oil producer could procure at the outset a finite risk
contract that covers the entire 10-year period. If the oil producer and its insurer estimated
that the oil spill would occur in year seven, they could reduce to present value the
resulting liability.
In exchange for the payment of a premium approximating that liability estimate, the oil
producer and its insurer would agree to share the investment income generated by the
premium. The oil producer also would be entitled to deduct the premium paid at the
outset of the transaction and - if the insured risk did not materialize during the term of
the contract - to the return of a substantial portion of the premium paid.
These benefits have made finite risk products increasingly popular, despite the negative
press attention these products have received as a result of alleged abuse by certain
insurers and reinsurers.
Case study
Article by Rachel S. Kronowitz and Chidi J. Ogene - Legal Experts, USA
This article by Rachel S. Kronowitz and Chidi J. Ogene looks at alternative risk financing
with a slightly different focus, categorizing the options into:
1. Alternatives to insurance companies; and
2. Alternatives to insurance products.
"Organizations typically purchase insurance policies to mitigate risks. However,
businesses beset by higher premiums or by the inability of insurance companies to cover
their risks adequately have sought other options. Increasingly, they find that they can
manage risk using financial instruments and other arrangements in addition to insurance
policies. Known as alternative risk financing, these arrangements combine risk transfer
and risk retention techniques with self-insurance to provide alternative (or
complementary) options to traditional insurance.
Certain alternative risk financing techniques have been around for quite some time, and
their popularity has followed or been affected by the vagaries of the insurance market.
However, recent events have contributed to renewed, and quite possibly more
permanent, interest in alternative risk financing. For example, catastrophes such as the
WTC terrorist attacks of September 11, 2001, and natural disasters such as the 2005
tsunami and Hurricane Katrina have led many to believe that similar catastrophic events
will occur with increasing frequency and that the hardening of insurance markets that
occurred following these disasters threatens to be permanent.
In addition, recent corporate scandals led to the passage of the Sarbanes-Oxley Act of
2002, in USA, which requires chief executive officers and chief financial officers of publicly
traded companies to certify that their companies have adequate internal controls. This
statutory requirement has, in turn, convinced many companies of the value of a strategic,
business-wide approach to risk management and has also led to elimination of the
traditional barriers between a company's finances and insurance-buying operations.
These trends have prompted business executives to seek out other risk mitigation
options, such as alternative risk financing.
In this article, we will examine a variety of different alternative risk financing techniques
and products that companies now use to mitigate or transfer risk outside of the traditional
insurance-based model."
Study Questions.
1. What are the main goals of ART?
2. What does finite risk insurance mean and which products fall under it?
3. Define what multi-owner captive insurance companies are.
4. How is self-insurance done and how does it offer an ART mechanism?
CHAPTER 9: BUSINESS CONTINUITY MANAGEMENT
Introduction
This chapter looks at business continuity management, the differences between the
terms disaster, emergency and catastrophe. It also looks at disaster phases, the
emergency threats and the business continuity planning process.
Learning outcomes
After completion of this chapter you should be able to;
Explain what Business Continuity Management is
Give the differences between emergency, disaster and catastrophe
Give the major emergency threats
Explain the disaster phases
Describe the Business continuity management planning process.
Unit Structure
Definition of business continuity management
Emergency, disaster and catastrophe
Emergency threats
Disaster phases
Business continuity planning
Study guide
You are expected to have a proper understanding of how to identify and analyse loss
exposures.
9.1 DEFINITION OF BUSINESS CONTINUITY MANAGEMENT
Business continuity management (BCM) is a framework for identifying an organization's
risk of exposure to internal and external threats.
The goal of BCM is to provide the organization with the ability to effectively respond to
threats such as natural disasters or data breaches and protect the business interests of
the organization. BCM includes disaster recovery, business recovery, crisis management,
incident management, emergency management and contingency planning.
According to ISO 22301, a business continuity management system emphasizes the
importance of:
• Understanding continuity and preparedness needs, as well as the necessity for
establishing business continuity management policy and objectives.
• Implementing and operating controls and measures for managing an organization’s
overall continuity risks.
• Monitoring and reviewing the performance and effectiveness of the business
continuity management system.
• Continual improvement based on objective measurements.
Illustration of Business Continuity Management
9.2 EMERGENCY THREATS TO BUSINESS CONTINUITY
Emergency preparedness is a process. It’s not just about having a plan to do a fire drill
once a quarter, but how to keep the business going during and after a crisis. This fact
grows more relevant every day as companies face the challenges of a riskier society.
Business continuity is about ensuring your company is prepared for any crisis.
Before you get started with defining a business continuity plan, you must conduct a
vulnerability assessment to understand your company’s major weak points in the
response during a crisis and the subsequent recovery period. A business impact analysis
is a way to understand how threats will affect business functions. After documenting the
risks to your organization, research which tools, such as an emergency notification
system, document storage, and training, would be most critical for your emergency
prevention and disaster recovery.
The most common threats to consider in your emergency management plans are:
1. Workplace Violence
The threat of an active shooter entering into an office is a scary reality. What would your
employees do in the event a gunman started shooting in your building?
2. Winter Storms
As some countries continue to get hammered with snow and ice by winter storms, your
business needs to have a plan in place for employees to work remotely.
3. Hurricanes
If businesses learned anything from Hurricane Sandy, it’s the importance of having a
backup plan in place to continue operations well before a hurricane hits land.
4. Earthquake
The East Coast earthquake showed they can happen almost anywhere and most don’t
know what to do. Over 45 states in the U.S. are at risk for earthquakes. According to
FEMA, your risk can be assessed by considering your hazard, exposure, and vulnerability.
6. Office Fire
On Jan. 27, more than 200 people were killed when a fire broke out in a Brazilian
nightclub. Fire alarms, extinguishers and escape routes aren’t enough unless your
employees know what to do.
7. Wildfire
The ongoing drought plaguing Midwest and Southern states since 2010 has cost the
economy more than $35 billion plus impacted the gross-domestic product by even more.
Another cause for concern is when dry conditions spark wildfires. In 2012, the Colorado
wildfire caused 32,000 people to be evacuated and destroyed hundreds of buildings. Is
your business located in one of the areas impacted by drought and at risk for wildfire?
8. Flood
Flooding is one of the most common natural disasters in the world and it can happen
pretty much anywhere at any time. But your office can flood simply by the sprinkler
system malfunctioning. Do you have your documents backed up in the event important
papers are destroyed in a flood?
9. Influenza
The Center for Disease Control estimates up to 50,000 deaths from flu are possible in
2013. Our trained emergency management consultants have tips on how to prevent flu
from spreading in your office. The most important way to prevent the spread of disease
in your office is to encourage employees to stay at home at the first sign of illness, plus
have alcohol-based hand sanitizer located around the workspace. Your business
continuity plan should also focus on working with a depleted workforce.
10. Blackout
There are many different types of power outages in various ranges of severity but a key
component of handling a blackout is ensuring your data is secured in a location outside
the walls of your office. A full list of classifications of power outages, what to do in the
event of a blackout, and the subsequent recovery process is available
11. Cyber Attacks
12. Act of terrorism
13. New laws and regulations
14. IT-related threats continue to provide the greatest concern for organisations,
according to a new report published by the Business Continuity Institute (BCI), in
association with the British Standards Institution (BSI).
The annual BCI Horizon Scan has pitted such threats above other threats like natural
disasters, security incidents and industrial disputes.
Three quarters (77%) of business leaders said they fear the possibility of an unplanned IT
and telecoms outage, whilst 73% worry about the possibility of a cyber-attack or data
breach.
The report has also identified long-term trends, with 73% seeing the use of the internet
for malicious attacks as a major threat that needs to be closely monitored, and 63%
feeling the same way about the influence of social media.
9.3 EMERGENCY/DISASTER/CATASTROPHE
Emergency
An emergency is an unplanned event that:
• Significantly disrupts normal operations
• Poses a serious threat to persons or property
• Cannot be managed by routine response
• Requires a quick and coordinated response across multiple
departments or divisions.
DISASTER
Disaster can be defined as an event of natural or manmade causes that leads to sudden
disruption within society, causing damage to life and property to such an extent that it is
beyond the capacity of normal social and economic mechanisms to cope with.
Industrial disaster
Industrial disasters are caused by chemical, mechanical, civil, electrical, or other process
failures due to accident, negligence or incompetence, in an industrial plant which may
spill over to the areas outside the plant causing damage to life and property.
Chemical disasters
Chemical disasters are occurrences of emission, fire or explosion involving one or more
hazardous chemicals in the course of industrial activity or storage or transportation or
due to natural events leading to serious effects inside or outside the installation likely to
cause loss of life and property including adverse effects on the environment.
CATASTROPHE
Catastrophe is not the same as disaster. It is a sudden and widespread disaster: any
natural or manmade incident, including terrorism, that results in extraordinary levels of
mass casualties, damage or disruption severely affecting the population, infrastructure,
environment, economy, national morale, and/or government functions.
9.4 Phases of Disaster
A model has been designed to help emergency managers prepare for and respond to a
disaster; it is also known as the ‘life cycle’ of comprehensive emergency management. The four
phases of disaster are: 1) mitigation; 2) preparedness; 3) response; and 4) recovery.
The model helps frame issues related to disaster preparedness as well as economic and
business recovery after a disaster. Each phase has particular needs, requires distinct tools,
strategies, and resources and faces different challenges. The issues addressed below
relate to the resiliency and recovery of the local economy and business community before
and after a major disaster.
Figure: the four phases of disaster.
• Mitigation: pre-disaster mitigation efforts
• Preparedness: education, outreach and training; business continuity and emergency management planning
• Response: immediate response to stakeholders; establish Business Recovery Centre
• Recovery: post-disaster economic recovery plan
Phases of Disaster
Mitigation
Mitigation involves steps to reduce vulnerability to disaster impacts such as injuries and
loss of life and property. This might involve changes in local building codes to fortify
buildings; revised zoning and land use management; strengthening of public
infrastructure; and other efforts to make the community more resilient to a catastrophic
event.
Preparedness
Preparedness focuses on understanding how a disaster might impact the community and
how education, outreach and training can build capacity to respond to and recover from
a disaster. This may include engaging the business community, pre-disaster strategic
planning, and other logistical readiness activities. The disaster preparedness
activities guide provides more information on how to better prepare an organization and
the business community for a disaster.
Response
Response addresses immediate threats presented by the disaster, including saving lives,
meeting humanitarian needs (food, shelter, clothing, public health and safety), cleanup,
damage assessment, and the start of resource distribution. As the response period
progresses, focus shifts from dealing with immediate emergency issues to conducting
repairs, restoring utilities, establishing operations for public services (including
permitting), and finishing the cleanup process.
Triage efforts assess and deal with the most pressing emergency issues. This period is
often marked by some level of chaos, which can last a month or more, depending on the
nature of the disaster and the extent of damage. Federal resources, such as action from
the Federal Emergency Management Agency (in the case of a major disaster declaration)
and non-profit resources such as the Red Cross are deployed immediately.
Business re-entry into the economy begins during this phase. Businesses initially may
face issues with access to their site, preliminary damage assessment, and
communications with staff, vendors, suppliers and customers. Ongoing issues may
include access to capital and workers, the repair of damaged property or inventory, and
a diminished customer base. It is in this phase that the long-term future of a region’s business
base will be saved or lost.
Business Recovery Centres are quickly set up in a community to centralize small business
recovery resources.
RECOVERY
Recovery is the fourth phase of disaster and is the restoration of all aspects of the
disaster’s impact on a community and the return of the local economy to some sense of
normalcy. By this time, the impacted region has achieved a degree of physical,
environmental, economic and social stability.
The recovery phase of disaster can be broken into two periods. The short-term phase
typically lasts from six months to at least one year and involves delivering immediate
services to businesses. The long-term phase, which can range up to decades, requires
thoughtful strategic planning and action to address more serious or permanent impacts
of a disaster. Investment in economic development capacity building becomes essential
to foster economic diversification, attain new resources, build new partnerships and
implement effective recovery strategies and tactics. Communities must access and deploy
a range of public and private resources to enable long-term economic recovery.
9.5 BUSINESS CONTINUITY MANAGEMENT PLANNING
Business continuity planning (or business continuity and resiliency planning) is the
process of creating systems of prevention and recovery to deal with potential threats to
a company.
Any event that could negatively impact operations is included in the plan, such as supply
chain interruption or loss of or damage to critical infrastructure (major machinery or
computing/network resource). As such, risk management must be incorporated as part
of BCP.
Illustration of Business Continuity Management planning lifecycle.
ANALYSIS
The analysis phase consists of impact analysis, threat analysis and impact scenarios.
Business impact analysis (BIA)
A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-
urgent) organization functions/activities. Critical functions are those whose disruption is
regarded as unacceptable. Perceptions of acceptability are affected by the cost of
recovery solutions. A function may also be considered critical if dictated by law. For each
critical (in scope) function, two values are then assigned:
• Recovery Point Objective (RPO) – the acceptable latency of data that will not be
recovered. For example, is it acceptable for the company to lose 2 days of data?
• Recovery Time Objective (RTO) – the acceptable amount of time to restore the
function.
The recovery point objective must ensure that the maximum tolerable data loss for each
activity is not exceeded. The recovery time objective must ensure that the Maximum
Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
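The RPO and RTO rules above can be checked mechanically against a BIA register. The following is an added example, not part of the course text: the CSV layout, field names, finding codes and sample figures are constructed, and treating the backup interval as the worst-case data loss and comparing the last recovery test with the RTO are assumptions of the example.

```python
import csv
import io
import re
from datetime import timedelta

# Constructed sample register (not from the course text). Durations are a
# number plus m/h/d; an empty last_test means no recovery test is on record.
SAMPLE_REGISTER = """\
function,rpo,max_data_loss,rto,mtpod,backup_interval,last_test
Claims payment,4h,4h,8h,1d,1h,6h
Policy administration,2d,1d,3d,2d,1d,
Customer call centre,12h,12h,4h,12h,1d,9h
Premium collection,1h,2h,soon,8h,30m,2h
"""

_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_DURATION = re.compile(r"^(\d+)([mhd])$")


def parse_duration(text):
    """Turn '30m', '4h' or '2d' into a timedelta; return None if unparseable."""
    match = _DURATION.match(text.strip().lower())
    if not match:
        return None
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def check_row(row):
    """Return the list of finding codes for one critical function."""
    findings = []
    values = {}
    for field in ("rpo", "max_data_loss", "rto", "mtpod", "backup_interval"):
        values[field] = parse_duration(row.get(field) or "")
        if values[field] is None:
            findings.append(f"INVALID_{field.upper()}")
    if findings:
        return findings  # cannot compare against an unknown objective

    # RPO must not exceed the maximum tolerable data loss for the activity.
    if values["rpo"] > values["max_data_loss"]:
        findings.append("RPO_EXCEEDS_MAX_DATA_LOSS")
    # RTO must not exceed the Maximum Tolerable Period of Disruption (MTPoD).
    if values["rto"] > values["mtpod"]:
        findings.append("RTO_EXCEEDS_MTPOD")
    # Assumption: a failure just before the next backup loses one full interval.
    if values["backup_interval"] > values["rpo"]:
        findings.append("BACKUP_INTERVAL_EXCEEDS_RPO")

    # Assumption: the register records the restore time measured in the last test.
    last_test = (row.get("last_test") or "").strip()
    if not last_test:
        findings.append("RECOVERY_NEVER_TESTED")
    else:
        measured = parse_duration(last_test)
        if measured is None:
            findings.append("INVALID_LAST_TEST")
        elif measured > values["rto"]:
            findings.append("TESTED_RECOVERY_EXCEEDS_RTO")
    return findings


def review_register(csv_text):
    """Map each function name in the register to its findings (empty list = OK)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["function"]: check_row(row) for row in reader}


if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

A row with an unparseable objective is reported as invalid rather than skipped, so a register entry such as "soon" cannot pass the review unnoticed.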
Next, the impact analysis results in the recovery requirements for each critical function.
Recovery requirements consist of the following information:
• The business requirements for recovery of the critical function, and/or
• The technical requirements for recovery of the critical function
Threat and risk analysis (TRA)
After defining recovery requirements, each potential threat may require unique recovery
steps. Common threats include:
Epidemic
Earthquake
Fire
Flood
Cyber attack
Sabotage (insider or external threat)
Hurricane or other major storm
Utility outage
Terrorism/Piracy
War/civil disorder
Theft (insider or external threat, vital information or material)
Random failure of mission-critical systems
Power cut
The impact of an epidemic can be regarded as purely human, and may be alleviated with
technical and business solutions. However, if people behind these plans are affected by
the disease, then the process can stumble.
Impact scenarios
After identifying the applicable threats, impact scenarios are considered to support the
development of a business recovery plan. Business continuity testing plans may
document scenarios for each identified threat and impact scenario. More localized
impact scenarios – for example loss of a specific floor in a building – may also be
documented. The BC plans should reflect the requirements to recover the business in the
event of the widest possible damage. The risk assessment should cater to developing impact
scenarios that are applicable to the business or the premises it operates. For example, it might not
be logical to consider a tsunami in the Mideast region since the likelihood of such a threat
is negligible.
Recovery requirement
After the analysis phase, business and technical recovery requirements precede the
solutions phase. Asset inventories allow for quick identification of deployable resources.
For an office-based, IT-intensive business, the plan requirements may cover desks, human
resources, applications, data, manual workarounds, computers and peripherals. Other
business environments, such as production, distribution, warehousing etc. will need to
cover these elements, but likely have additional issues.
The robustness of an emergency management plan is dependent on how much money an
organization or business can place into the plan. The organization must balance realistic
feasibility with the need to properly prepare. In general, every $1 put into an emergency
management plan will prevent $7 of loss.[8]
SOLUTION DESIGN
The solution design phase identifies the most cost-effective disaster recovery solution
that meets two main requirements from the impact analysis stage. For IT purposes, this
is commonly expressed as the minimum application and data requirements and the time
in which the minimum application and application data must be available.
Outside the IT domain, preservation of hard copy information, such as contracts, skilled
staff or restoration of embedded technology in a process plant must be considered. This
phase overlaps with disaster recovery planning methodology. The solution phase
determines:
crisis management command structure
secondary work sites
telecommunication architecture between primary and secondary work sites
data replication methodology between primary and secondary work sites
applications and data required at the secondary work site
physical data requirements at the secondary work site.
IMPLEMENTATION
The implementation phase involves policy changes, material acquisitions, staffing and
testing.
TESTING AND ORGANIZATIONAL ACCEPTANCE
The purpose of testing is to achieve organizational acceptance that the solution satisfies
the recovery requirements. Plans may fail to meet expectations due to insufficient or
inaccurate recovery requirements, solution design flaws or solution implementation
errors. Testing may include:
Crisis command team call-out testing
Technical swing test from primary to secondary work locations
Technical swing test from secondary to primary work locations
Application test
Business process test
MAINTENANCE
The biannual or annual maintenance cycle of a BCP manual is broken down into
three periodic activities:
• Confirmation of information in the manual, roll out to staff for awareness and specific
training for critical individuals.
• Testing and verification of technical solutions established for recovery operations.
• Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis phase.
Information/targets
The BCP manual must evolve with the organization. Activating the call tree verifies the
notification plan's efficiency as well as contact data accuracy. Like most business
procedures, business continuity planning has its own jargon. Organization-wide
understanding of business continuity jargon is vital and glossaries are available.[9] Types
of organisational changes that should be identified and updated in the manual include:
Staffing
Important clients
Vendors/suppliers
Organization structure changes
Company investment portfolio and mission statement
Communication and transportation infrastructure such as roads and bridges
Technical
Specialized technical resources must be maintained. Checks include:
Virus definition distribution
Application security and service patch distribution
Hardware operability
Application operability
Data verification
Data application
Testing and verification of recovery procedures
As work processes change, previous recovery procedures may no longer be suitable.
Checks include:
Are all work processes for critical functions documented?
Have the systems used for critical functions changed?
Are the documented work checklists meaningful and accurate?
Do the documented work process recovery tasks and supporting disaster recovery
infrastructure
Study questions
1. Give the detailed explanation of business continuity management.
2. Differentiate between disaster and catastrophe.
3. Explain the phases of disaster.
4. What falls under the business continuity planning process?
5. Give the major emergency threats in business continuity.
CHAPTER 10: ENTERPRISE RISK MANAGEMENT
Introduction
Enterprise risk management is a comprehensive risk management program that
addresses an organization's pure risks, speculative risks, strategic risks and operational
risks. By packing all of these risks in a single program, the organization offsets one risk
against another and in the process reduces its overall risk.
Learning Outcomes
After completion of this chapter you should be able to;
Explain what Enterprise Risk Management is all about
Give the Limitations of Enterprise Risk Management
Show how ERM impacts on management practices
Describe the ERM process
Unit Structure
Enterprise Risk Management definitions and its application
Limitations of Enterprise Risk Management
ERM impact on management practices
Other ways that ERM can contribute to value creation
ERM process
Study Guide
You are expected to have clear understanding of the risk management process and
the concept of risk management.
10.1. ENTERPRISE RISK MANAGEMENT DEFINITIONS AND ITS APPLICATIONS CII 3/7 &
3/10
In chapter 2 we saw that risk management in an organization is an integrated process
aimed at identifying and controlling risks that may affect the achievement of corporate
goals. It depends on:
• a clear statement of objectives from the board of directors;
• a systematic approach to risk identification in changing circumstances;
• an analysis of risks against criteria set by the board; and
• effective management of selected risks.
Responsibility for risk management remains with the board so there is need for a clear
communication and reporting structure. The purpose of this is twofold: to assure the
board the system is working as intended and to enable them to exercise necessary
control.
The structure an organization sets up to control risk management across the whole of its
organization is known as enterprise risk management (ERM). As well as being a framework
to control risk management activities, ERM systems allow all the risks involved in an
organisation to be looked at together and from different perspectives. This is known as a
holistic approach.
ERM has been recognized as an important element of strong corporate governance.
Today its use in large organizations is internationally supported by laws, regulations and
compliance requirements. For large or public organizations, ERM is no longer an option.
Moreover, all public companies are required to report on risk factors, and potential
investors and their advisers will take into account how well risk management standards
are applied. Regulators demand effective ERM and stakeholders such as lenders,
customers, suppliers and staff organizations often ask for evidence that risk taking is
under control.
As a result, it is important not only that ERM systems be in place and working, but also
that they be seen and proved to be working by independent assessors. Regular audits are
essential, not only to provide assurance that processes function to specified standards,
but also to monitor results.
However, successful risk management is not just about compliance and assurance. There
are a number of benefits that successful risk management provides, including:
• better informed strategic decisions;
• successful management of change and higher operational efficiency;
• more accurate financial reporting;
• reduced borrowing costs; and
• improved competitive advantage.
Small and medium-sized organizations may not have the resources to implement full ERM
systems and may not have pressure from outside to conform. However, similar
advantages can accrue for any organisation prepared to analyze all types of risk on a
regular basis, even if their systems are skeletal and concentrate only on significant items.
A successful ERM system has two key elements:
• First is a workable framework clarifying functional responsibilities and interactions,
and the systems for internal communication, reporting and control.
• Second, personalizing this framework, is a set of terms of reference for key staff. This
clarifies individual requirements for communications, reporting and control.
The ERM framework is important. It shows how essential functions of an organisation
combine to create an integrated system for managing risk across the whole organisation.
It specifies required information flows and procedures for achieving them. It identifies
where overlapping responsibilities might occur and, together with the job descriptions,
will clarify who is responsible for initiating action plans and ensuring their success.
ERM is a dynamic management system which requires that people be organized and trained
to carry out delegated tasks within specified boundaries and specified communication
and reporting channels.
However, this takes place in an environment that is subject to continual change.
Maintaining integrity of the framework throughout a large organisation is often a full-time
task, requiring constant monitoring of the system to see if it is working and measurement
of performance against intended results.
In a typical ERM system, a group risk management function would be responsible for:
• setting up and maintaining the ERM framework; and
• managing all risk management functions within the group.
The head of this function might be called chief risk officer, group risk manager or some
equivalent title. The chief risk officer would fulfil their responsibilities through a number
of subordinate risk officers, each with a designated area of interest and specified tasks to
address. In large organizations a number of risk officers could be supervised by an
intermediate risk manager if appropriate.
Depending on the organisation, the group risk management function can be a central
coordinating and collation unit, and will have the minimum number of staff required
to operate efficiently. Individual function managers would still own processes,
controls and technical aspects of all work related to their function, but would liaise
with group risk management when reviewing risk controls.
10.2. Limitations of Enterprise Risk Management
ERM does not provide absolute assurance that the organization’s objectives will be met,
as actual risk events are subject to the uncertainty of the future. Instead, ERM identifies
and monitors risk events deemed significant to the organization’s mandates.
Further, ERM is limited by the imperfections of the people entrusted with its
implementation.
Five factors influence the quality of ERM:
1. Judgment: Human judgment can falter under the pressures of time and information
constraints.
2. Breakdowns: Mistakes and errors can result from fatigue, distractions, or lack of
training and experience.
3. Collusion: Two or more individuals may collude to circumvent controls, conceal activity
or alter data.
4. Cost versus Benefit: The benefit of a risk concern must be weighed against resource
constraints. Valuation of costs and benefits may be directly measurable or may be
subjective assessments.
Example
For example, the cost of a training program to assess creditworthiness is quantifiable,
whereas customer response to cumbersome qualification procedures is not.
5. Management Override: Management override suspends prescribed controls for
illegitimate purposes. Whereas management intervention may be necessary for
processing exceptional transactions, management override misuses authority for
proscribed activities.
10.3. ERM impact on Management practices
Enterprise Risk Management standards must accommodate a range of company
environments from small to large, decentralized to hierarchical, and informal to formal
lines of authority. Also, because different industries face and tolerate different risk
profiles, controls that are appropriate for one industry may not be meaningful to another.
Rather than controlling risk from a canned prescription, a company’s management team
must design ERM around a set of guiding principles.
The company's mind-set toward ERM determines the efficacy of the risk management.
Developing a culture of risk management brings company-wide cooperation, talent and
expertise to bear on any and every aspect of risk.
Perhaps no single effort can produce greater results than developing the risk
management culture: training, supporting, communicating, and compensating risk-smart
behavior.
Employees persuaded of the company's attitude toward risk can contribute to the design
of risk practices within their areas of expertise and are better equipped to detect hidden
risks in routine operations.
With an ERM infrastructure in place, line management can be relied on to perform the
initial risk analysis. Competent managers, already experts in their unit's role within the
company, can fold risk controls into business decisions to protect the company from
inappropriate risk exposure.
Under a strong RM culture, the value of RM is broadly recognized within the company
and no competent manager would suggest a product that inappropriately exposed the
company to risk.
The results of the risk analysis may or may not roll up to the formal ERM team depending
on how they can be used; the analysis may facilitate the unit's own business decisions, or
it may reveal risks that should be considered in aggregate with the company's portfolio
of risk by the ERM team's executive management.
Ideally, risk information is shared where risks are most strongly linked. To be truly
embedded in the company culture, ERM must have a voice at the executive management
level.
The board of directors is responsible for making certain that senior management
establishes RM strategies that optimize available resources. Senior management must
have sufficient knowledge of and expertise in the company's activities to develop RM
systems and controls and to judge their success.
As an ERM expert serving at the executive level, the Chief Risk Officer (CRO) establishes a
channel for two-way communication throughout the organisation. Responsibility for RM
must be independent of risk-taking functions to prevent conflicts of interest.
The role of oversight for ERM must be clearly documented, and relationships between
compliance, internal audit and management functions should be unambiguous.
Company culture, involvement by line management, two-way communication, support at
the executive level, and expert use of appropriate ERM guidelines determine the efficacy
of RM in achieving the company's goals. Once in place, the ERM team charged with
overseeing RM affords the company an enterprise wide view of opportunities and threats.
By understanding individual unit risk, or silo risk, and by assessing the individual risks in
aggregate, the ERM team can evaluate an accurate cost of the company's risk exposure.
The company can then charge back the cost of risk to the individual business units by
requiring them to hold appropriate reserves (economic capital). Equivalent to the capital
budgeting process, the allocation of risk capital according to the reserve requirement
achieves an efficient use of company resources.
The ERM team can yet again add value by taking further advantage of the portfolio view
of risk. The mitigation of silo risk viewed through the lens of corporate strength may
reveal opportunities for new products and investment strategies that would otherwise
remain hidden.
Diversification of division risk may expose lucrative opportunities for the company in
instances that show no or negative significance for the individual unit; pooled risks
present a different profile than the constituent risks at the individual level, as discussed
in the Introduction-Enterprise Risk Management Defined.
As an example of integrating risk management across an organisation, consider a
company's liquidity, that is, its ability to raise cash. This key element of financial
strength can be a source of profit or drain. Failure to meet obligations can quickly throw
a company into financial ruin.
Yet even generous reserves and economic capital cannot obviate liquidity risk. Instead,
an oversupply of cash may harm the company by tying up limited resources needed to
realize the company's objectives. A well-designed risk management strategy is essential
to preparing for uncertain events without undermining corporate strength.
10.4. Other ways that ERM can contribute to value creation
In the past decade, there have been many mergers of companies of all sizes. Companies
have combined with companies within their industry as well as outside their industry, i.e.
banks with insurance companies. When a company is small, there are few employees and
even fewer at the helm. It is easy for a handful of people to manage both the assets and
liabilities at small companies.
Whether or not the assets and liabilities are properly handled is another matter. However,
as companies grow, more people are employed to run the different departments that
begin to emerge. Along with the growing pains, employees begin to have a better
understanding of their particular department but tend to know less and less about the
workings and issues of other departments. This compartmentalization magnifies with
growth and mergers.
Large companies tend to have departments just to manage debt portfolios, equity
portfolios, and different product lines, i.e. life versus health, and the very large companies
have companies within companies. Although practitioners of each component of an
enterprise may be quite skilled, there must be an overall risk management plan and
system for an entire enterprise.
All enterprises have operational and financial risks thereby needing capital to cover these
risks. Managing capital implies that there will be enough financial resources to cover
operational and financial risk and managing risk implies that operational and financial
risks are covered by capital. Thus, efficiently managing capital and risk together is
essential to survival and will reduce the enterprise risk.
The first step is to outline the risks of the firm and quantify each one. Next, a dynamic
financial model can be developed. Most importantly, the model should recognize all sources
of capital available, including equity (for capital adequacy), debt (for financial
leverage), and insurance (for risk leverage).
F. Organizational objectives for pursuing ERM
1. Competitive advantage
For organizations that are in the business of taking risks, risk management plays a crucial
role in the success and survival of the organizations. Traditionally, companies treat
different types of risks as separate matters and deal with them independently. Enterprise
Risk Management, on the contrary, treats all risks as a combined portfolio and manages
them holistically.
This holistic approach agrees with the Modern Portfolio Theory, which states that it is
possible to construct a portfolio that is reasonably safe even if it contains a number of
uncorrelated high-risk investments.
Organizations using integrated ERM obviously have competitive advantages over
companies using traditional risk management in the sense that ERM not only passively
engages risk controls, but also actively pursues risk optimizations, which further
translates into value creation.
2. Strategic goals
In order to succeed, organizations need to set business strategies, both offensive and
defensive. Sometimes being a market pioneer and taking on specific risks might pave the
way to become the market leader. However, an organization needs to make sure it
understands what it is getting itself into before jumping in.
On the other hand, merely maintaining the market share and playing safe might not be
the best way to utilize capital. ERM can influence business strategies by identifying
potential adjustments related to previously unidentified opportunities and risks.
In addition, ERM provides a way for senior executives to not only translate the vision into
sound strategies, but also makes sure these strategies achieve sustainable competitive
advantages.
Aligning ERM resources and actions with the business strategy can maximize
organizational effectiveness. Moreover, by linking ERM with business strategy, risk
process can be carried out in the context of where a business is headed, not just based
on where it is today.
3. Shareholder value
Enterprise Risk Management can help an organisation achieve its business objectives and
maximize shareholder value. Companies that undertake a risk-based program for
shareholder value management typically can add 20 to 30 percent or more to
shareholder value.
Tip
A 1998 study by George Allayannis and James Weston has suggested that active risk
management contributes to shareholder value.
Risk management adds value not only to individual companies, but also supports overall
economic growth by lowering the cost of capital and reducing the uncertainty of
commercial activities.
Organizations that develop an ERM framework for linking critical risks with business
strategies can become highly formidable competitors in the quest to add value for
shareholders.
4. Transparency of management (reduction of agency costs)
ERM involves:
• setting risk appetite and policy;
• determining organizational structure; and
• establishing corporate culture and values.
These three tasks are closely allied to the work of the board. With ERM in place, they can
be more easily communicated to the employees and further increase the transparency of
management. Senior executives with a significant portion of their wealth tied up in
company stocks and options have a direct financial interest in the success and survival of
the firm. These incentives, if structured appropriately, work to put the "skin in the game"
for managers, resulting in a strong alignment between management and shareholder
interests.
Risk management provides managers with a higher degree of job security and protects
their financial interests in their firm. This substantially reduces the agency cost.
5. Decision-making
In order to make sound and effective decisions, senior managers need sufficient
information. When making business decisions, risk adjusted return plays an important
role. Senior managers need to evaluate business opportunities based on not only total
returns, but also the risks associated with them, i.e., risk adjusted return.
ERM, which controls risks in a combined portfolio approach, substantially enhances the
decision making process. Furthermore, ERM requires the integration of risk management
into the business processes of a company. Rather than the defensive or control-oriented
approaches used to manage downside risk and earnings volatility, ERM optimizes
business performance by supporting and influencing pricing, resource allocation, and
other business decisions. It becomes an offensive weapon.
6. Policyholder as a stakeholder
When people think about a company's stakeholders, they often think only about those
who hold its equity and perhaps those who hold its debt. However, a truer picture is that
the stakeholders include any group or individual that supports and participates in the
survival and success of a company.
In the case of an insurance company, individual policyholders are an important
stakeholder. After all, an insurance company cannot survive without policyholders, and
hence there is obviously a great need for customer management. For traditional
insurance business, a company normally incurs upfront investment when issuing a policy
and it needs to keep policies in force to recoup the cost.
With an ERM infrastructure in place, the insurance company can improve the risk
transparency to regulators, rating agencies and equity analysts. Through timely and
effective communication and reporting, the insurance company provides assurance to its
policyholders that appropriate risk management strategies are in effect. Policyholders, as
a stakeholder, will have confidence in the company's ability to meet future obligations
and are less likely to lapse.
10.5. ERM Process
The activities of ERM can be organized into four themes, as shown in the diagram below:
Diagram 2: Activities of ERM (themes: risk control, strategic risk management,
catastrophic risk management, risk management culture)
1. Risk control
Definition
Risk Control is the process of identifying, monitoring, limiting, avoiding, offsetting and
transferring risks.
The primary objective of Risk Control is to maintain the risks that have been retained by
the enterprise at levels that are consistent with company risk appetites and company
plans.
Risk Control is most effective if it is applied universally throughout the organisation, but
can still be very useful if applied separately to divisions or business units of an enterprise.
2. Strategic risk management
Definition
Strategic Risk Management is the process of reflecting risk and risk capital in the strategic
choices that a company makes.
Strategic Risk Management usually has as its objective the optimization of risk adjusted
results for the organisation. That is accomplished by choosing the strategic alternatives
that have the best return for the level of risk that is associated with them.
Strategic Risk Management is only effective if it is applied universally throughout the
organisation. In fact, uneven application of Strategic Risk Management can actually hurt
the risk adjusted return of the company by thwarting options with moderate risk reward
profiles in areas that are practicing Strategic Risk Management while allowing areas
without Strategic Risk Management discipline to pursue plans that have poor risk adjusted
returns.
The Risk Control process is used in conjunction with the Strategic Risk Management
process to ensure that risks that are retained by the company do not exceed expectations
during implementation of the company's plans.
3. Catastrophic risk management
Definition
Catastrophic Risk Management is the process of envisioning and preparing for extreme
events that could threaten the viability of the enterprise.
The primary objective of Catastrophic Risk Management is to anticipate potential
disasters that could destroy the enterprise for the purpose of developing contingency
plans to minimize the impact of those disasters on the enterprise and to produce the
environmental monitoring that would provide potential advance warning of the disasters.
Catastrophic Risk Management Process involves:
a) Trend analysis
Looking for patterns that suggest potential emergence of negative situations
b) Stress testing
Determine the impact on the firm of imagined extreme adverse scenarios. Impacts include
financial, reputational, regulatory, credit ratings, etc. Stress tests are often repeated
periodically and changes in the impact on the company from successive tests are noted.
c) Contingency planning
For some or all of the scenarios that are being stress tested and/or are suspected
possibilities from trend analysis, the company develops a set of specific action plans
detailed enough to be helpful in a fast moving situation, but flexible enough to be useful
in an emergency that is not exactly the same as what was anticipated.
d) Active catastrophic risk management
When catastrophe strikes, the firm is prepared to take decisive timely action and clear
communications to all stakeholders and media about those actions and does initiate and
complete those actions and communications effectively.
e) Problem post mortem
After any serious problem situation, whether it results in a loss or the loss is forestalled
by the ERM process, the firm uses the situation as a learning opportunity, identifies
what went well and poorly with the ERM process, and communicates that learning broadly.
f) Catastrophic risk transfer
Involves consideration of insurance or capital markets transactions that would transfer
catastrophic risk exposure to either insurance companies or the capital markets.
4. Risk management culture
Definition
Risk Management Culture is the general approach of the firm to dealing with its risks.
A positive Risk Management Culture will incorporate ERM thinking automatically into all
management decision making.
The primary objective of Risk Management Culture is to create a situation where
Operational, Strategic and Catastrophic Risk Management take place in an organization
without the direct oversight or intervention of the Risk Officer or the Risk Committee.
In a positive Risk Management Culture, management across the firm will be aware of the
risk tolerance, the risk governance process and the return for risk expectations of the firm.
Who are your stakeholders and what do they demand?
Key stakeholders would include the board of directors and management, employees,
policyholders and stockholders. Each type of stakeholder has a different perspective that
influences what each considers most important. However, the company mission/culture
will exert strong influence--
Establishing the organization’s risk management culture will help create a shared high-
level view by all key stakeholders that will promote consistent goals, better decision-
making, coordinated efforts and greater results.
10.6 Case Study
“Higgins? My office now!” Those words summoned risk manager Chuck Higgins to the
office of Steve Davis, president of Third National Bank six months ago. When he was hired,
Higgins pledged to institute an enterprise risk management program at the bank. When
Higgins responded to the president’s message, he got fired!
After joining the bank, Higgins reviewed the traditional property, liability, and
personnel-related loss exposures faced by the bank. When he tried to learn about the
bank’s financial risks, the chief loan officer and chief financial risks. He was angry when
he learned that 30 percent of the bank’s mortgage loans were in default, and the bank
would have to take a $25 million charge for bad mortgage loans. He was livid when he
learned the bank would have to pay $20 million to a hedge fund because the bank
guaranteed that an auto parts company would not default on bonds it issued.
When news of the mortgage loan write-off and loan guarantee loss became public, the
bank’s stock price plummeted. As discussed in chapter 3, a risk manager’s job involves
more than simply purchasing insurance. A risk manager must identify the loss exposures
faced by the organization, analyze those exposures, select and implement a combination
of risk treatment measures, and monitor the success of the risk management program.
This chapter builds on the discussion of risk management in chapter 3 and discusses some
advanced topics in risk management. Topics discussed include the changing scope of risk
management, insurance market dynamics, loss forecasting, financial analysis in risk
management decision making, and application of several risk management tools.
Study Questions.
Explain what ERM is all about
How does ERM impact on Management Practices?
What are some of the Limitations of ERM?
Give the ways that ERM can contribute to value creation.