Managing Risk on a Shoestring Budget: The Importance of Risk Management to Midsize Companies
by Stuart Bassett
Effective identification, prioritization, and management of risk must be a priority for all organizations, not just large ones.
Risk, with its potential impact on an organization and the costs associated with it, is not something that only large, multibillion-dollar companies need to proactively manage. It can affect a business of any size and, given the fewer resources available to small and midsize companies to counteract it, can have far more devastating consequences. The reality is that a multinational company with multiple product lines, thousands of employees and billions of dollars in revenue may be able to weather the storm surrounding a product recall, for example, whereas a midsize firm with two product lines and a staff of 350 may not.
The current business environment presents companies of all sizes with a host of potential risks, from both internal and external sources. Some of these can be anticipated and proactively managed; others cannot. In either case, the very organizations that tend not to focus on risk management because of the perceived costs involved are exactly the ones that need to be more aggressive about it: midsize companies.
This white paper looks at the issue of risk, how midsize organizations need to be managing it, and some of the solutions to help them do that.
Measuring Risk
How can the impact of risk be measured and managed? Risks are measured on two criteria: the likelihood that an event will occur and the consequences if it does. The likelihood criteria range from rare (event may only occur in exceptional circumstances) to almost certain (event is expected to occur in most circumstances). The consequence of a certain event ranges from insignificant to catastrophic. A risk event can impact a company in several ways, including:
- People — killed, injured, absent or inefficient
- Assets — under-utilized, damaged, stolen (including intellectual property issues)
- Corporate reputation — damage to brand
- Surrounding environment — including land, air, and water
- Business operations — current and change management issues
- Revenue — cash flow management
The steps a company takes to identify, prioritize, assess, manage, and transfer risk can have a profound effect on its ability to minimize the impact of that risk, and even to take advantage of certain opportunities that risk may present.
Why Risk Management Matters
A senior executive at a midsize company may think that risk is something that he/she cannot or does not need to proactively manage. However, some basic questions will illustrate the significant impact of risk to an organization and the importance of proactive risk management:
- Do I know my chief risks and have I prioritized them?
- What impact would a business interruption have to the loyalty of my customer base?
- Do I have contingency plans in place to address sudden, unexpected business disruptions?
- What provisions has my organization made for a failing business strategy or plan?
- Does staff absence create a drain on my organization's bottom line?
- Is my working environment hazardous to employees? Do my existing management controls effectively identify and tackle workplace stress?
- Am I doing everything I can to meet regulatory requirements in the area of risk management? How easy would it be for staff to breach these controls?
- Do I miss opportunities to grow the business because I do not have more effective governance practices in place?
- Do I have a risk management information system in place? Does it adequately collect and analyze pertinent data and provide the information I need to manage risk?
- Does my purchase of insurance reflect fairly on my level of risk? Is there an opportunity for me to manage risk another way and reduce the burden of increasing insurance costs?
The answers to these questions will help identify current vulnerabilities and the steps that companies need to take to address them.
Managing Risk
When considering risk management, company executives need to consider three broad issues:
- Management’s knowledge level of current risks
- The effectiveness and efficiency of current risk management strategies
- The alignment of the current insurance program to deal with identified risk
A. Management’s knowledge of and actions dealing with current risks to an organization
- Having a risk inventory provides a central source of risk information that can be used to plan, review, and monitor the success of risk action plans and other risk management activity. It also helps risk information to be factored into day-to-day management decision-making and so contributes to good governance.
- Shared risk management values are important for a company and can be achieved by using common methods to measure risks, an organization-wide approach to prioritizing risk mitigation, and a consistent internal communication program.
- The integration of risk management responsibilities into managers’ key performance indicators will ensure there is both direction and accountability for risk management performance.
- Critical risks warrant continual and consistent attention across the organization. An external perspective to reviewing the consistency of controls and, where there is no consistency, devising an appropriate mix of improvements is a key component to risk management.
B. The effectiveness and efficiency of risk management strategies can be captured in a formalized risk management program
- A formal risk management policy is intended to set out the organization’s approach to risk. It introduces a common language and understanding of risk, demonstrates management ownership and endorsement of an approach and helps ensure that all staff has a sound basis for risk management decision-making.
- If controls are not documented, it is impossible to take a proactive approach to managing risks or to formally delegate responsibility for implementation or train staff, and it is unlikely that there will be consistent application of the controls.
- Members of the Board of Directors must be aware of the organization’s key risks, so keep them apprised of risk identification efforts. Directors cannot fulfill responsibilities for good governance unless they are aware of the organization’s key risks.
- A sound risk management practice will only be achieved when the staff is appropriately trained and there is consistent and regular reinforcement of training.
C. The purchase of various policies of insurance should be determined by sound risk management practices:
- Insurance is often purchased centrally even though most of the risks that influence the premium exist in the operating divisions. Allocating the premium costs to the business units helps ensure that they have a truer picture of its cost and thus will have an incentive to reduce risk exposures.
- Every decision or management action has the effect of in some way changing risks. To manage risks proactively, it is important to routinely identify and measure risks at the time that the business decisions are made. Additionally, it is prudent to review risks periodically, particularly if there have been changes in the external or internal environment or if the company has changed its strategic focus.
- Hiring professionals to provide advice on the limits of liabilities and other risk issues is key in risk management. This also applies to risk control systems and the integration of workers’ compensation insurance with the design of employee safety programs.
- Having a business continuity plan that prepares for unexpected business disruptions should enable the company to operate as usual. Such a plan establishes key procedures and work programs that can be implemented in the event of a sudden business disruption.
- Insurers need to be made aware of these risk management efforts as they will impact both premiums and availability of coverage for different insurance products.
Assessing a Company’s Risk: Where to Start?
For most organizations, getting to grips with the risks that prevent them succeeding can be an onerous, time-consuming and costly business. Without the resources available to larger organizations, risk management often fails to address key threats in the most efficient way. This can result in wasted investment and continued exposure to unidentified or unmanaged risks.
Making risk management work is about identifying and assessing the risks, and being assured that existing controls, including insurance, help to monitor, reduce and manage these risks in a way that provides the maximum payback for the organization.
This approach need not be complex and bureaucratic. It need not be expensive. But senior management must drive it, and in a way that encourages active participation in the long-term.
Processes exist to help organizations organize their risk management approaches. Specifically, they help identify and allocate meaningful management action around the risks that matter most. By providing fast, automated analysis of the risks, this process quickly delivers a tangible return while freeing up valuable management time.
Through a series of interviews and a workshop, every risk identified by management can be assessed for its likelihood and potential impact, building a picture of risks requiring priority action across the organization. The availability and performance of current controls next to these risks can be analyzed and further recommendations can then be developed on risk management and insurance issues. Companies also can use the information as a benchmarked view of their risks and controls next to clients of a similar size and industry, which can help to support subsequent investment decisions on risk management.
The risks a company faces then can be categorized and prioritized. This gives the management of companies a good and comprehensible tool for continued prioritization of resources and thus results in greater efficiency and value.
The Benefits of Risk Identification
Engaging in a risk identification exercise brings valuable benefits to companies:
- It supports the achievement of business goals by making management more conscious of the factors that could impair success, then allowing for proper planning to address them.
- It helps to achieve compliance with regulation and with the expectations of other third parties, such as investors and customers while also identifying gaps in the current risk management program.
- It provides opportunities to cut costs. Immediate cost savings can be achieved through eliminating duplicate processes where risk has previously been managed in an arbitrary fashion. Further savings can be achieved by specific risk management actions that lead to improved efficiencies, such as a reduction in employee accidents or sickness absence.
- It delivers a range of potential insurance benefits. It starts to generate a better quality of risk information that can support underwriting submissions. It opens up discussions on alternative ways in which specific risks can be managed outside the realm of insurance, and with a potentially improved return to the organization. Follow-on actions can work to significantly reduce claims. An entire insurance program can even be redesigned where it is found to be misaligned with key exposures.
- It ensures genuine business ownership from the start. It demystifies the science of risk management by giving it clear business justification.
Conclusion
Effective identification, prioritization, and management of risk must be a priority for all organizations, not just large ones. However, it does not have to be an expensive, exhausting process. Proper utilization of internal resources coupled with sophisticated third-party risk management resources can combine to create an extensive risk management approach. Out of an assessment of the risk management culture and the dollars currently spent on related management/transfer activities, a company can take some very concrete steps that will lead to reduced costs, more certainty around the achievement of business goals, and the achievement of governance obligations.