The Integrated Risk Management Paradigm

Risk Identification and Control

What Is Risk?


Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected . (Vaughn) the threat that any event or action will adversely affect an organizations ability to achieve its business objectives and execute its strategies. (Kloman)

Interpretations


 

Any (-) deviation from what is expected (pure risk) Any (+/-) deviation from what is expected (speculative risk) Expected total losses Variability of total losses around their expected value Exposure, peril, hazard

Traditional Risk Management



Traditional RM is a formal approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures to minimize the occurrence of losses and the financial impact of the losses that do occur.

Traditional Risk Management

    

Board of directors focuses on strategic issues. Treasurer focuses on credit/financial risks. Strategic units focus on operational risks. HR focuses on employment risks. RM focuses on pure or insurable risks.

Traditional RM Paradigm
   

Determination of objectives Identification of risks Evaluation of risks Consideration of alternatives - risk control vs. risk financing Implementation of decisions Evaluation and review

 

Integrated Risk Management



Integrated (enterprise, holistic) RM is a formal approach to the problem of dealing with all risks that endanger the strategic mission.

Integrated RM Paradigm
  

Risk assessment is a continuous activity. All in organization are involved in managing risk. Business risk assessment and control are coordinated and overseen by senior management. Control focuses on:  avoiding unacceptable risk  managing other business risks to reduce impact to acceptable levels  formal risk control policy approved by senior management. and widely distributed/understood  anticipating/preventing (i.e., monitoring controls).

Integrated RM Paradigm


Ineffective processes are the primary source of business risk. Where does risk manager fit into the organization? i.e., who is the CRO ?

Adopting Integrated RM


The CRO must:

     

define consistent approach to RM create organization-wide awareness measure operational and financial risk develop organizational risk map develop other methods, tools, and practices develop outcome measurements

Adopting Integrated RM


Integrated RM involves:


strategic systems - to identify significant risks and determine root causes management systems - to disseminate business risk assessment/control methods throughout the organization, and establish accountability process systems - to establish a common language of risk and RM methods

Risk Management Objectives

Post-Loss Objectives Survival Continuity of Operations Earnings Stability Continued Growth Social Responsibility Pre-Loss Objectives Economic Efficiency Reduction in Anxiety Meeting Externally Imposed Obligations Social Responsibility

Cost of Risk


Some firms use Cost of Risk as objective or performance standard. The Cost of Risk is the total expenditure for RM, including insurance premiums paid and losses retained, expressed as a percentage of revenues. RIMS publishes annual studies on the Cost of Risk, which makes it convenient for risk managers to compare RM costs.

Cost of Risk


Although Cost of Risk varies from industry to industry, it generally averages ~ 1 % of revenues. For a firm whose net profit is 10 % of revenues, the Cost of Risk represents about 10 % of profit.

RM Policy Statement


Once RM objectives have been identified, they should be put into practice through a formal RM policy statement. Such a policy should, inter alia, outline the exposures to be insured and those to be retained, so that serious gaps do not develop in the future.

RM Policy Statement


Objectives and RM policy should be determined by board of directors (or other highest policy-making body in the organization). Risk manager acts as staff advisor to board in formulating RM policy.

Sources of Pure Risk

  

Legal interests in property Dependency issues Tort law

  

intentional torts negligence strict liability

Personnel

Sources of Pure and Speculative Risk



Financial issues


prices: interest rates, commodities, foreign exchange rates credit

  

Regulatory issues Executive protection Strategic issues

Risk Identification
 

Role of an RM policy manual Use of an RM Information System (RMIS) Use of an intranet

Risk Identification


Interviews - some practical advice



 

Use open questions: Ask what, how, why, etc.; avoid questions that can be answered with one word. Use closed questions to bring closure: Ask can, would, do, are, etc. Ask one question at a time. Explore breadth and depth of issues.

Risk Assessment


   

Estimate loss frequency, severity, and annual aggregate losses Frequency - probability of loss Severity - expected size of loss that occurs Account for variability Use confidence levels (how much accuracy is necessary?) Estimate property/business interruption losses

Risk Assessment
 

Special issues with liability risks Damages can be a moving target:

   

Economic v. non-economic damages Punitive damages Collateral source rules Contingency fees

Loss Forecasting


What are expected total (aggregate) losses? Why are fluctuations in expected total losses a concern for risk managers? Why do we need to know when losses will be paid out?

Loss Forecasting


What are we measuring?



 

Average frequency (number of claims) for a certain period of time Average severity (size of claims) for a certain period of time Variability in our forecasts Loss development and pay-out patterns

Risk Mapping


A Risk Map:


identifies risks that may materially and negatively affect a companys earnings quantifies risks in terms of frequency and severity (and may also provide annual aggregate information) illustrates the risks in a manner that facilitates further analysis

Risk Mapping
Low # High $ High # High $

Low # Low $

High # Low $

Risk Mapping


Benefits of Risk Map



 

Identifies in one place all risks facing the firm Permits cross-discipline analyses Focuses attention on areas that are material to the companys financial viability Quantifies magnitude of required level of protection

Risk Mapping


How to construct a Risk Map

  

Determine scope of project Create a team Collect (secondary) data



Public information - financial statements, business periodicals, Nexis/Lexis, etc. Internal documents - business plans, procedure manuals, consultants reports, etc. Benchmark against competitors

Risk Mapping


How to construct a Risk Map (cont.)



Collect (primary) data

 

Questionnaires and interviews Historical loss data - RMIS Policy checklist and exclusions

 

Begin analysis with senior management Include business operations and managers, auditors, engineers (loss prevention)

Risk Mapping


How to construct a Risk Map (cont.)



Consider
 

Plans to grow the business New products and services What keeps management up at night Changing client base Materiality thresholds (i.e., what is significant?) What would cause the firm to go out of business

Remember traditional sources of risk

Risk Mapping


A common way to classify risks



Natural/Property
Earthquakes, fires, bad weather, business interruptions

Legal/Liability
Business practices, products sold, associated vendors, transportation mechanisms

Risk Mapping


A common way to classify risks (cont.)



Employment/Human Resource
Employee benefits, work-related injuries, employment practices, discrimination

Operational/Marketplace
Product-tampering, employee dishonesty, theft of inventory, mergers and acquisitions, supply/demand shifts

Risk Mapping


A common way to classify risks (cont.)



Political
War/insurrection, rioting, nationalization of industry, abrogation of contracts

Financial
Foreign exchange, interest rate, credit, research and development, intellectual property, earnings

Risk Mapping


Determine significance


Look at impact of large potential losses

 

capital impairment interruption of earnings and/or funds material impact on operations

Look at smaller risks in terms of annual aggregation

Displaying Identified Risks



Present all exposures/risk of loss to the organization Map these exposures from a frequency, severity, and annual aggregate perspective Code according to current RM treatment alternatives

Computation of Relative Map Positions



  

Perform actuarial analysis of firmss historical losses Employ industry-wide data Create statistical distributions Perform Monte Carlo simulations
 

How often will losses occur? How severe will they be?

End result - detailed map that presents uninsured and insured losses by risk quadrant

Final Risk Map

Low # High $ (Finance/Transfer) Low # Low $ (Ignore) High # High $ (Control/Avoid) High # Low $ (Finance/Transfer)

RM Techniques


Risk Control
 

Risk Avoidance Loss prevention (Risk reduction) Engineering Education Loss reduction (Risk reduction) Physical engineering Crisis planning Claims management
    

RM Techniques


Risk Financing


Risk transfer Insurance Contract - hold harmless/indemnification Risk retention Planned vs. unplanned Funded vs. unfunded
   

RM Decision Making


How should we evaluate an RM decision?



Buy physical damage coverage for an old car worth $1,000. Premium = $350. Car stolen and you collect $1,000. Property deductible of $100,000. Save $35,000 in premium. Loss valued at $200,000 occurs. Decide not to buy excess products liability coverage. No loss occurs. Save $450,000.

RM Decision Making


Basic approach


Cannot evaluate a decision made under uncertainty in light of what happens after the decision is made Evaluation must be made on the basis of information available at the time the decision is made On what basis should the decision be judged? The impact on the firm if you are wrong? How much risk the firm can afford to take?
 

RM Decision Making


Tools
         

Cost-benefit analysis Evaluation of frequency/severity After-tax net present value analysis Risk Map Total Cost of Risk Ethical considerations Legal requirements Commercial requirements Do not risk more than you can afford Do not risk a lot for a little

Risk Avoidance


Avoidance occurs when decisions are made that prevent a risk from even coming into existence. Risks are avoided when the organization refuses to accept the risk for even an instant. Example: A firm that considers manufacturing some product but, because of the hazards involved, elects not to do so.

Risk Avoidance


While avoidance is the only alternative for dealing with some risks, it is a negative rather than a positive approach. If avoidance is used extensively, the firm may not be able to achieve its primary objectives. For this reason, avoidance is, in a sense, the RM technique of last resort.

Risk Avoidance


Avoidance should be used in those instances in which the exposure has catastrophic potential, and the risk cannot be reduced or transferred. Generally, these conditions exist in the case of risks for which both the frequency and the severity are high.

Risk Reduction


Risk Reduction describes a broad set of efforts aimed at minimizing risk. Other terms that were formerly used, and have been displaced by this more general term, include loss prevention and loss control.

Risk Reduction


Loss Prevention efforts are aimed at preventing the occurrences of losses. Loss Control efforts are directed at reducing the severity of those losses that do occur.

Neglect of Risk Control



Although the situation has changed with the evolution of the RM field, there was a time when Risk Control was largely ignored. In theory, Risk Control measures should be used when they are the most effective technique for dealing with a particular risk. Risk Control should be used up to the point at which each dollar spent on such measures produces a dollar in loss reduction.

Marginal Cost/Benefit Analyses



Applying marginal-benefit/marginal-cost analyses to the Risk Control process is a complex undertaking. The benefits of Risk Control accrue in the future, and require the measurement of something that does not happen (losses). Given the uncertain future benefits from Risk Control, and the immediate cost, it is not surprising that these efforts often lose out in competition with other funding needs.