What Is Risk?
Risk is a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected . (Vaughn) the threat that any event or action will adversely affect an organizations ability to achieve its business objectives and execute its strategies. (Kloman)
Interpretations
Any (-) deviation from what is expected (pure risk) Any (+/-) deviation from what is expected (speculative risk) Expected total losses Variability of total losses around their expected value Exposure, peril, hazard
Traditional RM is a formal approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures to minimize the occurrence of losses and the financial impact of the losses that do occur.
Board of directors focuses on strategic issues. Treasurer focuses on credit/financial risks. Strategic units focus on operational risks. HR focuses on employment risks. RM focuses on pure or insurable risks.
Traditional RM Paradigm
Determination of objectives Identification of risks Evaluation of risks Consideration of alternatives - risk control vs. risk financing Implementation of decisions Evaluation and review
Integrated (enterprise, holistic) RM is a formal approach to the problem of dealing with all risks that endanger the strategic mission.
Integrated RM Paradigm
Risk assessment is a continuous activity. All in organization are involved in managing risk. Business risk assessment and control are coordinated and overseen by senior management. Control focuses on: avoiding unacceptable risk managing other business risks to reduce impact to acceptable levels formal risk control policy approved by senior management. and widely distributed/understood anticipating/preventing (i.e., monitoring controls).
Integrated RM Paradigm
Ineffective processes are the primary source of business risk. Where does risk manager fit into the organization? i.e., who is the CRO ?
Adopting Integrated RM
define consistent approach to RM create organization-wide awareness measure operational and financial risk develop organizational risk map develop other methods, tools, and practices develop outcome measurements
Adopting Integrated RM
Integrated RM involves:
strategic systems - to identify significant risks and determine root causes management systems - to disseminate business risk assessment/control methods throughout the organization, and establish accountability process systems - to establish a common language of risk and RM methods
Cost of Risk
Some firms use Cost of Risk as objective or performance standard. The Cost of Risk is the total expenditure for RM, including insurance premiums paid and losses retained, expressed as a percentage of revenues. RIMS publishes annual studies on the Cost of Risk, which makes it convenient for risk managers to compare RM costs.
Cost of Risk
Although Cost of Risk varies from industry to industry, it generally averages ~ 1 % of revenues. For a firm whose net profit is 10 % of revenues, the Cost of Risk represents about 10 % of profit.
RM Policy Statement
Once RM objectives have been identified, they should be put into practice through a formal RM policy statement. Such a policy should, inter alia, outline the exposures to be insured and those to be retained, so that serious gaps do not develop in the future.
RM Policy Statement
Objectives and RM policy should be determined by board of directors (or other highest policy-making body in the organization). Risk manager acts as staff advisor to board in formulating RM policy.
Personnel
Financial issues
Risk Identification
Risk Identification
Use open questions: Ask what, how, why, etc.; avoid questions that can be answered with one word. Use closed questions to bring closure: Ask can, would, do, are, etc. Ask one question at a time. Explore breadth and depth of issues.
Risk Assessment
Estimate loss frequency, severity, and annual aggregate losses Frequency - probability of loss Severity - expected size of loss that occurs Account for variability Use confidence levels (how much accuracy is necessary?) Estimate property/business interruption losses
Risk Assessment
Economic v. non-economic damages Punitive damages Collateral source rules Contingency fees
Loss Forecasting
What are expected total (aggregate) losses? Why are fluctuations in expected total losses a concern for risk managers? Why do we need to know when losses will be paid out?
Loss Forecasting
Average frequency (number of claims) for a certain period of time Average severity (size of claims) for a certain period of time Variability in our forecasts Loss development and pay-out patterns
Risk Mapping
A Risk Map:
identifies risks that may materially and negatively affect a companys earnings quantifies risks in terms of frequency and severity (and may also provide annual aggregate information) illustrates the risks in a manner that facilitates further analysis
Risk Mapping
Low # High $ High # High $
Low # Low $
High # Low $
Risk Mapping
Identifies in one place all risks facing the firm Permits cross-discipline analyses Focuses attention on areas that are material to the companys financial viability Quantifies magnitude of required level of protection
Risk Mapping
Public information - financial statements, business periodicals, Nexis/Lexis, etc. Internal documents - business plans, procedure manuals, consultants reports, etc. Benchmark against competitors
Risk Mapping
Questionnaires and interviews Historical loss data - RMIS Policy checklist and exclusions
Begin analysis with senior management Include business operations and managers, auditors, engineers (loss prevention)
Risk Mapping
Consider
Plans to grow the business New products and services What keeps management up at night Changing client base Materiality thresholds (i.e., what is significant?) What would cause the firm to go out of business
Risk Mapping
Natural/Property
Earthquakes, fires, bad weather, business interruptions
Legal/Liability
Business practices, products sold, associated vendors, transportation mechanisms
Risk Mapping
Employment/Human Resource
Employee benefits, work-related injuries, employment practices, discrimination
Operational/Marketplace
Product-tampering, employee dishonesty, theft of inventory, mergers and acquisitions, supply/demand shifts
Risk Mapping
Political
War/insurrection, rioting, nationalization of industry, abrogation of contracts
Financial
Foreign exchange, interest rate, credit, research and development, intellectual property, earnings
Risk Mapping
Determine significance
Present all exposures/risk of loss to the organization Map these exposures from a frequency, severity, and annual aggregate perspective Code according to current RM treatment alternatives
Perform actuarial analysis of firmss historical losses Employ industry-wide data Create statistical distributions Perform Monte Carlo simulations
How often will losses occur? How severe will they be?
End result - detailed map that presents uninsured and insured losses by risk quadrant
RM Techniques
Risk Control
Risk Avoidance Loss prevention (Risk reduction) Engineering Education Loss reduction (Risk reduction) Physical engineering Crisis planning Claims management
RM Techniques
Risk Financing
Risk transfer Insurance Contract - hold harmless/indemnification Risk retention Planned vs. unplanned Funded vs. unfunded
RM Decision Making
Buy physical damage coverage for an old car worth $1,000. Premium = $350. Car stolen and you collect $1,000. Property deductible of $100,000. Save $35,000 in premium. Loss valued at $200,000 occurs. Decide not to buy excess products liability coverage. No loss occurs. Save $450,000.
RM Decision Making
Basic approach
Cannot evaluate a decision made under uncertainty in light of what happens after the decision is made Evaluation must be made on the basis of information available at the time the decision is made On what basis should the decision be judged? The impact on the firm if you are wrong? How much risk the firm can afford to take?
RM Decision Making
Tools
Cost-benefit analysis Evaluation of frequency/severity After-tax net present value analysis Risk Map Total Cost of Risk Ethical considerations Legal requirements Commercial requirements Do not risk more than you can afford Do not risk a lot for a little
Risk Avoidance
Avoidance occurs when decisions are made that prevent a risk from even coming into existence. Risks are avoided when the organization refuses to accept the risk for even an instant. Example: A firm that considers manufacturing some product but, because of the hazards involved, elects not to do so.
Risk Avoidance
While avoidance is the only alternative for dealing with some risks, it is a negative rather than a positive approach. If avoidance is used extensively, the firm may not be able to achieve its primary objectives. For this reason, avoidance is, in a sense, the RM technique of last resort.
Risk Avoidance
Avoidance should be used in those instances in which the exposure has catastrophic potential, and the risk cannot be reduced or transferred. Generally, these conditions exist in the case of risks for which both the frequency and the severity are high.
Risk Reduction
Risk Reduction describes a broad set of efforts aimed at minimizing risk. Other terms that were formerly used, and have been displaced by this more general term, include loss prevention and loss control.
Risk Reduction
Loss Prevention efforts are aimed at preventing the occurrences of losses. Loss Control efforts are directed at reducing the severity of those losses that do occur.
Although the situation has changed with the evolution of the RM field, there was a time when Risk Control was largely ignored. In theory, Risk Control measures should be used when they are the most effective technique for dealing with a particular risk. Risk Control should be used up to the point at which each dollar spent on such measures produces a dollar in loss reduction.
Applying marginal-benefit/marginal-cost analyses to the Risk Control process is a complex undertaking. The benefits of Risk Control accrue in the future, and require the measurement of something that does not happen (losses). Given the uncertain future benefits from Risk Control, and the immediate cost, it is not surprising that these efforts often lose out in competition with other funding needs.