What is risk assessment?
Risk assessment represents the second step in the risk-management process. It follows the first and initial step of identifying all possible risk exposures faced by the organization. Risk assessment allows for the systematic evaluation and prioritization of risks in terms of the likelihood of occurrence and the potential consequence when and if the particular risk event occurs.
Risk assessment is a collaborative process that attempts to answer the following questions: What assets need to be protected? What are the threats and vulnerabilities? What are the implications if the assets were damaged or lost? What is the value of the assets to the company? What can be done to minimize exposure to the loss or damage?
Organizing and prioritizing risk exposures
Once the identified risk exposures are gathered, they must be organized, quantified and prioritized. Organizing risk exposures requires reviewing and categorizing them into groups with common elements. One method is to place risk exposures into classes that represent potential losses to:
- Property exposures
- Liability exposures
- Net income exposures
- Human resource exposures
This phase also includes quantifying the loss potential that may result from the identified exposures. This may be accomplished by estimating the dollar amount of future losses. One method of projecting future losses is to review past loss experience and then extrapolate past experience into the future by using statistical probability and trend analysis. Quantification also helps the risk manager prioritize handling possible loss exposures.
Qualitative analysis of risk exposures
Analysis of a risk exposure is accomplished using a systematic, qualitative method that assigns a risk score or value to the exposure. This numerical value enables the risk manager to prioritize exposures and loss events in relation to others. Once the exposures and losses are categorized and prioritized, priority attention can be given to identifying the proper risk control and risk financing techniques to avoid, eliminate, transfer or control the problem.
During this analysis, risk exposures are analyzed by combining estimates of consequences and likelihood in the context of absolute risk, disregarding any controls (inherent risk) and risk with treatment considered (residual risk).
The level of risk is determined by the relationship between the likelihood and the consequence if the risk occurs. Each risk exposure is assigned a numerical value (risk score) based on its expected frequency and severity, which in turn becomes the basis to prioritize risk and select appropriate risk treatment techniques.
Frequency/severity qualitative risk rating system
The tables above present two examples of a numerical frequency/severity rating system that is used to assign priorities to the frequency and severity of exposures and losses. The first table addresses the financial impact of a loss and defines the consequences for a consequence range. The second table addresses the expected likelihood of a loss occurring and defines the frequencies for a frequency range.
Because assessing risk is becoming a more critical measure in today’s environment, organizations will do well to implement standard processes for evaluating, classifying and prioritizing risks to better mitigate the effects on their business. Having the data to analyze business risks positions a company for success in developing the appropriate responses to potential risks and increasing overall organizational value.
Robert Higgins, CPCU, ARM, ARMP, CRM, CIC, FRM, CRIS is a vice president with Schiff, Kreidler-Shell in their risk services department and has more than 25 years experience in insurance and risk management. Reach him (513) 977-3188 or email@example.com.
But a risk-intelligent organization’s proactive approach to identifying, understanding and effectively managing risk makes the difference between creating value and jeopardizing success. It is crucial to be a risk-intelligent organization. Stakes are high, and losses can be catastrophic. Senior executives and board members are increasingly challenged to ensure that appropriate risk-assessment and risk-management practices are in place.
Beyond traditional risk management
Risk management is the process of planning, organizing, leading and controlling the activities of an organization to minimize the effects of risk on an organization’s capital and earnings. Enterprise risk management expands the traditional risk-management process to include the entire range of risk faced by the organization, not just the risks associated with accidental losses. The expanded concept of enterprise risk incorporates financial, strategic, hazard, operational and socio-political risks.
Based on this comprehensive approach to risk, enterprisewide risk management evolves an organization’s risk management capabilities from a fragmented, ad hoc and reactive process to an integrated, systematic and proactive approach to master business risks. This integrated risk management process enables the organization to better evaluate and prioritize its risks and make appropriate strategic decisions to manage these risks efficiently.
Enterprise risk management can be viewed as a comprehensive process that helps companies identify major risks and create consistent, enterprisewide solutions for dealing with those risks.
- Identifying relevant risk exposures faced by the organization
- Quantifying the risk exposures in terms of impact and likelihood
- Mapping and scoring the risk exposures to prioritize management action
- Establishing a company’s risk appetite given its overall corporate strategy
Developing a risk-management framework and implementing effective infrastructure and process
Enterprise risk management’s benefits
Risk appetite is the degree of uncertainty an enterprise is willing to accept to reach its goals. Risk appetite is a key factor in evaluating strategic options. Enterprise risk management helps management consider risk appetite when setting goals that align with overall corporate strategy and manage risks related to that strategy.
Enterprise risk management creates robust risk information, which allows management to deploy resources more effectively, thereby reducing overall capital requirements and improving capital allocations.
To determine if enterprise risk management is relevant to your organization, ask yourself four questions.
- What risks does your organization currently face?
- Who are your risk owners?
- What is the value of your risk-management investment?
- Have you evaluated nontraditional risk exposure?
Clearly, no risk management program, no matter how well designed and executed, can guarantee results. Nevertheless, adopting an enterprise risk management framework can bring significant benefits to an organization seeking to manage its risk exposures efficiently.
Robert Higgins, CPCU, ARM, ARMP, CRM, CIC, FRM, CRIS is a vice president with Schiff, Kreidler-Shell in its risk services department and has more than 25 years of experience in insurance and risk management. He is a graduate of the University of Kentucky and Xavier University’s MBA program. Reach him at (513) 977-3188 or http://firstname.lastname@example.org.
While the frequency or severity of adverse outcomes from any particular risk will vary with each business, the challenge remains to manage risks to reduce their adverse impact on business value. Management of these risks requires a coordinated, disciplined approach to eliminate or control risks. This managerial approach is called risk management.
What follows are some general guidelines that can help form the direction and basis for developing and implementing a comprehensive risk-management program in your organization.
What is risk management?
Risk management is the formal process by which an organization establishes its risk-management goals and objectives, identifies and analyzes its risks, and selects and implements measures to address its risks in an organized and coordinated fashion. The fundamental objective of risk management is to protect the assets and profits of the organization by reducing the potential for loss before it occurs, and by financing, through insurance and other means, potential exposures to catastrophic loss.
Risk management may be as uncomplicated as asking and answering three basic questions.
- What can go wrong?
- What will we do (both to prevent the harm from occurring and in the aftermath of an incident)?
- If something happens, how will we pay for it?
The benefits of risk management
There are consistent objectives and end results of any good risk-management program.
- A reduction in the number and size of accidental losses
- Established financial arrangements for unpredictable and catastrophic losses
- Appropriate financing arrangements for a predictable loss
- A reduction of the firm’s cost of risk to the absolute minimum
- Avoidance of high-loss-potential situations, where possible
The risk-management process
Risk management is a process a progression or series of actions that are taken with the purpose of minimizing losses or injuries in the organization. These actions may be set forth as a series of steps that lead to the goal of reduced losses and injuries. The six steps in the risk-management process are identified below.
- Establish the context. Establish the strategic, operational and other risk-management context within which the rest of the process will take place. Criteria for evaluating risk should be established and the structure of the analysis defined.
- Risk identification. Identify risk exposures (potential losses) and their causes.
- Risk analysis. Evaluate and measure the risk exposures. Prioritize the risk exposures by their significance to the organization.
- Design a risk-treatment strategy. Review risk-treatment alternatives and select appropriate risk-treatment methods, choosing an appropriate mix of risk-control and risk-financing techniques that are both effective and efficient.
- Implementation. Carry out the details of the risk-management plan.
- Monitor, review and report. Provide regular reporting on risk and risk treatments. Modify the risk-treatment strategies as needed to support organizational objectives.
Insurance may be the first way or the last way organizations seek to manage risk, but rarely is it the best way of handling risk. Risk management is an all-encompassing approach to dealing with risk by identifying, analyzing, controlling and financing risk, and seeking the most efficient methods for doing so.
Effectively done, risk management, whether through planning pre-loss activities, preparing the organization for losses or executing post-loss activities, offers a thorough and efficient approach to address the expenses of potential losses.
Robert Higgins, CPCU, ARM, ARMP, CRM, CIC, FRM, CRIS is a vice president with Schiff, Kreidler-Shell in their risk services department and has more than 25 years experience in insurance and risk management. He is a graduate of the University of Kentucky and Xavier University’s MBA program. Reach him at (513) 977-3188 or email@example.com.