Risk is present in every phase of business, but is not always self-evident. The creation, effective implementation and maintenance of a risk management program can significantly reduce and in some cases eliminate the possibility of a claim against a company, says Michael J. Lucas, CIC, CRM, a partner with Millennium Corporate Solutions.
“Risk management is important to protect the company’s assets from lawsuits and claims,” Lucas says. “Taking a systematic approach to a risk management program will make the process go more smoothly.”
Smart Business spoke with Lucas about how to make the risk management process more effective in your organization.
What are the steps in the process?
The risk management process can be expressed in five general steps: risk identification, risk analysis and prioritization, risk control and loss prevention, risk financing, and risk implementation/administration. Many companies focus on one or two of these and fail to effectively use all of the steps in considering operational, strategic and financial risks that can impact the company at many levels.
Are there keys to effective risk management?
Some of the keys include identifying the company’s hazards/exposures, incorporating all levels of the organization into the process, and elevating the importance of risk management companywide.
There are six general classes of risk that an organization must consider when developing and implementing its own risk management program: economic, legal, political, social, physical and juridical risks. Within these general classes, risks can come from many sources. To make matters worse, risks are changing faster than companies can keep up with ways to manage them.
There are several tactics that risk management professionals can use to help companies stay ahead of the curve. Identifying the company’s corporate culture is a good start. Next, it is very important to establish the company’s risk appetite and tolerance level. This helps determine just how much risk an organization is comfortable allowing. Risk management projects such as installing risk control programs, advanced engineering techniques, and increasing or decreasing deductibles should be strongly considered if the potential benefits outweigh the projects’ costs on a short-term and/or long-term basis.
How does corporate culture affect risk management?
Some corporations are willing to retain more risk than others. Through a risk analysis and by identifying the corporate culture, you can identify whether a specific exposure coincides with the culture relative to the organization’s tolerable risk levels. For example, if a company’s corporate culture is to have high retention on its programs, as far as deductibles are concerned, then it is going to be more comfortable taking on risk because it has controls in place. The company will put more emphasis on and funding into risk management and will elevate its importance in an effort to coincide with its corporate culture and ultimately control its exposures.
Why is it important to elevate the importance of risk management companywide?
Due to the catastrophic effect some exposures can have on an organization, it’s important for the risk management to be implemented consistently companywide. Risk retention can and may vary from department to department within an organization outside of the normal company culture, but only after a thorough risk analysis has been performed on the specific hazard/exposure. Corporate culture may dictate that the organization carry higher retentions, but if the organization is unable to control frequency, higher retentions become cost prohibitive.
How does a company’s level of risk tolerance impact risk management?
Identifying the company’s risk tolerance zone is important and will be considered when determining what solution best fits the organization for each exposure identified.
As different projects, changes in operations, exposures or hazards arise, a risk analysis should be performed to completely understand and identify the potential impact of the exposure to the organization. If the risk analysis falls within the tolerance corridor and is deemed acceptable to the organization, it can move forward with the appropriate risk management tool. Insurance is just one solution to risk management. Once the hazard or exposure is identified, the company will choose to eliminate, retain, reduce, transfer, minimize, avoid or control the risk.
How do you evaluate the data?
Data will be gathered at various stages of the risk management process based on historical data, industry data, flowcharts, inspections, compliance review, surveys or policy/procedure review. There are several ways to evaluate the data. This can be done by determining the likelihood and impact of the event occurring. When determining the likelihood, loss analysis, risk mapping, forecasting or probability analysis can be used. When determining the impact on the organization, cost benefit, payback analysis, net present value analysis or internal rate of return analysis can be used. Understanding the importance of the administration phase of the risk management program is critical and requires an organization to look at loss trends, or a trend in certain other factors. This is when the organization will use the data and make changes from an implementation or procedural standpoint to mitigate future losses. Many companies will effectively identify an exposure and will put a policy or procedure in place, but fail to monitor or revisit this exposure from time to time to measure the effectiveness of the program.
Exposures and hazards to an organization appear and change quickly, forcing companies to be reactive instead of proactive through their risk management program. Again, this is why it’s crucial to elevate the importance of risk management companywide.
Michael J. Lucas, CIC, CRM, is a partner with Millennium Corporate Solutions. Reach him at (909) 456-8911 or firstname.lastname@example.org.