What is Risk Management?

Risk management is one of the most critical processes in modern business. In essence, it is a process that identifies loss exposures faced by an organization and selects the most appropriate techniques for treating these risks. Because the term risk is ambiguous and has different meanings, risk managers typically use the term loss exposure to identify potential losses.

Loss exposure in any situation or circumstance in which a loss is possible, regardless of whether a loss occurs. In the past, business risk managers generally considered only pure loss exposures faced by their companies. However, new forms of risk management have emerged that consider both pure and speculative loss exposures.

Objectives of Risk Management

Risk management has essential objectives. These objectives can be classified as pre-loss and post-loss objectives.

1. Pre-Loss Objectives: These are important objectives before a loss occurs, including economy, reduction of anxiety, and meeting legal obligations:

• Economy: This objective means that the company should prepare for potential losses in the most economical way. This preparation involves an analysis of the cost of safety programs, insurance, and the costs associated with the different techniques for handling losses.
• Reduction of Anxiety: Specific loss exposures can cause greater fear and worry for the risk manager and key executives. For example, the threat of a catastrophic lawsuit because of a defective product can cause more significant anxiety than a slight loss from a minor fire. Having a risk management plan in place reduces fear and worry.
• Meeting Legal Obligations: State laws mandate that workers’ compensation benefits be available to workers injured at work. For example, government regulations might require a company to install safety devices to protect workers from harm, dispose of hazardous waste materials properly, and label consumer products appropriately. The company must see that these legal obligations are met.

2. Post-Loss Objectives: Risk management also has particular objectives after a loss occurs. These objectives include the survival of the company, continued operations, stability of earnings, continued growth, and social responsibility:

• Survival of the Company: Survival means that after a loss occurs, the company can resume partial operations within some reasonable time.
• Continue Operating: For some companies, the ability to run after a loss is vital. Otherwise, the business will be lost to competitors.
• Stability of Earnings: Earnings stability can be maintained if the company continues to operate. However, a company might incur additional expenses to achieve this goal (such as operating at another location), and perfect earnings stability might be challenging.
• The Continued Growth of the Company: A company can grow by developing new products and markets or acquiring or merging with other companies. Therefore, the risk manager must consider the effect that a loss will have on the company’s ability to grow.
• Social Responsibility: This objective minimizes the effects a loss will have on others and society. A severe loss can adversely affect employees, suppliers, customers, investors, creditors, and the community. For example, an arduous failure that shuts down a plant in a small town for an extended period can cause considerable economic distress in the local area.

Steps in the Risk Management Process

The risk management process consists of four steps:

• Step 1: Identify loss exposures.
• Step 2: Measure and analyze the loss exposures.
• Step 3: Select the appropriate combination of techniques for treating the loss of exposure.
• Step 4: Implement and monitor the risk management program.

Identify Loss Exposures

The first step in the risk management process is identifying all major and minor loss exposures. This step involves an exhaustive review of all potential losses. Significant loss exposures include the following:

• Property loss exposures, including building, equipment, inventory, etc.
• Liability loss exposures such as defective products, environmental pollution
• Business income loss exposures such as extra expenses, loss of income after a direct loss, etc.
• Human resources loss exposures such as death or disability of key employees
• Crime loss exposures such as holdups, burglaries, etc.
• Employee benefit loss exposures
• Foreign loss exposures, such as foreign currency and exchange rate risks, political risks, such as expropriation of property, etc.
• Intangible property loss exposures, such as damage to the company’s public image
• Failure to comply with government laws and regulations

A risk manager can use several sources of information to identify the preceding loss exposures. They include the following:

• Risk analysis questionnaires and checklists: Questionnaires and checklists require the risk manager to answer numerous questions identifying major and minor loss exposures.
• Physical inspection: A physical assessment of company plants and operations can identify major loss exposures.
• Flowcharts: Flowcharts can trace the flow of raw materials, production, and distribution of products. A flowchart might reveal bottlenecks and areas where losses could occur and cause financial harm to the company.
• Financial statements: Analysis of financial statements can identify the significant assets that must be protected, the company’s financial obligations, loss of income exposures, key customers and suppliers, and other important exposures.
• Historical loss data: Historical loss data can be valuable in identifying major loss exposures.

In addition, risk managers must keep abreast of industry trends and market changes that can create new loss exposures and cause concern.

Measuring the Loss Exposures

The second step is to measure and analyze the loss exposures. Measuring and quantifying the loss exposures is essential to managing them properly. This step requires an estimation of the frequency and severity of a loss. Loss frequency refers to the probable number of losses that might occur during some given time. Loss severity refers to the possible size of the losses that might occur.

After the risk manager estimates the frequency and severity of loss for each type of loss exposure, the various loss exposures can be ranked according to their relative importance. For example, a loss exposure with the potential for bankrupting the company is much more important in a risk management program than exposure with a small loss potential.

For example, if certain losses occur regularly and are relatively predictable, they can be budgeted out of a company’s income and treated as a standard operating expense. If the annual loss experience of a specific type of exposure fluctuates widely, however, an entirely different approach is required. In addition, each loss exposure’s relative frequency and severity must be estimated so that the risk manager can select the most appropriate technique, or combination of techniques, for handling each exposure.

Although the risk manager must consider loss frequency and severity, severity is more important because a single catastrophic loss could destroy the company. Therefore, the risk manager must also consider all losses resulting from a single event. Both the maximum possible loss and probable maximum loss must be estimated. The maximum possible loss is the worst loss that could happen to the company during its lifetime. The probable maximum loss is the worst loss that is likely to happen.

Catastrophic losses are difficult to predict because they occur infrequently. However, their potential impact on the company must be given high priority. In contrast, certain losses, such as physical damage losses to vehicles, occur with greater frequency, are usually relatively small, and can be predicted with greater accuracy.

Select the Appropriate Combination of Techniques for Treating the Loss Exposures

The third step in the risk management process is to select the appropriate combination of techniques for treating the loss exposures. These techniques can be classified broadly as either risk control or risk financing. Risk control refers to techniques that reduce the frequency or severity of losses. Risk financing refers to techniques that provide for the funding of losses. Risk managers typically use a combination of techniques for treating each loss exposure.

Risk Control

As noted, risk control is a generic term to describe techniques for reducing the frequency or severity of losses. Major risk-control techniques include the following:

• Avoidance: Avoidance means a certain loss exposure is never acquired or undertaken, or an existing exposure is abandoned. The major advantage of avoidance is that the chance of loss is reduced to zero if the loss exposure is never acquired. In addition, if an existing loss exposure is abandoned, the chance of loss is reduced or eliminated because the activity or product that could produce a loss has been abandoned. Abandonment, however, might leave the company with a residual liability exposure from the sale of previous products. Avoidance has two major disadvantages. First, the company might not be able to avoid all losses. Second, avoiding exposure might not be feasible or practical.
• Loss Prevention: Loss prevention refers to measures that reduce the frequency of a particular loss. Measures that reduce lawsuits from defective products include the installation of safety features on hazardous products, the placement of warning labels on dangerous products, and the use of quality-control checks during production.
• Loss Reduction: Loss reduction refers to measures that reduce the severity of a loss after it occurs.
• Duplication: Duplication refers to having backups or copies of important documents or property available in case a loss occurs. Backups of important property might also be kept on hand. Duplication can also be applied to human resources.
• Separation: Separation means dividing the assets exposed to loss to minimize the harm from a single event.
• Diversification: Diversification refers to reducing the chance of loss by spreading the loss exposure across different parties (for example, customers and suppliers), securities (for example, stocks and bonds), or transactions. Having different customers and suppliers reduces risk. If there are foreign and domestic customers, this risk is reduced. Similarly, having contracts with several suppliers can minimize the risk of relying on a single supplier. Investment risk is diminished by holding different assets. Finally, risk can be reduced by diversifying transactions.

Implement and Monitor the Risk Management Program

The fourth step is to implement and monitor the risk management program. This step begins with a policy statement. A risk management policy statement is necessary to have an effective risk management program. This statement outlines the risk management objectives of the company, as well as company policy concerning the treatment of loss exposures. It also educates top-level executives concerning the risk management process, establishes the risk manager’s importance, role, and authority, and provides standards for judging the risk manager’s performance.

In addition, a risk management manual might be developed and used in the program. The manual describes in some detail the risk management program of the company. It can be a handy tool for training managers, supervisors, and new employees participating in the program. Preparing the manual also forces the risk manager to state precisely their responsibilities, objectives, available techniques, and the responsibilities of other parties. A risk management manual often includes a list of insurance policies, agent and broker contact information, who to contact when a loss occurs, emergency contact numbers, and other relevant information. Manuals are frequently available online, which facilitates ease of use and allows frequent content updates.

Periodic Review and Evaluation

The risk management program must be periodically reviewed and evaluated to be effective and to determine whether the objectives are being attained or if corrective actions are needed. In particular, risk management costs, safety programs, and loss prevention programs must be carefully monitored. Loss records must also be examined to detect changes in frequency and severity.

Retention and transfer decisions must also be reviewed to determine whether these techniques are adequately used. Finally, the risk manager must determine whether the company’s overall risk management policies are being carried out and whether the risk manager is receiving cooperation from other departments. 

Final Thoughts

The process of identifying, assessing, and controlling threats to an organization’s capital and earnings is known as risk management. These risks stem from a variety of sources, including financial insecurity, legal liabilities, technological issues, strategic management mistakes, accidents, and natural disasters.

A successful risk management program assists an organization in considering all of the risks it faces. Risk management also investigates the relationship between risks and the potential consequences for an organization’s strategic goals.