Risks pose threats to a broad range of your organization’s resources, such as assets, company reputation or time. These resources are spread throughout a variety of potential risk owners. In turn, each risk owner may have access to only certain capabilities for addressing risk. For example:
- The construction crew maintains and safeguards the heavy equipment,
- The marketing department vets its communications for any hint of insensitivity,
- The IT department controls access to proprietary programs.
The Enterprise Risk Management (ERM) approach introduces a Risk Register to this situation. The Risk Register, at its heart, is a list of risks that your company faces. The value of the Risk Register is that it combines the risk and mitigation information harbored in various departments and functions of your company and makes it possible for your staff to coordinate their efforts to view and centrally manage risk.
Parsing an Example
If your company provides services to clients, regardless of the industry or how experienced you are, there is always risk that circumstances beyond your control could get in the way: equipment breaks down, a new and substantial client opportunity strains your resources, a key person in your company becomes seriously ill. Any one of these circumstances could result in your company not being able to fulfill its obligations for a given project. A thoughtful approach to risk will lead you to contemplate that situation.
As different as the three causes listed above are – a breakdown, a large unexpected project, an illness – they all seem to result in just one effect: Non-performance. So, is non-performance just a single item on your Risk Register? If you are using the register to its fullest advantage the answer is a resounding “no.”
One of the great powers of the Risk Register is that it clarifies your thinking and helps you parse such a risk into its true, distinct risks. The Risk Register gets you and your staff to consider the effects of risk on the assets and other valuable aspects of your business such as your company’s reputation, or time that is diverted from the core business. Here’s a snapshot of how the category of “Contract Non-Performance” risk could be initially detailed in the Risk Register.
The value of breaking down risks in this way is that each distinct risk can be addressed by different methods of mitigation or prevention. In the parlance of ERM, we categorize these methods as Treatment and Transfer.
Adding Treatment to the Risk Register
“Treatment” encompasses the range of activities your company can undertake to prevent the consequences of the risk or mitigate those consequences. Let’s take a software company, for example. The risk of having to reperform work may be greatly reduced through the use of a tool: a standardized template for capturing and evaluating user requirements and testing modules. By contrast, the risk of straining the company’s design staff with an unwieldy load of projects would have to be addressed by a planning process: a projection of resource requirements and a comparison with current resources.
Our Risk Register reflects these prevention and mitigation strategies this way:
Adding Transfer to the Risk Register
The method of risk “Transfer” that most commonly comes to mind is insurance. In return for your premiums, your insurance carrier takes on the risk of having to pay a claim for an error or omission via your company’s Error & Omission (E&O) or Professional Liability coverage.
There is also another method that may not spring to mind as a technique to transfer risk: contracting. In addition to broadening your resources, contracting can also serve to transfer risk to the contracted party. Using our software company again as an example, this company may have chosen to augment its resources by subcontracting a project to an outside firm. A contract with the proper protections will successfully transfer much of the risk of errors and omissions to the third party. The contracting process will entail requiring the third party to demonstrate that it has retained satisfactory insurance coverages of its own (i.e., what types of coverage? What dollar amounts of coverage?).
The Risk Register is extremely useful for clearly illustrating the interplay between your treatment and transfer techniques. Our emerging Risk Register now shows how well the “web” of treatment and transfer techniques addresses the well-parsed list of risks:
The Power of the Register
Risk management efforts are necessarily shared among a variety of departments and functions. In the simplified Risk Register extract we built above, we can see different risk owners (human resources, project management, finance, marketing, the general counsel) and their different concerns (human capital shortage, subcontracting terms, performance bonds, reputation, litigation). The Risk Register is the common tool that unites their concerns and coordinates their efforts.
Contact us for help in getting your arms around your risks, your mitigation options and your insurance needs.