This is the second chapter in a series of articles focused on strategies that should be part of any company’s risk management plan to, effectively, manage the Total Cost of Risk (“TCoR”).
Our previous chapter on the subject introduced basic concepts in risk management: including risk identification and risk impact, Enterprise Risk Management (“ERM”), and how to, better, forecast and be prepared for “risk events”. This paper will focus on ways in which a company can capture and measure the impact of their major risks using a risk register. By creating a risk register, an organization will have a more structured framework to capture and measure the financial impact of risks. A Risk register also becomes a place where the mitigation strategy can be stated. That mitigation strategy is how management controls the risks and, in many cases, is the subject of internal audit. A risk register is a useful tool to organize the approach to risk identification and management. The mitigation strategy serves as a sustainable solution to their most challenging operational risks.
Many organizations will use their existing business management structure to create a Risk Management Working Group. If a company is thinking about risk, then tapping into the knowledge of the operational business leaders to raise risk awareness makes perfect sense. I am a big proponent of a Risk Management Working Group to spearhead these efforts and will elaborate on forming this structure in later chapters.
TCoR is a quantifiable, controllable number that can be identified and reduced. Simply put, TCoR is the total cost of your insurance premiums, retained losses (deductibles/uninsured losses), and internal/external risk control costs. By identifying these costs, businesses can plan and implement risk management strategies to reduce them. Insurance premiums are the most visible costs associated with risk, but they are hardly the only ones. There are many other costs associated with risk that are either not tracked or are viewed as fixed costs. All the costs related to risk can be tracked and monitored. In addition, there are operational strategies that when implemented will manage and, ultimately, reduce these costs.To start thinking about risk in quantifiable terms, the company needs to establish parameters and a common lexicon for the Risk Management Working Group. Standards such as Likelihood, Consequence, and Financial Impact must be specifically defined so the metrics captured in the risk register make sense. Here are a couple of suggestions for Likelihood and Consequence measures:
There is an innate risk associated with being a business, meaning there is always the potential risk of financial loss for just existing. Let’s focus on operational risk and steps to limit or reduce the likelihood of experiencing a financial loss from operations. Operational risk mitigation can be accomplished in several ways – below are a few examples:
- Purchase insurance – while this is a common risk mitigation method, it does not work well if the risk is not managed to avoid frequency.
- Safety Programs – having a robust Health and Safety Program (“HASP”) supported by the company culture and championed by the CEO is an excellent way to manage risk exposures.
- Contract Management – shifting risk appropriately in every contract is a terrific best practice to adopt which is often overlooked in smaller vendors or, seemingly, insignificant transactions.
The next historic area of confusion is defining the “financial impact” of an event. That is tricky and coming up with a 1-5 scale is even harder, however, it is an ESSENTIAL part of the process. An effective approach we have used for our clients is to create a consequence table that will highlight the areas of the business and identify the consequences of an event which will allow that consequence to be measured. Below are categories and what a 5-rating and 4-rating may look like.
The critical thing is to quantify these items in hard measures so they can be measured.
So now we have some basis for Likelihood and Consequence which, when assigned a (multiplied) score, will nicely fit into our risk register and we can use the Red/Amber/Green (“RAG”) system to visually demonstrate which of the risks will be the most material and should take priority.
So…finally let’s get to the star of the show – THE RISK REGISTER!
A risk register is a useful way to capture and report on the risks for the company. As I stated earlier, I like using the business leaders as the Working Group, which makes them the “risk owner” and creates accountability. The fact that the company has now standardized the measurement for the risks will add consistency and credibility to the scores.
You will see the above example uses one measure for INHERENT RISK and another for RESIDUAL RISK. There are debates about this within the risk community, but I find it to be useful to highlight the effectiveness of the risk mitigation technique. Some will add a cost to implement that risk mitigation as the proposed budget, clearly, identifies the result of having the [mitigation] expense approved. This is a powerful way to show the results expected from spending a few dollars on risk management.
As I mentioned above, all these efforts to manage operational risk are important to a business; however, these are not without cost. The cost of risk mitigation needs to be assessed in terms of Return on Investment (“ROI”). Thinking about “risk management” and “sustainability” together as part of the solution frames the company’s commitment to addressing risk issues. This is a key factor in determining what risk mitigation strategy best fits an organization.
In the third chapter of The ALS Group’s Total Cost of Risk series, we will focus on contracts, and how to use a structured approach to, effectively, transfer risk away from your company.
If you need more information on any of the topics covered in this article, need help with any risk-related issues, or are interested in a Risk Management Assessment (“RMA”) please contact me, at 732.395.4251 or [email protected].