We now come to the heart of the matter. We look at how we go about managing risks.
I have tried to avoid being too prescriptive, as it is important to find an approach that you are comfortable with, and therefore actually use, rather than struggle to do it the allegedly correct way and give up. Risk management is there to serve businesses, not vice versa.
What Is Embedded Risk Management and How Do You Do It?
Internal or External?
You may have heard that risk management should be embedded in an organization. This means that it should become part of the culture, the way everything is done, and not just an add-on. If that is true, you may wonder how there can be any point in using the services of external risk management consultants. I believe they can contribute something valuable to any organization, but that can never be a substitute for the involvement and commitment of the organization’s own management at all levels. Consultants achieve most when they can work with management. They find it very frustrating when managers try to push all their responsibilities onto them. Their reports end up on shelves, scarcely read, let alone implemented.
Ownership
It is essential that, in addition to top management, whoever is responsible for managing any part of the business, or a particular activity, accepts responsibility for managing the risks involved. That is called owning the risk. It is the opposite of passing the buck.
People, Procedures, and Training
People at all levels need to understand their roles in managing risks and be actively involved in the process.
Risk management should be built into all the procedures of the organization, and these need to be communicated if they are to be followed. Risk management should be part of everyone’s training, both at induction and ongoing.
Sometimes, someone, such as a potential client, backer or partner, may require a statement of your risk management policy. These vary considerably. Some are so vague and general as to be meaningless. Others go into so much detail about everyone’s responsibilities and all the company’s procedures as to make reading them a major task. They quickly become out of date. I would advise producing something in the middle, which sets out how risks are managed and by whom. Aim at being informative and readable.
Lines of Defense
Risk management professionals recommend that businesses have three lines of defense against their risks. These are:
What if you cannot achieve this? What if you are the only line of defense in your business? Then it is all the more important that this one line is robust. You need to be sure you are managing your risks actively. Perhaps you cannot afford a full-time risk manager, but what about using the services of an external one, at least once a year, just to give you an independent view? Or how about getting someone in your business trained in risk management?
What Is a Risk Assessment and How Do You Do It?
A risk assessment is your assessment of the nature and significance of a particular risk and the measures you have chosen to control it. It should show the process by which you came to your decision. Here is how to go about it.
How to Assess Probability and Severity
Probability
This is the likelihood of a thing happening. It can be expressed in various ways:
Where relevant statistics are available, probability can be expressed as a frequency, referring to the average number of accidents annually. Where possible, it is worth comparing any statistics you compile in your business with national ones. Where no information is available, taking a guess at likely or unlikely is better than nothing.
Severity
Risk Analysis: How to Estimate the Value of a Risk
Table 2.1 Risk analysis

| | Low probability | Medium probability × 2 | High probability × 3 |
|---|---|---|---|
| High severity × 3 | 3 × 1 = 3 | 3 × 2 = 6 | 3 × 3 = 9 |
| Medium severity × 2 | 2 × 1 = 2 | 2 × 2 = 4 | 2 × 3 = 6 |
| Low severity × 1 | 1 × 1 = 1 | 1 × 2 = 2 | 1 × 3 = 3 |
Link to Insurance
This exercise should help you plan your insurance program, as well as manage the underlying risks.
Three More Questions About Evaluating Risks
What Is Risk Gearing?
When we try to evaluate a risk in order to prioritize it or to decide how much money to spend on controlling it, it is tempting to look only at the immediate cost of the thing occurring, for example, the amount of money that could be stolen in a break-in or the cost of compensating someone who blamed you for his or her injuries. The point is that there might be secondary costs that are much bigger than the immediate ones, such as the damage done to your property in breaking in, the damage to your reputation from the accident, or the time and effort you or your staff have to put in to sort out the claim. Gearing is the ratio between the obvious immediate costs and the overall final costs of an incident. It is important to take the bigger picture into account when making decisions about priorities and the amount you are prepared to pay to reduce the risk.
How Can You Measure the Unknown?
This sounds bizarre, but unknown variables can be measured, even if they cannot be identified. How?
This may help you predict changes in the number of accidents. It may also direct your attention to trying to identify the unknown factor(s) so as to see how you might be able to influence it or them. Even if you cannot, knowing the size of the unknown can be important. It can stop you putting too much effort into managing the known factors, or getting into the blame game if your efforts in that direction are unsuccessful.
What Is Risk Appetite?
Risk appetite (or risk tolerance) is the extent to which you are prepared to live with risk. How near the top right of the risk analysis table are you willing to go? Can you put a number on it and say you will take risks up to a certain level only? Even people who are ready to take big risks should go through an exercise like this first. There is a huge difference between making a decision in the light of all the facts and just going ahead blindly.
What Is a Risk Register and Do You Need One?
A risk register is a summary of all your risk assessments and should be cross-referenced to each of them. It should show:
The level of detail can vary considerably. Different managers find they have different needs. Unless someone else has specified it, you should opt for whatever you find helpful.
It is often kept in order to meet someone’s requirements: a potential client, funder, or partner. It may be a condition in a tender specification. For me, its most important use is that it helps prioritize risk control measures and target expenditure where it is most likely to be effective. It is also useful for new managers to see what has been done and what needs doing, in order to hit the ground running.
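As an added illustration (not part of the original text), here is a small risk register in Python that scores each entry with the multipliers of Table 2.1, works out its gearing, and lists the risks above a chosen risk appetite in priority order. The field names, the sample entries, the direction of the gearing ratio (overall cost divided by immediate cost) and the tie-break between equal scores are all assumptions made for the example.

```python
from dataclasses import dataclass

# Multipliers from Table 2.1: low = 1, medium = 2, high = 3.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    ref: str               # cross-reference to the risk assessment file
    description: str
    probability: str       # "low", "medium" or "high"
    severity: str          # "low", "medium" or "high"
    immediate_cost: float  # obvious first cost of the incident
    total_cost: float      # immediate plus secondary costs

    @property
    def score(self) -> int:
        # Table 2.1 cell value: severity multiplier x probability multiplier.
        return LEVELS[self.severity] * LEVELS[self.probability]

    @property
    def gearing(self) -> float:
        # Assumption: gearing expressed as overall cost / immediate cost.
        if self.immediate_cost <= 0:
            raise ValueError(f"{self.ref}: immediate cost must be positive")
        return self.total_cost / self.immediate_cost

def ranked(register):
    # Highest score first. Equal scores (3 x 1 and 1 x 3 both give 3) are
    # separated by severity, then by overall cost (an assumed tie-break).
    key = lambda r: (r.score, LEVELS[r.severity], r.total_cost)
    return sorted(register, key=key, reverse=True)

def over_appetite(register, appetite):
    # Risks scoring above the level you have said you are prepared to accept.
    return [r for r in ranked(register) if r.score > appetite]

# Constructed sample entries; refs borrow the numbering style of Table 2.2.
REGISTER = [
    Risk("1.1", "Break-in at the workshop", "low", "high", 5_000, 20_000),
    Risk("4.1", "Ransomware on production PCs", "medium", "high", 10_000, 80_000),
    Risk("12.1", "Minor injury at a trade show", "high", "low", 500, 1_000),
    Risk("20.1", "Company car scrape", "medium", "medium", 800, 1_200),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.ref:>5}  score={r.score}  gearing={r.gearing:.1f}  {r.description}")
```

Note that entries 1.1 and 12.1 both score 3, so the table alone cannot order them; the register has to record enough detail (here, severity and overall cost) to decide which to deal with first.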
How to Avoid Missing Any Risks
Set them out in a table something like this. Mark N/A to any that do not apply, but only after you have made sure it is the case. Add other categories of risk and other departments. Cross-reference to risk assessment files.
Table 2.2 Risk register, summary page

| | Property | People | Financial | Cyber | Motor |
|---|---|---|---|---|---|
| Production | 1.1–1.5 | 2.1–2.7 | 3.1–3.2 | 4.1–4.3 | 5.1–5.4 |
| Supplies | 6.1–6.2 | 7.1–7.3 | 8.1 | 9.1–9.2 | 10.1–10.2 |
| Sales | 11.1 | 12.1–12.5 | 13.1 | 14.1–14.3 | 15.1 |
| Admin | 16.1–16.2 | 17.1–17.3 | 18.1–18.2 | 19.1–19.7 | 20.1 |
| Directors | N/A | 21.1 | 22.1–22.2 | 23.1 | 24.1 |
What Do Your Controls Control?
I keep coming across controls that do not control anything. Or, at least, not the things they are meant to control.
I recently visited an establishment where the good, old-fashioned signing-in book had been replaced by a computerized system. Even a slow writer like me could previously sign in in a tenth of the time taken to do it on the touchscreen. Even my half-legible scrawl was nearer to my name than the on-screen version, where a character could easily be omitted or duplicated. I was told that the main reason for the change was that the new system was to be used in the event of a fire to check who was in the building. I would have thought the best thing to rely on was the knowledge of individual managers as to who was in or out and what visitors were there. My faith in the accuracy of computerized systems is low.
To err is human: to make a real mess, you need a computer! Review your risk control measures to see which ones are actually worth keeping. Risk management is not only about adding to your controls. Often, it is the opposite.
Six Reasons Why We Usually Underestimate Our Business Risks and Our Insurance Needs
If we do not have a realistic view of our risks, we will not be able to make the right decisions as to what insurances we need, nor will we be able to make the right decisions about the measures to take, so as to control the risks. Most of us underestimate both the likelihood and the possible severity of the risks with which we are faced in life, and especially in business, but failing to have a reasonable understanding of our risks usually has two results:
It is probably not difficult to see what further consequences such wrong thinking might have.
What are the reasons for this?
It is always worth remembering that premiums do not go up pro-rata to sums insured. The first million dollars of cover costs more than the second and so on. In addition, being able to demonstrate that you have identified your risks and taken reasonable steps to control them can only help you in negotiating premiums. Do not be underinsured and do give serious risks serious attention. In the next section, we look at an example of risks being different from our perceptions.
What Have Horse Riding Accidents in the United Kingdom Got to Do With Your Business?
I have read a report on accidents involving horses in the United Kingdom, produced by the British Horse Society. It deals with accidents involving other parties, which includes road accidents. Much of it is aimed at the riding fraternity, as you might expect, but I think two of the findings have implications we all need to consider, even if you never go near a horse. They are especially worth considering, precisely because they are not what most people, including myself, would expect.
First, let us also note one of the findings that came as no surprise to me.
Most accidents occur on minor roads in the countryside.
Now let us consider the two surprising facts the report threw up:
So why is this? The short answer is that nobody knows. But, we can try to speculate intelligently. Let us ask ourselves a few questions:
Are you still wondering what this has to do with your business?
Ask yourself these three questions:
When you have thought how this applies to your business, please remember to drive wide and slowly past horses whether at noon in June or late on Christmas Eve.
If you want to see more about horse riding accidents in the United Kingdom, go to: www.bhs.org.uk/safety-and-accidents
Are You Taking Enough Risks? Or Is Undue Caution Holding Back Your Business?
An interpretation of risk management as an attempt at eliminating or minimizing every risk sometimes leads businesses or other organizations to miss out on opportunities to maximize profits or achieve other desirable goals. This view fails to see the need to balance one risk with another or to fully evaluate the costs and benefits of different courses of action. I am concerned that overzealous or one-sided risk management can be harmful to business and other activities. Please do not misunderstand me. I do not advocate a cavalier attitude that would treat lightly anything which could lead to someone’s death or serious injury, to extensive damage to property, to the loss of large sums of money, or to serious damage to the environment; neither do I underestimate the harm an ill-judged word or deed can do to a hard-won good reputation. However, it is easy to over-react and take excessive defensive measures. I suspect that the man who said, “I’m not afraid of flying … just of crashing” probably thought the only way to be safe was not to fly, not knowing that in fact modern airlines have such good safety arrangements that the most dangerous part of your flight is likely to be the drive to the airport.
What Are the Causes of This Over-Cautious Attitude?
Is a Strong Dislike of Taking Risks Wrong?
The actual risk may be very different from our impression, and so our response may be inappropriate: many New Yorkers would rather drive in frustratingly slow traffic than take the often faster subway, out of fear of mugging, when more people are killed in road accidents than in violent robberies.
General McClellan commanded the main U.S. Army in the early part of the Civil War. As he was concerned for the welfare of his men and wanted to avoid throwing lives away needlessly, he always waited for the ideal opportunity before going on the offensive. Sadly, he lost more men to disease in his large static encampments than were killed by the enemy. He was too focused on one risk to the exclusion of another. More recently, there was some controversy in the United Kingdom over the failure of some schools and other organizations to carry on during the big freeze of 2010–2011. There was a need to balance the risks to people in trying to work, or even get in to work, in those conditions, against the risks to the organization, as well as to those using its services, in failing to maintain some of its activities.
What Can You Do About It?
Do not let undue fear of risk stop you making a success of your business or organization. Wherever possible, think in terms of positively managing rather than avoiding risks. In Britain, when motor transport was first invented, there was a requirement to have a man carrying a red flag in front of every motor vehicle. It might have prevented a lot of accidents in its day, but most of us would agree that removing that restriction has benefitted society a great deal, and other measures have been brought in to improve road safety whilst allowing cars to travel faster than pedestrians.
Three Questions to Help You Decide Which Kind of Risk Management Consultant Your Business Needs
Most businesses could benefit from being studied by a risk management consultant from time to time. If you think yours has such a need now, there are three main choices you will need to make if you are to get the right one and so avoid the sort of disappointment that can lead to an undeservedly poor image of the profession, when a consultant fails to deliver what the client was expecting. There are many risk management consultants around, and it is not easy to choose the right one for your business. It is easy to spend a lot of money without getting the result you need, but this is not always the consultant’s fault. Although stereotyping any professionals can be misleading, you may find that thinking in terms of the following categories will help you in your search.
You can probably see that there is no all-purpose ideal consultant. What matters is finding the one who best meets your needs and those of your business at this time. Think carefully about the aforementioned three questions and try to decide first what you want and need before trying to decide who can best advise you on managing the risks you are trying to deal with. Do not be afraid to tell your risk management consultants that you think they are not the right ones for a particular exercise: most would rather lose a client than have a dissatisfied one. Here is hoping you find the right one.
What Has Seeing the Elephant Got to Do With Managing Risks?
I once heard someone saying that children these days do not seem to show as much awe and wonder at the marvelous creatures that they see in the zoo as we did. I am not sure who we included, but never mind.
I can think of two reasons why this remark may hold some truth.
During the American Civil War, there was an expression, “to see the elephant,” meaning to experience a battle. The point of the metaphor was that anyone who had not been in a battle could not know what it was like. No description did it justice. [Sorry if you are a War Poet or even a War Correspondent: I did not mean to offend.] In the same way, if you had never seen an elephant, no description quite conveyed what one was like, but once you had seen one, you knew. Sometimes, the problem for a risk management consultant is to enable the client to see what the risk is. It may sound unrealistic or it may sound trivial. If it has never happened to you, it may be hard to imagine how it would affect you or your business. That is why you may need a consultant.