CHAPTER 1

The Setting

In this chapter, we set the scene by looking at what risk management is and what it is not, why do it, what it costs, and what are the risks we are talking about.

Are Any of These Eight Myths About Risk Management Keeping You From Managing Your Business Successfully?

If you have a negative view of risk management, it is probably the result of one or more of a number of wrong beliefs. Some are quite understandable, but they are all wrong. Here are the eight most popular misconceptions and why they are wrong.

1. Risk management is another name for insurance. The world was full of risks from the start: insurance has been around for only a few hundred years. Not all risks are insurable, but they all need to be managed. It is better to prevent the fire, accident, or other loss than to receive an insurance payment after the event.
2. Risk management is another name for health and safety. There are many kinds of risk: property, financial, reputational, environmental, physical, cyber, and business. Health and safety deals with only one kind. An essential element in good risk management is the balancing of one risk with another, for example, the risk of a car crash versus the risk of being robbed on the subway.
3. Risk management is a fancy name for common sense. If only sense were so common! It is true that good managers have often managed risks successfully without using that term, but there is a danger of overlooking something potentially serious, but not obvious. You also need to write down your informal assessment of risk for the benefit of others who may not have your common sense.
4. Risk Management is bureaucratic and time-consuming. Only if you want it to be. Some people make every process bureaucratic and every task time-consuming. If you do everything else efficiently, you can do risk management efficiently. Keep it simple.
5. Risk management is too expensive. It depends on the risk and the way you decide to manage it. If you cannot find a satisfactory way of controlling a serious risk cheaply, you may have to go for an ­expensive solution. Compare that with what an accident or whatever would cost. Take a balanced view of the options. Often, ­however, better risk management improves efficiency, effectiveness, and ­profitability.
6. Risk management is someone else’s responsibility. It can be a good thing to take advice from someone inside or outside your organization to bring in an objective view, but the responsibility for managing risk must belong with the responsibility for managing the activity. Whatever is your level of seniority, you should be responsible for those risks which you control. Most businesses have finance managers, but all managers must be responsible for managing the costs of their departments.
7. Risk management is something you do to comply with someone’s requirements. This is the saddest comment I have heard on this subject. Of course, we all have to do whatever is needed to please senior management, auditors, funding bodies, or investors, but if that is your focus, you will be missing the opportunity to improve your performance and protect your business, yourself, and others from the risks you live with.
8. Risk management is an attempt at making a risk-free world. Apart from being utterly unattainable, such a world would not be desirable. Risk management is about balancing one risk with another and deciding which risks are acceptable and to what extent. In your business, only you can decide those things.

   Forget the myths and think about the risks which could affect your business. Then think about ways to manage them—sensibly, realistically, and profitably.

Can You Be Asking the Wrong Question?

One question I am often asked is, “What risks do you manage?” If that is the question on your mind, you are right to ask it. It is obviously not a silly question. So, how can it be wrong? When I talk to business owners and managers, they usually tell me they think they are managing their risks successfully. Most of them probably are regarding those risks they are managing. The danger to the business usually lies in the ones they are not managing at all, or only by default. It often seems that most managers either ignore certain risks or fail to take them as seriously as would be advisable, for three quite understandable reasons:

• Awareness. Most people manage most effectively the risks they are most aware of. These usually relate to things that happen fairly often or that are drawn to their attention by the insurance industry, the media, or by the relevant regulator. These factors are generally not related to the likely seriousness of the event in question, and not always to its probability either. So, minor thefts and vandalism tend to be overrated.
• Probability. Most people greatly underestimate the probability of relatively unlikely events. I was surprised to learn how many people are actually struck by lightning each year and have recently met someone who has been struck twice!
• Severity. Most people underestimate the potential severity of their most serious risks. Thus, loss of data and loss of reputation are very often underestimated, resulting in inadequate control measures being in place.

You may wish to ask yourself what types of risk are important in your business. I have written about the 12 categories of risks threatening most businesses in a later chapter. Can anyone deal with all of them? You may well ask. Nobody can be an expert in everything. What you need to do is to set up a process, so you can identify, analyze, and control the risks in and around your business. Start off on the right track, by carrying out a survey of your activities and asking questions about the ways in which the risks you observe are being managed. You might go into some of your risks in depth or you might go to someone who is an expert in a particular area. You will only find the answers once you have identified the questions. It is a cliché, but true, that if you want to get to the right answer, you have to ask the right question. Ask it.

Is Compliance a Good Thing or Merely a Necessity?

During the arguments about fire safety, following the terrible fire in the Grenfell Flats in London, the question of compliance with building regulations kept coming up. It had a sense of deja vu for me. I have so often been in discussions where the question of compliance, with one thing or another, has arisen. Now, of course, I am not going to advise anyone to fail to comply with legal requirements. However, I am concerned that people often think they are doing enough if they comply. Some regulations may be overprescriptive, but many are not. Many set out the minimum standard. All too often, people choose to ignore guidelines or advice on best practice, if these have no statutory authority.

I can remember a time when a lot of fatalities in motor accidents in the United Kingdom were the result of a car running into the back of a truck. That is because trucks are higher than cars and the rear bumper, or some part of the truck, went through the car’s windscreen, killing the driver and any front-seat passenger. A simple remedy was suggested. Attach a bar to the back of every truck at car-bumper height. Thus, the impact of a collision would be taken by the vehicle, not the driver. It was so obvious, but a lot of trucks did not acquire such bars until they were made compulsory. How many needless deaths occurred in the interim, due to the compliance mentality? You can probably think of similar examples in your industry.

The aim of risk management should not be mere compliance. It should be managing risks. Sometimes, regulations can be overprescriptive and work against the better management of risks. We just have to live with them or get someone to revise them. But do try to understand why they are there. Always ask what steps you need to take to go beyond compliance toward best practice, or the most appropriate practice for you.

Six Reasons to Bother With Risk Management Apart From Trying to Keep Down Insurance Premiums

Many businessmen think risk management is an unnecessary expense unless it can be justified by a reduction in insurance premiums. I believe that is taking far too short-term a view and that it even overlooks certain benefits that can be gained almost immediately. Insurance premiums are not the only reason, but they are an important one. Controlling insurance costs is certainly an important part of controlling the total costs of a business, and even if insurers do not offer immediate discounts for risk management, they will certainly review your premiums, hopefully downward, if you have fewer claims. Risk management may make the difference between being able to obtain certain insurances and having to bear the risk yourself. Insurers may require a larger excess or even refuse to insure your business, if they are not satisfied that you are making a sufficiently serious effort to reduce the risk. Most insurance policies include a clause requiring you to take reasonable precautions to prevent a loss occurring. This means that they can refuse to pay a claim if they believe you had failed to take measures to control the risk. Obviously, there would never be any claims if everyone took every precaution possible all the time, and there can be, and often are, arguments as to where to draw the line, but that line is there, and even the most reasonable insurer will sometimes refuse to pay a claim if it seems the client has been unwilling to make any effort to reduce the risk.

There are six other important reasons to get involved in risk management.

1. It reduces the chances of a really big loss. The one that could put you out of business, at least temporarily.
2. It reduces the likely cost of a loss if it does occur, so you will be more able to get over it.
3. It reduces the annual cost of repetitive small losses, which can be a constant drain on your profits, without your realizing it.
4. It often throws up unexpected savings in the process, as wasteful or unnecessary practices are brought to light. The safest way to do a job is not always the most expensive: surprisingly, often the reverse is true.
5. It reduces stress on business owners and managers. You can be more confident when you know what the risks you face are, and how you are controlling them, as well as knowing there is a Plan B if the worst happens.
6. It reduces blame. If you can show that you had made reasonable efforts, in proportion to the likelihood and probable severity, to control a risk, but the unwanted event happens, you should be able to avoid blaming yourself too badly, and you may even find that others, possibly including judges or regulators, do not blame you as much as they could have otherwise.

Think about the benefits of risk management as well as the costs and do not focus only on insurance premiums, whether you do this yourself or decide to consult an expert.

Who Is Interested in Risk Management?

I hope the answer is that you are. The main reason I like to think you are interested is that you want to be in control of your business and want to know that there is a means of dealing with whatever may happen. But, who else is interested in how you manage your risks? You may never be asked the question in a way that specifies risk management, but you might well be asked something like:

• How do you deal with risk in your business?
• How do you deal with (insert a particular risk)?
• How is your business managed?
• What management systems are there in your business?
• Give evidence of governance in your business.

Being able to show that you have a risk management system in place would be one way of at least partially satisfying such a questioner. Another way would be to show you had had a risk survey in the recent past and had at least begun to implement the recommendations.

Who is going to ask such questions? Usually, someone providing finance for your business, but not only them:

• a bank
• a funding agency
• an investor
• your insurers
• a business you want to partner with
• an organization you want to submit a tender to

How would you like to impress them?

Can Risk Management Help Reduce Stress?

Many people suffer from stress for various reasons. I know several people who offer to help relieve stress in different ways: massage, counseling, hypnotherapy, relaxation techniques. Risk management is seldom put in the list. Each of the aforementioned approaches (and others) can be helpful. Sometimes, you just have to try it and see. What they have in common is that they help you manage your reaction to the situation. They do not try to resolve the situation. That is at least partly because stressful people will always find something to get stressed about and partly because it is useful to be able to deal with your stress if you encounter another stressful situation. However, is there not also a need to look at the factors in your situation which give rise to your stress?

Risk management can be a big help:

• It can help you to understand the problems better.
• It can give you an appreciation of the likelihood and the potential severity of the thing that you do not want to ­happen.
• It can help you see what you can do about it. Yes you can.
• It can also help you to accept what cannot be helped and to face up to your risks with your eyes open.

Think how you can start managing stress and managing the causes of stress.

How Much Are You Spending on Risk Management and How Could You Reduce It?

It has been said that some organizations cannot afford risk management. This implies that the only cost would be the fees of a risk consultant. Let us examine all the costs of risk and how they interact. If you think you do not want to spend money on risk management, you could be surprised at how much you are already spending. Anything that reduces or controls the risk of something going wrong in your business is a risk management cost. Your aim should be to strike the right balance so as to get the best value for money from all your measures.

What Does the Total Cost of Risk Include?

The following are examples of risk control measures:

• Health and safety
• Security
• Inspection, repairs, and maintenance
• Internal audit
• Customer care
• Many elements of human resources
• Public relations

Failings in any of the aforementioned can lead to complaints or claims. The cost of these comprises:

• Investigations
• Claims handling
• Legal costs
• Compensation
• Repair costs
• Loss of sales

What about insurance? Some of the aforementioned points can be offset by insurance, but this means incurring the additional cost of premiums, which also have to be taken into account in establishing the total cost of risk. The cost-effectiveness of each premium should be reviewed in relation to the cost of claims and the size of potential losses. To understand how well your money is being spent, it is necessary to look at all these elements together and to consider how each affects the others, for example, spending more on security could reduce losses through theft, or saving money on maintenance could lead to more accidents and so to more claims. Alternatively, you might find that the amount spent on some of the aforementioned measures was not justified by the reduction in losses.

What do risk management consultants do? They help you quantify and prioritize the risks and evaluate the options by bringing an independent objective view and drawing on the experience of other organizations. In evaluating the costs of the different elements of the total cost of risk, it is important to take into account the amount of management time these activities take up. It is also important to consider the amount of management time an external consultant could save, compared with doing the exercise in-house.

What Could You Save?

The table that follows provides an illustration of the hidden costs of risk in a typical small business with a turnover of about 10 million U.S. dollars. There is provision for 10,000 U.S. dollars for the cost of a risk management consultation, either internal or external, which is the smallest element in the list. Think of the potential savings if such an exercise led to even a mere 2 or 3 percent reduction in the overall costs.

Table 1.1 Illustration of the cost of risk

Item	Cost $000’s	Cost %
Insurance	200	40
Health and safety	60	12
Security	60	12
Inspection	50	10
Customer care	40	8
Human resources	40	8
Public relations	20	4
Internal audit	20	4
Risk management study	10	2
Total	500	100

It is also worth establishing the total cost of risk as a proportion of total expenditure and noting whether this is increasing or decreasing over time. If this figure is abnormally high or low, it is probably worth ­carrying out further investigations. What is normal will, of course, depend on the nature of the business, but if the cost of risk is less than 1 percent of the total costs, it is likely that there are inadequate measures to protect the business from potential threats, whilst if the figure is above 5 percent, it is likely that significant savings could be made by targeting the ­expenditure more efficiently. Even if the proportion is a normal 2 or 3 percent, it is probably still worth reviewing the measures periodically to ensure the money is being spent to reduce the most serious risks, rather than majoring on trivia.

Are You Managing All of These 12 Risks?

Here Are the 12 Major Categories of Risk

Ask yourself how each risk mentioned as follows might apply to your business and whether you are putting your efforts into controlling the most or least important ones. If you notice that there are areas of overlap, it is because risks interact with one another. It is better to look at them together, rather than separately. They cannot be managed properly in isolation.

1. Property. This is probably the most well-known group. It includes fire, storm, theft, and malicious damage. In assessing it, try to think not only of the cost of repairing or replacing, but also the impact on your business of any loss or damage.
2. People. The most publicized aspect of people-related risks is health and safety, for good reasons. The relevance to your business depends on not only the number of people involved and the nature of the work, but also on the setting: that is, cleaning windows in a bungalow is safer than cleaning them in a skyscraper. Other risks involving people tend to be less publicized. Yet, poor management of these can be catastrophic. They include the risks resulting from poor staff relations, absenteeism, competency, and discipline. Lack of attention to recruitment, training, and retention of staff can result in failings in these areas.
3. Motor. Managers of fleets of vehicles usually take this risk seriously, but some others have had cause to regret failing to examine issues around staff using their own vehicles for work. By contrast, the biggest motor claim I ever dealt with was the result of a piece of mobile plant hitting a low railway bridge. The cost of repairing the plant was bad enough, but there was also the cost of making the bridge safe.
4. Cyber. This relates to anything resulting from the use of computers or the Internet. Many managers take care of the safety of the equipment and also take measures against hacking, malware, and viruses, but do not take enough steps to control the misuse of IT, the Internet, and social media by employees or others.
5. Financial. Apart from the financial consequences of all the other risks, which can partly be controlled by insurance, there are pure financial ones such as those arising from poor financial management, bad investments, cash flow, and fraud, as well as the cost of under- or overinsurance.
6. Environmental. This is not only a matter for large-scale polluters. In this category come the costs of such things as breaking tree preservation orders, or encountering archeological remains when digging a trench.
7. Regulatory. Hopefully, you will be aware of regulations applying to your industry, but never underestimate the damage to your business of falling foul of a regulator and incurring a temporary or even permanent ban from operating.
8. Reputational. Sometimes, the public perception of your failings can be out of proportion to the actual harm done. How you respond can make the difference between a damage-limitation strategy and pouring petrol onto flames. Training for your staff (and yourself?) could be a good investment. This should include training in the use of social media.
9. Resilience or business continuity. This refers to the long- or short-term effects on your business of some undesirable event, which itself might or might not be a risk you could try to manage. For example, as well as trying to minimize the risk of a fire in your premises, do you have a viable plan for keeping the business going while waiting for the repairs or rebuild?
10. Supply chain. How much do you know about the risk management practices of your suppliers? How dependent are you on any one of them? How easily could you switch? Do these considerations influence your choice of supplier?
11. Strategic or business. This is the risk of making unwise decisions about the overall direction of the business, such as restructuring or relocating. This category could also include making major miscalculations within an overall sound strategy, such as underpricing a major contract or failing to take into account a significant cost in your budgeting.
12. Liability or third party. This concerns the cost to your business when people bring claims against you, whether successfully or not. Managing the claims process is separate from managing the risk of an accident.

How Are You Managing These Eight Uninsured Risks?

You might or might not acknowledge that risk and insurance are conceptually two different things, but you could be among the large number of people who think that the issue is purely theoretical and rely on insurance as your primary means of managing the risks in your business and in your life generally. If so, you need to consider each of these eight categories of uninsured risk and consider how they apply to you. Then, think how you are going to manage them.

1. Risks you did not know about. I cannot give examples in this category, because I do not know what it is that you do not know. The only answer is to be well informed about risks. Or, talk to someone who is.
2. Things you forgot to insure. You might have forgotten about them or you might have forgotten to pay your premiums. There is an obvious solution. Do it.
3. Results of conscious choices. You might actually have given this some thought and chosen not to insure something. Bravo! This might be because you found you were incurring regular annual claims, and that it would be cheaper to meet the cost direct and save premiums, or it might be that you realized that the risk was so small that it was worth taking a chance. Hopefully, you could afford the cost if a claim did arise.
4. Excesses and deductibles. These are closely related to the previous category. You might decide the best option is a compromise between insuring and not insuring. It means you pay claims up to a certain amount after which your insurers pay. There are numerous variations on such arrangements, but the concept is the same.
5. Conceptually uninsurable. Things can go wrong and cost you money for all kinds of reasons that are outside the scope of any insurance policy. These include the results of bad business decisions, bad ­investments, poor cash flow management and damage to your reputation. The answer lies in good management. Perhaps, some training would be a help, or the use of a consultant.
6. Legally uninsurable. You cannot insure against fines or other penalties for criminal acts, nor against punitive damages. To permit it would be to defeat the purpose of the penalty. Just keep on the right side of the law.
7. Things you just cannot get anyone to insure. You might find that no insurer will insure you for a particular risk. This is usually because you have had a bad history of claims or you have not got adequate control measures in place to reduce the risk. This could mean a lack of fire precautions, the absence of a health and safety policy, employing people without necessary qualifications for particular jobs, or having inadequate physical security. The answer is to talk to your insurers or brokers and address their specific concerns. If you think they are being unreasonable even after you have discussed it with them, perhaps an independent person could help bridge the gap.
8. Things nobody can get anyone to insure. There are times when the insurance industry as a whole decides to refuse to cover a certain risk. I remember times when terrorism was uninsurable in the United Kingdom and when environmental risks were very difficult to insure. Other than lobbying the government, all you can do is to take steps to minimize the risk in your business and to make money available to meet possible losses. I have found that living in an area full of (former) coalmines makes it virtually impossible to get subsidence insurance. I will try not to do anything to cause subsidence, such as developing my property. Or, tunneling.

If you think insurance is the answer to managing risks, think again, and review the ways you are dealing with each of the mentioned types of uninsured risk, preferably before it is too late.