Risk management evolved as an idea that the cost of losses can be substantially reduced by
designing the business and training its employees to minimize losses, rather than just buying
insurance to cover losses. In other words, the management of risk can be scientific, not so much
through controlled experiments as is done in traditional science, but by studying losses to
understand why the loss occurred and how it can be prevented or mitigated. Information gained
from studying losses could thus be compiled and promulgated to others with similar risks.
Moreover, such information is increasingly used in expert systems, computer systems that not
only store extensive knowledge, but also apply that knowledge through the use of algorithms
based on analytical principles developed by experts.
Risk management is used by small employers, corporations, nonprofit organizations, and
federal, state, and local governments. Even people can benefit from a personal risk
management program. Risk management is an important subdivision of most businesses,
since the viability of any business will depend on how well it controls and finances risk.
The cost of risk includes premiums, retained losses, financial guarantees, internal administrative
costs, outside risk management services, and taxes, fees, and other related expenses. Since the
term risk has several meanings, risk managers often use the term loss exposure to remove any
ambiguity as to what is meant. A loss exposure is any situation where a loss is possible,
whether or not a loss occurs.

History of Risk Management

Although businesses always had to manage risk, risk management was not recognized as a
separate function of business until the beginning of the 20th century. Then, major corporations,
such as railroads and steel companies, started hiring an insurance manager, who purchased all of
the insurance for a specific company. However, the responsibilities of the insurance manager did
not include the other forms of risk management: risk avoidance, reduction and retention. Only in
the 1950s, did risk management start to appear in the printed literature, as it became increasingly
recognized that managing risk was one of the most important functions of a business.
Quantitative tools were also developed to make risk management more precise. One of these
mathematical tools is normative decision theory, which provides algorithms for making the best
decisions based on specific inputs. Previously, management science and descriptive decision
theory described how and why people chose certain options; normative decision theory
consisted of methods of selecting the best options based on specific inputs or quantitative data.
With the development of complex systems, such as the Intercontinental Ballistic Missile System
and the space missions, a more holistic approach was developed, often referred to as the
systems safety approach, first developed by the military and the aeronautics industry,
where the entire system was examined in terms of its components and the operation of the
system by humans. The system safety approach was developed because it was increasingly
recognized that losses occurred because of a failure either in a system component or from human

Risk Management Objectives

Losses and the cost of managing risks reduce the profitability of the business. Therefore, that
profitability depends on eliminating or reducing the cost of losses and of managing the risks,
which is the function of the risk manager. The main concern of the risk manager is to determine
how much risk to retain and how much should be transferred through insurance or other
available means. Additionally, the risk manager requires detailed knowledge of the types of
insurance that are available and their costs, so that the best decision can be made.
Risk management for most firms is probably the responsibility of at least several people.
Generally, the larger the organization, the more likely it will have a department devoted to
risk management. Additionally, many types of businesses will have specific employees whose
duty is to manage particular types of risks. For instance, banks and other financial institutions
generally have one or more people whose only job is to ensure that the bank complies with the
laws and regulations affecting it. Many types of risk, such as legal or financial risk, require
specialized knowledge, so it is typical that these types of risk will be managed by people
specialized in those specific areas, usually as one part of their activities.
Generally, a risk management program must involve other departments of the business, since
they would be in a better position to address loss exposures in their department. For instance, the
accounting program should maintain internal accounting controls to reduce employee fraud,
embezzlement, and theft. The finance department can better assess the risk that it is taking with
its investments and what effect it will have on the firm. The human resources department will
generally have greater expertise in following the rules and regulations for employee benefit
programs, pensions, safety programs, and in implementing policies for hiring, promotion, and
dismissal. The production department must institute quality control to reduce product defects
and improve safety in the workplace. The marketing department must ensure that products are
labeled according to regulations and to provide the maximum benefit to the consumer and that
the product is distributed safely to the consumer.
Risk management objectives can be divided into pre-loss and post-loss objectives.

Pre-Loss Objectives
Pre-loss objectives are goals that a business should strive for before any losses occur. Preventing
or minimizing losses are the most cost-effective ways for a business to reduce the cost of losses.
As they say, an ounce of prevention is worth a pound of cure. Equipment and business
procedures should be selected to maximize safety and reliability. It must be decided how much
risk to retain and what types and amounts of insurance should be purchased and who is primarily
responsible for risks overall and particular types of risks.
Loss exposures for business include:

property losses
business income loss
human resources losses
losses from crime
foreign losses, including foreign currency risks, kidnapping of key personnel, acts of terrorism, and
political risks
reputation of the company.
Maintaining employee benefits and complying with government regulations for those benefits can also be
a major source of liability, including failure to pay promised benefits and violation of fiduciary

Another pre-loss objective is to reduce anxiety, since some loss exposures can cause
catastrophic losses, such as major lawsuits. Legal obligations must be met, including installing
safety devices to protect workers, properly disposing of hazardous materials, and labeling
consumer products appropriately.

Post-Loss Objectives
Post-loss objectives will depend on the magnitude of loss, but generally include:

to ensure the survival of the firm
to continue operating as a profitable business
maintain stable earnings
minimize the effects of losses on other people and businesses
maintain growth potential

Risk Managers
Because of the complexity and risks that large organizations face, they employ risk managers
who specialize in risk control and financing. In smaller organizations and businesses, risk
management is usually the responsibility of the executives and owners.
Risk managers must keep up to date on industry trends and rising prices of insurance, litigation
costs, and various other costs that generally increase with inflation. They must know and use
risk control and risk finance methods, which are detailed in the previous article, Handling Risk:
Avoidance, Loss Control, Retention, Noninsurance Transfers, and Insurance. To limit losses
from some retained risks, it must be decided whether excess insurance, which pays only
if actual losses exceed a specified amount, will be purchased.
Insurance coverages and the size of deductibles must be decided. Risk managers will generally
solicit competitive premium bids from several insurers to obtain the lowest price. They must
decide on the terms of the insurance, and on specific exclusions and endorsements. If the risk
manager wants coverage or special provisions that are not provided by standard policies, then an
insurance company or broker may write a manuscript policy containing the desired
provisions. Generally, manuscript policies are only written for larger accounts because they
must comply with state laws, so it would not be cost-effective to provide manuscript policies for
smaller accounts.
Generally, insurance contracts will specify how claims are to be presented and what evidence of
loss is to be presented. The risk manager would have to inform others of some of these insurance
policy requirements, especially among those who are likely to recognize the loss first.

Risk Management Policy

A fundamental objective of risk management is to decide what priority profits have over risk. In
this sense, this objective is the same that investors have when they must decide how much risk
they are willing to assume to maximize profits. For it is usually true that greater profits can only
be obtained by undertaking greater risks.
However, the risk-return ratio is much more complex for a business than for an investment
portfolio. Moreover, a business can suffer losses that greatly exceed any potential for profit, and
if the business is a corporation, especially a public corporation, then shareholders should also be
informed of the business's potential risks and how the business will manage those risks.
Consequently, a business should develop a risk management policy that delineates specific
objectives for each area of its business.

The risk management policy, at a minimum, should determine how much risk should be
retained, and if potential losses exceed a certain dollar value, a percentage of working capital, or
some other specific measure, then insurance should be purchased to cover that exposure. The
policy should also state who is primarily responsible for risk management overall and who is
responsible for particular risks. Generally, a risk manager will be responsible for
insurance coverage, maintaining property appraisals and inventory valuations, processing
claims, maintaining loss records, and supervising and reviewing loss prevention activities. The
risk policy may also state that only insurance from insurance companies with a minimum rating,
such as an A+ in Best's Policyholders Ratings, should be purchased. If insurance must be
purchased from another company not satisfying the minimum rating, then the risk manager must
obtain approval from the board of directors and/or file a report about the purchase.
The risk management policy should also include how loss exposures will be treated, what top-level
executives should know about the risk management process, and what standards will be used to
monitor the risk manager's performance. A written risk policy will also give the risk manager
greater authority in the firm, allowing a more effective implementation of the policy.
A risk management manual may also be published that provides greater detail of the
risk management process and can be tailored for specific employees working in specific areas of
the business. The manual should also include procedures to follow in an emergency.

Risk Management Matrix

A common method of categorizing risk and the solutions to handle those risks is to use a risk
management matrix, where risks are placed in a table according to their frequency and
maximum loss exposure, from losses with low probability and low severity to the maximum
possible loss, which would be the worst loss that could happen to the firm during its
lifetime, and to the maximum probable loss, which is the worst loss likely to happen.
Then the means to manage that risk would be determined by how frequent and severe the loss
would be. In other words, the risk management matrix is a special type of decision matrix,
where the risk management technique used depends on the 2 characteristics of losses: frequency
and severity, as exemplified by the following table:
Risk Management Matrix

Frequency Severity Risk Management Technique






Loss Prevention and Retention






Avoidance and Reduction

Avoidance is the only rational technique for a loss that is both severe and frequent, since no
organization can remain viable suffering a high frequency of losses that are also severe.
Likewise, no insurance company will insure such a loss. If these losses cannot be avoided
completely, then every effort should be made to reduce their severity or likelihood. Commonly occurring
losses can be budgeted and paid as an operating expense.

Risk Management Process

The risk management process consists of 6 steps:


determine objectives
identify risks
evaluate risks
manage those risks
implement the plan
review the results

The first step is to identify how risks will be managed:

Will there be a separate department and a separate risk manager?
How will specialized risks be managed?
How will alternative decisions be determined, such as whether to retain or transfer risk?

Identifying Risks
Thorough knowledge of an organization and its activities is required to identify risks. Besides
having a broad knowledge of the particular business and the laws and regulations affecting it,
the risk manager must generally obtain more specific information by interviewing the
appropriate people, both inside and outside of the organization, by physical inspections, and by
reading relevant internal records and documents. Risk can also be identified by studying OSHA
requirements for the specific business and what factors insurance
companies consider when setting a premium, which will usually depend on the hazards
associated with the type of business and for that particular business.
Documents that should be examined include financial statements, leases and other contracts,
inventory records, asset schedules, and appraisals and valuation reports. The risk manager
should also be notified of upcoming construction, remodeling, renovation of the firm's
properties, or the introduction of new products, activities, or other operations that may give rise
to risk. A risk manager must have a clear idea of how the business operates and what could
potentially happen if specific parts of the business are disrupted, such as from the destruction of
equipment or from the death or resignation of key employees. Risk managers often use
flowcharts to understand the business more thoroughly and to better evaluate what would
happen if one part of the business was disrupted.

Risk Evaluation
The magnitude of the risk depends on both the potential magnitude of the loss and the
probability that the loss will occur. To prioritize risks and to manage them successfully requires
that potential losses and their probability be assessed for each risk.
Besides classifying each risk according to a risk management matrix, another closely related
method is the criticality analysis approach. Criticality analysis, used in the US space
program, analyzes risks in terms of their severity and places them in particular classes according
to how critical the loss would be to the project. The criteria for each class would generally
depend on the project and the organization or business, but the following classes illustrate how
criticality analysis works:
Critical risks include all risks that will be catastrophic financially to the organization, where a loss would
result in bankruptcy.
Important risks are risks that the organization can recover from, but only by borrowing.
Unimportant risks are risks that can be paid out of current income or savings.

The effort to manage the above risks would be proportional to their criticality. Putting risks in
classes rather than prioritizing them individually makes sense because the effect of any loss
within a given class would be the same. For instance, if 2 different losses would bankrupt the
firm, then both losses should be avoided or insured. Likewise, for important risks and
unimportant risks, since losses from these categories would result in the same remedy.
When risks are evaluated, all potential losses associated with that risk should be evaluated. Both
direct and indirect costs of loss exposures must be estimated. For instance, if a
critical machine in a factory is destroyed, then not only the cost of the machine must be
considered, but also the cost of lost income, and any other losses resulting from the destruction
of the machine.
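
The criticality classes above, combined with the rule that direct and indirect costs are both counted, as an added Python example that is not part of the original article. The firm figures, the exposure amounts, and the choice to measure the classes against cash on hand and borrowing capacity are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    UNIMPORTANT = "payable out of current income or savings"
    IMPORTANT = "recoverable, but only by borrowing"
    CRITICAL = "catastrophic: loss would result in bankruptcy"


@dataclass(frozen=True)
class Firm:
    # Assumed inputs: the article names the remedies, not how to measure them.
    income_and_savings: float   # cash available without borrowing
    borrowing_capacity: float   # additional credit the firm could obtain


@dataclass(frozen=True)
class LossExposure:
    name: str
    direct_cost: float          # e.g. replacing the destroyed asset
    indirect_cost: float        # e.g. lost income while operations are down

    @property
    def total_cost(self) -> float:
        return self.direct_cost + self.indirect_cost


def classify(loss: float, firm: Firm) -> Criticality:
    """Place a loss amount in the class whose remedy the firm would need."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    if loss <= firm.income_and_savings:
        return Criticality.UNIMPORTANT
    if loss <= firm.income_and_savings + firm.borrowing_capacity:
        return Criticality.IMPORTANT
    return Criticality.CRITICAL


def build_register(exposures, firm):
    """Group exposures by class and flag those understated by direct cost alone."""
    register = {c: [] for c in Criticality}
    understated = []
    for e in exposures:
        full = classify(e.total_cost, firm)
        register[full].append(e.name)
        if classify(e.direct_cost, firm) is not full:
            understated.append(e.name)
    return register, understated


# Constructed sample data (not from the article).
FIRM = Firm(income_and_savings=500_000, borrowing_capacity=2_000_000)
EXPOSURES = [
    LossExposure("critical machine destroyed", 400_000, 900_000),
    LossExposure("breach of information systems", 300_000, 2_600_000),
    LossExposure("employee theft", 50_000, 10_000),
]

if __name__ == "__main__":
    register, understated = build_register(EXPOSURES, FIRM)
    for cls, names in register.items():
        print(f"{cls.name:<12} {names}")
    print("understated by direct cost alone:", understated)
```

Exposures that land in the `understated` list are the ones whose class changes once indirect costs are included, which is where a direct-cost-only estimate would lead to too little effort being spent.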

Risk Identification Tools

There are several tools that risk managers can use to identify risks. Most of these tools come
from the insurance industry, since it is obviously necessary for them to identify risks that the
insured are exposed to, in order to set accurate premiums. Additionally, insurance companies are
generally exposed to many businesses within a specific industry and over a long period of time,
so they have gained a great deal of information on the risk exposures of particular industries and
businesses. The major tools used are risk analysis questionnaires, exposure checklists, insurance
policy checklists, and expert systems. Although insurance companies are primary users of these
techniques, risk managers have used them to expand their applicability to all risks, whether they
are insurable or not.
Risk analysis questionnaires (a.k.a. factfinders) are questions answered by
specific people in the business on the particular aspects of the business that may give rise to risk.
Generally, the later questions are refined according to the answers given for the earlier
questions, thereby homing in on the important risk factors.
A risk exposure checklist is another means of identifying major risks, especially for
particular industries and businesses. Like all checklists, it helps to prevent overlooking major
exposures. An insurance policy checklist can also be used and can usually be obtained from
insurance companies or publishers of insurance related information. A risk manager can obtain
insurance policy checklists for every applicable insurable risk for the business. The disadvantage
of insurance policy checklists is that they generally do not cover non-insurable risks.
An additional source of information for the risk manager is historical loss data that the
business, or other similar businesses, has suffered over time. Risk maps can also be used to
identify risks, such as those used for floods and earthquakes.
All the above tools have been combined into expert systems, where the questions and
information are stored in a computer system. Expert systems store all the information necessary
for particular industries or businesses, and they can generate new questions to ask, based on
earlier information and they can even incorporate information from other sources, such as
industry or insurance publications. Additionally, an expert system can be designed to give
specific weights to specific factors that would represent a more accurate assessment of that risk

Enterprise Risk Management

As with any business, the success of any large enterprise will involve a successful management
of its risks, both pure and speculative, whether the risk is insurable or not. Besides the risk from
physical hazards, such as firestorms, an enterprise also has many other risks. Financial
risks include market risk, when the price of supplies increases or the value of investments
decreases; liquidity risk, when the firm does not have enough liquid assets to pay debts
becoming due; and credit risk, when the firm may not receive repayment of its loans or
receive payment for its products that were sold on credit. Banks, insurance companies and other
financial institutions especially require successful financial risk management.
Enterprises also have other risks that can affect them overall, including operational risk, reputational
risk, compliance risk, and strategic risk. Operational risk arises from an internal process
that causes losses, such as lack of internal controls, fraud, and technology risks, including
antiquated technology, breach of information systems by outsiders, programming errors; and
losses from external events, such as fires and floods. Reputational risk arises
from lower sales because of negative publicity or a negative reputation. Compliance risk is
the risk of failing to comply with laws and regulations, which will usually result in fines or
lawsuits that can cost the firm a significant amount of money. Strategic risk is failing to
implement the firm's strategy, resulting in lower profits or greater costs.

