Post on 11-Sep-2021

Risk management DIU 205

RISK MANAGEMENT

Course description

The course explores the insurance industry’s relationship to its external environment. It will examine the regulatory environment and the general dynamics of how the concepts, approaches and methodologies adopted by organizations are applied in the risk management process.

Course Objectives

The objectives of this course include:

I) To enable students to appreciate the framework for the general conduct of insurance and reinsurance business.
II) To provide basic knowledge about the fundamental principles of insurance and their application.
III) To make students understand how insurance enterprises are organized.
IV) To equip students with the basic characteristics of insurance cover and knowledge of the production processes involved.

Learning outcomes

After completing this course, the student should be able:

i) To have the knowledge to do insurance business.
ii) To explain the business and economic cycle of the insurance industry.
iii) To explain the consumer-oriented regulatory environment pertaining to the insurance industry.
iv) To appreciate the insurance market determinant factors and how they impact on the behavior of the market participants.
v) To understand the operational environment of insurance enterprises, in particular the regulatory framework.

COURSE DESCRIPTION

TOPIC DESCRIPTION and LESSON DETAILS

1.0 Classification of risk
  • Risk and related concepts
  • Classification of risks
  • Risk attitudes
  • Risk costs

2.0 Theoretical aspects of risk management
  • Risk concepts and possibilities
  • Risk classification and categorization
  • Approaches and philosophy
  • Cost of risk

3.0 Scope and objectives of risk management
  • Risk management approach
  • Risk management definitions and basic concepts
  • Risk management contributions and benefits to business

4.0 Effective risk management strategies
  • Formulating risk management strategy
  • Objectives: pre- and post-loss objectives
  • Role of the risk manager
  • Implementation strategies
  • Risk profiling and risk audits
  • Organizing and controlling the strategy

5.0 Identifying and analyzing loss exposures
  • Types of risk identification techniques
  • Hazard identification and risk assessment
  • Statistical and other methods of assessing risk exposures
  • Prioritizing and mapping of risks

6.0 Risk financing
  • Risk financing techniques

7.0 Alternative Risk Transfer (ART) mechanism
  • Finite risk reinsurance
  • Risk transfer to capital markets
  • Global trends in the insurance industry
  • Integrated risk management
  • Traditional and non-traditional options
  • Alternative risk financing products

8.0 Business continuity management
  • Definition of business continuity management
  • Emergency, disaster and catastrophe
  • Emergency threats
  • Disaster phases
  • Business continuity planning

9.0 Enterprise risk management
  • Enterprise risk management definitions and its application
  • Limitations of enterprise risk management
  • ERM impact on management practices
  • Other ways that ERM contributes to value creation
  • ERM process

CHAPTER 1.

1.1. RISK CONCEPT AND CLASSIFICATION

Introduction

This chapter looks at risk and its treatment. It looks at the nature and treatment of risks in our society. There is no single theory of risk; statisticians and actuaries each have their own concept of risk. However, risk historically has been defined in terms of uncertainty. In this chapter, risk is defined as uncertainty concerning the assurance of loss.

Learning Outcomes

After studying this chapter, you should be able to:

1. Define risk
2. Understand the following types of risks:
   Pure risk
   Speculative risk
   Subjective risk
   Objective risk
   Diversifiable and non-diversifiable risks
3. Explain risk attitudes
4. Describe the costs associated with risks

Unit Structure

Risk and related concepts
Classification of risks
Risk attitudes
Risk costs

Study Guide

You are supposed to have a basic understanding of risk, the theory of probability and the evolution of risk management.

1.1 RISK AND RELATED CONCEPTS

If you have worked in, or studied, insurance, you will already have some idea of what is meant by risk. When studying risk management, it is important to distinguish between the following three concepts, which are central to any study of risk management. These concepts are often used synonymously and are freely interchanged. It is, however, important to understand clearly the distinction between the concepts and their components.

Risk is defined as the deviation or variability of actual results from an expected or desired result. Some other definitions of risk include:

• Risk is a combination of hazards measured by probability;
• Risk is a condition in which loss or losses are possible;
• Risk is a condition that can threaten the assets or earning capacity of an enterprise; and
• Risk is a set of circumstances with a possibility of loss, whether or not a loss actually takes place.

Risk implies that there is uncertainty present. There is uncertainty whether the event will take place and, if it takes place, what the outcome will be.

The supplied definitions of risk imply that:

• The decision-maker is uncertain about the outcome, and the actual outcome may therefore deviate from the expected outcome;
• The degree of uncertainty surrounding the event determines the level of risk; and
• The degree of risk can therefore be interpreted in terms of the frequency with which an event will occur and the probability that it will display a certain outcome. The risk event represents the deviation from the expected outcome.

Perils

A peril is the cause or source of a loss (loss event). Perils can be classified into:

• Natural perils, such as hail, floods and vermin infestation, to mention a few. The occurrence of natural perils is largely beyond human control. Humans can, however, take effective loss control measures to control the severity of losses resulting from natural perils;
• Human perils, for example the actions or inactions of single individuals or groups of individuals committing theft or homicide, acting negligently, or failing through incompetence or dishonesty; and
• Economic perils, which stem from the actions of large numbers of persons or of governments in, for example, conducting strikes or boycotts, or waging war, to mention a few.

Insurance policies usually refer to specified perils, which means that cover is provided whenever a loss is caused by the specified peril.

Hazards

A hazard is a condition that may increase the frequency or severity, or both, of a loss resulting from a given peril.

Hazards can be classified as:

• Physical hazards: these comprise physical properties that might increase the chance of loss from the various perils. For example, a thatch roof increases the possibility of loss due to fire;
• Moral hazards: these refer to an increase in the probability of loss resulting from the evil tendencies in the character of individuals or groups. For example, a person's dishonest tendencies may induce that person to commit insurance fraud. Individuals acting against the law can also be classified as moral hazards. For example, a person driving under the influence of alcohol is deliberately acting against the law and is increasing the possibility of loss due to accidents;
• Legal hazards: these refer to the increase in the frequency and severity of loss that arises from legal doctrines enacted by legislatures and created by courts. An example is an increase in the possibility of liability losses due to legislation.

Example

You have a meeting in Bushenyi at 14:00. You live in Mbarara. Your expected outcome is to be at the meeting at 14:00. The risk in this case is that you might be late for the meeting or miss the meeting altogether due to certain circumstances.

Some of the possible perils that might cause a deviation from the expected outcome (being at the meeting at 14:00) are accidents, car trouble and hijacking, to mention a few.

Hazards that might increase the possibility of the deviation due to the identified perils include, amongst others, wet road conditions, spillage on the road surface, speeding, traffic jams and road works.

In some cases, a hazard might also be the cause of the deviation. For example, road works might increase the possibility of the deviation but can also be the cause of the deviation.

1.2. CLASSIFICATION OF RISK

1. Classification of risks

Risks have been mainly classified as:

a) Personal, property or liability risk
i) Personal: Potential loss to persons
ii) Property: Potential loss to property
iii) Liability risk: Potential liability for any individual or institution.

b) Physical, social or market risk
i) Physical: Storm, tempest, flood, hurricane and such other natural phenomena.
ii) Social: Riot, strike, civil commotion, burglary, theft etc.
iii) Market: The price reduction or the purchase and sale constraints are involved.

c) Pure or speculative risk
i) Pure risk: considered in the context of the existence of a chance of loss only, but not the chance of gain at all.
ii) Speculative risk: when there is a chance of gain as well as a loss.

Examples of pure risks include:
Chemical: Fire, explosion
Natural: Cyclone, flood, earthquake
Social: Riot, strike, theft, fraud, negligence
Technical: Machinery breakdown
Personal: Death, disablement, sickness, theft, fraud and injury

It can be seen that in most cases it is unlikely that anything other than loss will result.

Entrepreneurial or business risk undertaken by businessmen is an example of speculative risk, where either profit or loss may result. The following chart provides illustrations of business risks:
Technical: New technology
Social: Consumer behavior, industrial unrest
Economic: Inflation, tax policy, competition
Political: War, nationalization

Some examples of business risks are:
1. Production may not achieve the planned output at the planned cost due to uncertain events such as non-availability of raw materials or an increase in their costs, or labour problems in the form of strikes, work to rule or go slow tactics, etc.

d) Static or dynamic risk
i) Static risk: those connected with losses caused by the irregular action of the forces of nature or the mistakes and misdeeds of human beings.
ii) Dynamic risk: those associated with changes in human wants and improvements in machinery or technological innovations.

e) Fundamental or particular risk
i) Fundamental risk: risks associated with groups, impersonal in origin and effect. These fundamental risks are in the form of political or economic changes happening to a group.
ii) Particular risk: those associated with individuals.

Case Study

Brandon, aged 37, worked as a construction worker in Kampala. He was married and had two preschool children. While he was working on the roof of a new house under construction, a heavy gust of wind blew Brandon off the roof into a hole adjacent to the house. He was seriously injured and died shortly after being admitted to a local hospital.

Brandon’s tragic and untimely death shows that we live in a risky and dangerous world. The media report daily on similar tragic events that illustrate clearly the widespread presence of risk in our society. Examples abound: a deranged gunman kills 10 customers in a local department store; a small town is wiped out by a tornado; a drunk driver kills 5 people in a van on a crowded expressway; brush fires destroy hundreds of expensive homes. In addition, many people experience financial tragedies because of catastrophic medical expenses, the unexpected death of a family head, or the loss of a good-paying job. Still others experience financial setbacks because they negligently injure someone and cannot pay a liability judgement and other legal costs.

1.3. RISK ATTITUDES

Risk attitudes can be defined as the ways in which a person behaves in an uncertain situation; they vary from person to person because of personality, economic status and potential gains or losses.

These attitudes fall into one of the following categories:

Diagram 1: Categories of risk attitude: Risk neutral; Risk preferer; Risk averter

The risk neutral person reacts to risk in line with its statistical probability, i.e. with the likelihood of its occurrence. He tries to neutralize or balance the chance of a loss against the chance of gain, e.g. if he has to bet on the result of a match between two teams, he will bet equal amounts on both teams.

The risk preferer actually welcomes the existence of risk and uncertainty. He is willing to take a chance of gain against the odds posed by risks.

The risk averter is the one normally frightened by risk and does not like to live with uncertainty. He would rather pay for certainty and will even pay for changing uncertainty into certainty, e.g. payment of a premium to an insurer for the assurance of loss compensation.

Under which of the following risk attitude categories is a person willing to take a chance of gain against the odds posed by risks?

I. Risk neutral
II. Risk preferer
III. Risk averter
IV. All of the above - risk neutral, risk preferer and risk averter

1.4 RISK COSTS

The costs imposed by the existence of risk can be identified in three separate areas:

1. Cost of the loss

This includes both direct and indirect costs. Direct costs are those immediately attributable to the event, e.g. repairs to a damaged vehicle, replacement of goods damaged as the result of a collision, third party compensation if necessary, assessor's expenses etc. Indirect costs in this example may be additional wear and tear on other vehicles and time lost by other drivers attending the scene of the accident.

2. Costs of handling risk

Time spent on identification, analysis and negotiation of insurance covers could be more profitably employed in income-generating activities. The additional monetary costs of loss prevention and reduction, together with the costs of consultancy fees and insurers' profit loading, serve to reduce the profitability of the company.

3. Costs imposed by risk

Because we live in an uncertain world, individuals are willing to pay amounts in excess of the sums which they stand to lose, on average, in the long term, i.e. over their lifetime. This long-term average is known as the expected value of loss.
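To make the attitude definitions in section 1.3 and the expected value of loss in this section concrete, here is an added Python example (not part of the course text). The vehicle loss distribution, the 25% insurer loading and the three decision makers with their maximum premiums are all constructed figures.

```python
"""Expected value of loss and the three risk attitudes (added example).

The loss distribution, the loading and the decision makers below are
constructed illustrations, not figures from the course text.
"""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LossOutcome:
    probability: float
    amount: float  # size of the loss (Ushs) if this outcome occurs


def expected_value_of_loss(outcomes: List[LossOutcome]) -> float:
    """Sum of probability x loss over all outcomes (the long-run average).

    Probabilities must be non-negative and describe the whole distribution,
    so they have to add up to 1; anything else is a modelling error.
    """
    total = sum(o.probability for o in outcomes)
    if any(o.probability < 0 for o in outcomes) or abs(total - 1.0) > 1e-9:
        raise ValueError("probabilities must be non-negative and sum to 1")
    return sum(o.probability * o.amount for o in outcomes)


def classify_attitude(max_premium: float, expected_loss: float) -> str:
    """Compare what a person will pay for certainty with the expected loss.

    Paying more than the expected loss to remove uncertainty is the risk
    averter; paying exactly the statistical value is risk neutral; paying
    less (preferring to keep the gamble) is the risk preferer.
    """
    if math.isclose(max_premium, expected_loss, rel_tol=1e-9):
        return "risk neutral"
    return "risk averter" if max_premium > expected_loss else "risk preferer"


def loaded_premium(expected_loss: float, loading: float) -> float:
    """Insurer's price: expected loss plus a loading for expenses and profit."""
    if loading < 0:
        raise ValueError("loading cannot be negative")
    return expected_loss * (1.0 + loading)


def insurance_decisions(outcomes: List[LossOutcome],
                        max_premiums: Dict[str, float],
                        loading: float) -> Dict[str, Dict[str, object]]:
    """For each person, classify the attitude and say whether they would buy
    cover at the loaded premium (they buy only if it is within what they are
    willing to pay)."""
    ev = expected_value_of_loss(outcomes)
    price = loaded_premium(ev, loading)
    return {
        name: {"attitude": classify_attitude(mp, ev), "buys_cover": bool(mp >= price)}
        for name, mp in max_premiums.items()
    }


# Constructed annual loss distribution for one vehicle (Ushs):
# 90% no loss, 8% minor repair, 2% total loss.
VEHICLE_LOSSES = [
    LossOutcome(0.90, 0),
    LossOutcome(0.08, 500_000),
    LossOutcome(0.02, 20_000_000),
]
# Constructed maximum premiums three people would pay for full cover.
MAX_PREMIUMS = {"Amina": 600_000, "Brian": 440_000, "Carol": 300_000}

if __name__ == "__main__":
    ev = expected_value_of_loss(VEHICLE_LOSSES)
    print(f"expected value of loss: Ushs {ev:,.0f}")
    print(f"premium with 25% loading: Ushs {loaded_premium(ev, 0.25):,.0f}")
    for name, d in insurance_decisions(VEHICLE_LOSSES, MAX_PREMIUMS, 0.25).items():
        print(f"{name}: {d['attitude']}, buys cover: {d['buys_cover']}")
```

Only the risk averter buys cover once the insurer's loading is added, which is the point of "costs imposed by risk": the premium people are willing to pay sits above the expected value of loss.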

The cost of risk is, thus, dependent on three variables, viz.

a) Risk control measures,
b) Uninsured losses, and
c) Insurance.

These costs get distributed among the bearers of the risks, as shown in the following diagram:

Diagram: Distribution of costs of risk. Total direct and indirect costs of risk are made up of the cost of handling risk, the cost of loss and the cost imposed by risk, and are split into private costs and social costs.

CASE APPLICATION

Michael is a college senior who is majoring in marketing. He owns a high-mileage 2000 Ford that has a current market value of $2500. The current replacement value of his clothes, television, stereo, cell phone, and other personal property in a rented apartment totals $10,000. He wears disposable contact lenses, which cost $200 for a six-month supply. He also has a waterbed in his apartment that has leaked in the past. An avid runner, Michael runs five miles daily in a nearby public park that has the reputation of being extremely dangerous because of drug dealers, numerous assaults and muggings, and drive-by shootings. Michael’s parents both work to help him pay his tuition.

For each of the following risks or loss exposures, identify an appropriate risk management technique that could have been used to deal with the exposure. Explain your answer.

a. Physical damage to the 2000 Ford because of a collision with another motorist
b. Liability lawsuit against Michael arising out of the negligent operation of his car
c. Total loss of clothes, television, stereo, and personal property because of a grease fire in the kitchen of his rented apartment
d. Disappearance of one contact lens
e. Water bed leak that causes property damage to the apartment
f. Physical assault on Michael by gang members who are dealing drugs in the park where he runs
g. Loss of tuition assistance from Michael's father, who is killed by a drunk driver in an auto accident

Study Questions

1. Explain the meaning of risk.
2. How does objective risk differ from subjective risk?
3. What is the difference between peril and hazard?
4. What is the difference between pure risk and speculative risk?
5. List the major types of pure risk.
6. What are risk attitudes?
7. Explain the costs associated with risk.

CHAPTER 2: THEORETICAL ASPECT OF RISK MANAGEMENT

Introduction

Risk management is one of the many activities that organizations (and individuals) carry out to help them achieve their objectives.

Risk management assists organizations and individuals to decide:

1. How much risk to accept when pursuing objectives.
2. The necessary actions to deal with risk and uncertainty in order to pursue the objectives.

In developing answers to such questions a number of aspects of risk management must be taken into consideration.

Learning objectives

1. To develop an understanding of various concepts on risk management.
2. To develop a practical approach to the application of risk management and decision making.
3. To develop an understanding of risk classification and its application.
4. To develop an understanding and application of the total cost of risk.

RISK CONCEPTS AND POSSIBILITIES

Risk experts and scholars have developed various risk concepts to support various industries and projects. These concepts have proved to be vital to the transformation of the risk management function. The fundamental concepts of risk recognize that risk management is not entirely about eliminating risk but about managing it.

The elimination perspective of risk would bring most businesses to a standstill, as a business must take “calculated risks” for a reward. The conflict between risk and reward is one that requires a carefully thought-through process. The trade-off between profits and opaque risks requires an objective approach by any business. In a highly regulated macro and micro business environment this objectivity may be hijacked by powerful business groups exaggerating potential returns while diminishing perceived potential risks. It is paramount that an organization has a strong risk management and risk governance culture to limit any such incidents.

Thus it can be conceived that managing risks presents various opportunities (internally and externally) if processes and procedures are in place and are rigorously tested to confirm that they are applicable to a rapidly changing and dynamic business environment.

The process of managing risk will involve:

1. Defining the risk appetite (how much risk an organization is willing to accept) and risk capacity (how much risk an organization can afford to take).
2. Identification of risks that will affect an organization's ability to achieve its objectives.
3. Risk assessment of the impact and frequency of risk.
4. Decisions on how to manage risk if it indeed occurs.
5. Managing the entire process of monitoring and communication.

Risk management concepts vary from industry to industry due to the myriad of risks that will affect a particular organization. Risk factors such as those inherent in the strategy of an organization, product offerings, economic conditions, consumer preferences and demographic changes will affect organizations differently.

Attitude towards Risks

In the mid-80s, when the frequency of professional liability claims against design professionals reached an all-time high and many insurers had abandoned the professional liability market, a frequently heard comment was that the result would be “vanilla architecture” and “timid engineering.” That did not happen. Instead, most design professionals learned to manage risk proactively by following certain basic principles as part of an overall risk management philosophy. Some of these principles included:

• Engage in projects within the design professional’s qualifications, experience, and staffing.
• Carefully select clients through “due diligence” inquiries of appropriate persons, including other design professionals who have previously performed services for the same client.
• Provide training, and regularly repeat training, for firm personnel on contractual and risk management topics, including how to identify and deal with difficult client issues or risk-intensive situations.

With such an approach insurers are more willing to take on design risks if the client has taken all necessary due diligence to minimize any foreseeable gaps that would turn into a claim.

1.0 Risk and Decision Making

We know by experience that very few people make decisions on the basis of well-deliberated calculations, whether the decision situation is of a private character or in a job situation. We also know that people often neglect the normative rules when making risky decisions, and that they often make decisions by intuition or on “a hunch” that seems correct. The descriptive theory gives us some explanations of why people make decisions the way they actually do and why the suggested normative rules for decision-making under risk and uncertainty are not followed. For instance, people make decisions by following well-known paths and by following well-established and built-in norms.

Research relating risk attitudes to actual behavior when handling risky prospects still remains relatively murky. However, as we unveil various theories on risk management a number of foundation concepts will be learnt.

Risk means different things to different people, and they perceive risk in different ways depending on what area they are working within. Many studies have attempted to deal with this differentiation aspect and have studied the role of risk in their respective fields. It thus can be assumed that “Risk” is a much overused word and there is a need to provide a useful definition of risk in the field of decision-making.

This definition distinguishes three types of decision-making situations. We can say that most decision-makers are in the realms of decision-making under either:

a) Certainty, where each action is known to lead invariably to a specific outcome.
b) Risk, where each action leads to one of a set of possible specific outcomes, each outcome occurring with a known probability.
c) Uncertainty, where actions may lead to a set of consequences, but where the probabilities of these outcomes are completely unknown. A risky situation is thus a situation where the outcome is unknown to the decision-maker, and not knowing which outcome will occur may lead to erroneous choices.

When making any decision, an understanding of the several risks that may impede (chance of loss) or even increase the realization of the decision needs to be taken into consideration. Risks can take various shapes, as below:

Pure risk – chance of loss or no loss (breakeven)
Speculative risk – chance of loss or gain (business risk)

There exists a fine line between pure and speculative risks as organizations evolve and the business environment changes.

It is worthwhile making a distinction between uncertainty and risk.

Uncertainty is a shortfall of knowledge or information about what kinds of outcome may occur, the factors which may influence future outcomes, and the likelihood or impact of various outcomes. These possible outcomes can be divided into unfavourable, expected or favourable, according to present perceptions (which may change in future).

Risk is exposure to unfavourable outcomes, but it is worth noting that there may be upside risk in terms of exposure to favourable outcomes.

It is important to consider that the individual traits, skills, education and experience of the decision maker will play a critical role in making decisions.

Question

For instance, if faced with a decision to purchase a new machine worth Ushs. 100 Million or upgrade the current machine (second hand) at a cost of Ushs. 10 Million, what would be your approach, in order of rank, for the options below?

(a) Avoid buying or upgrading the current machine?
(b) Collect more information?
(c) Check different aspects of the problem?
(d) Actively work on the problem to reduce any inherent risks?
(e) Delay the decision?
(f) Delegate the decision?

2.0 Risk Appetite

Whilst businesses exist to create value for their shareholders and generate a good return, the uncertainty of realizing these goals cannot be ignored.

The question is how much risk an organization should accept in order to add value for the shareholders and to meet its obligations to other stakeholders. Determining the “risk appetite” helps answer this question.

When an insurance organization takes on insurable risks on behalf of clients, the client expects that all valid claims will be paid subject to the policy limit, terms and conditions. The insurance organization must have an appetite to take on such risks.

Risk appetite varies from organization to organization. When risk appetite is clearly articulated and well understood by everyone in the organization, it guides (in fact it should dictate) how much risk everyone is allowed to take when selecting business strategies and in day-to-day decisions.

Risk appetite is described as the nature/type and the total amount of risk an organization is willing to accept in order to pursue value. It should take into account the organization's obligations towards its key stakeholders, especially its customers, e.g. insurance policyholders.

It articulates:

• The organization's attitude towards risk-taking.
• The nature/type of risks it wants to assume.
• The nature/type of risks that are unacceptable.
• The aggregate amount of risk the organization as a whole is willing to accept, under both normal and extreme business environments.

It is important that the organization's risk appetite is commensurate with its ability to manage risks.

Risk appetite is set at an aggregate organizational level and is generally expressed in broad terms, quantitatively and qualitatively.

These days, organizations which have articulated their risk appetite formally define it in a written Risk Appetite Statement, for instance: “We shall maintain all costs and expenses within the approved budget.”

While defining risk appetite a number of factors need to be taken into consideration.

Internal factors affecting risk appetite include:

• Company history of risk taking
• Long term organizational objectives
• Stage in the organization’s life cycle: startup, growth, maturity and decline
• Financial stability (assets, income and cash flow)
• Management willingness to accept risk versus the organization’s financial ability to assume risk

External factors affecting the organization’s risk taking appetite include:

• Market maturity
• Competition and the need to take business risk
• Public image
• Shareholder attitudes (owners, creditors, government and beneficiaries)

Example 1: Company ABC is strong in its business philosophy and willing to take risks. However, it is a start-up company which has net losses, little net worth, and little ability to borrow from banks. What needs to change?

Example 2: Company XYZ is very conservative and not willing to take much risk. They have lots of cash, are profitable, have excellent net worth, and have more money than their banks. What needs to change?

Risk Tolerance

Risk tolerance is a quantitative expression of the total level of risk or uncertainty an organization is willing to take when pursuing specific objectives.

Alternatively, it can be considered in terms of the key risks an organization faces, as the amount of each of the key risks an organization is willing to take.

Risk tolerance should be aligned with risk appetite and represents the boundaries for risk taking. It is expressed as an acceptable variation around an objective or the performance outcome.

Risk limits are derived from risk tolerances. Risk tolerances are translated into granular risk limits which are allocated throughout the organization. Risk limits are assigned to each of the levels in the organization and they form the boundaries of individuals' risk-taking in their day-to-day business activities.

For instance, in an insurance underwriting manual (fire exposures) risk tolerance can be described as “we shall take on exposures not exceeding Ushs. 3 Billion”. Thus an underwriter is limited to taking on only risks that are below this threshold.

Risk Capacity

Risk capacity is the type and amount of risk an organization is able to take or withstand. A number of factors determine an organization's risk capacity: its financial resources, the legislation and regulations the organization is subject to, and its capabilities.

The more financial resources an organization has, the more risk it can withstand. Therefore risk capacity can influence risk appetite.

Financial services organizations such as banks and insurers are regulated. Often, they are authorized or licensed by their local regulator(s) and are required to hold a minimum amount of capital (regulatory capital).

For the purpose of explaining risk capacity, it is the amount of financial resources that serves as a buffer to absorb unexpected losses. For banks and insurers, risk capacity can be thought of as the level of risk an organization can take before breaching the regulatory capital requirements.
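The appetite, tolerance, limit and capacity definitions above can be written as checkable rules; the following Python example is added here and is not from the course text. The fire tolerance reuses the Ushs. 3 Billion per-exposure figure from the text, while the Ushs. 20 Billion aggregate, the two underwriting desks, the available capital and the regulatory minimum are constructed placeholders.

```python
"""Risk appetite -> tolerance -> limits -> capacity as checkable rules.

Added example, not from the course text. All figures except the
Ushs. 3 Billion per-exposure tolerance are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

USHS_BILLION = 1_000_000_000


@dataclass
class RiskTolerance:
    """Quantitative boundary for one key risk, aligned with the appetite."""
    risk_type: str
    per_exposure: float  # largest single exposure the organization will accept
    aggregate: float     # total of that risk type it will hold at any one time


@dataclass
class RiskLimit:
    """Granular limit allocated to one unit, derived from a tolerance."""
    unit: str
    risk_type: str
    per_exposure: float
    aggregate: float
    accepted: List[float] = field(default_factory=list)

    def held(self) -> float:
        return sum(self.accepted)


def allocate_limits(tolerance: RiskTolerance, shares: Dict[str, float]) -> List[RiskLimit]:
    """Translate a tolerance into granular limits for several units.

    The shares may not add up to more than 100% of the tolerance; otherwise
    the units could jointly exceed the boundary the appetite set.
    """
    if any(s < 0 for s in shares.values()) or sum(shares.values()) > 1.0 + 1e-9:
        raise ValueError("allocated shares exceed the risk tolerance")
    return [
        RiskLimit(unit, tolerance.risk_type, tolerance.per_exposure, tolerance.aggregate * s)
        for unit, s in shares.items()
    ]


def check_exposure(limit: RiskLimit, amount: float) -> Tuple[bool, str]:
    """Underwriting gate: accept an exposure only inside the unit's limit."""
    if amount <= 0:
        return False, "exposure must be positive"
    if amount > limit.per_exposure:
        return False, f"{amount / USHS_BILLION:.2f} bn exceeds the per-exposure limit"
    if limit.held() + amount > limit.aggregate:
        return False, "would breach the unit's aggregate limit"
    limit.accepted.append(amount)
    return True, "accepted"


def risk_capacity(available_capital: float, regulatory_minimum: float) -> float:
    """Capacity: loss that can be absorbed before breaching regulatory capital."""
    return max(0.0, available_capital - regulatory_minimum)


def appetite_is_commensurate(tolerances: List[RiskTolerance], capacity: float) -> bool:
    """The appetite must not exceed the ability to withstand the risk taken."""
    return sum(t.aggregate for t in tolerances) <= capacity


# Constructed figures for the worked case (only the 3 bn is from the text).
FIRE_TOLERANCE = RiskTolerance("fire", per_exposure=3 * USHS_BILLION,
                               aggregate=20 * USHS_BILLION)
AVAILABLE_CAPITAL = 30 * USHS_BILLION
REGULATORY_MINIMUM = 8 * USHS_BILLION  # placeholder, not a real requirement


def run_fire_desk_example() -> List[Tuple[float, bool, str]]:
    """Submit a series of fire exposures to one desk and record each decision."""
    desk = allocate_limits(FIRE_TOLERANCE, {"desk A": 0.5, "desk B": 0.5})[0]
    submissions = [2.5, 3.5, 2.5, 2.5, 2.5, 2.5, 0.5]  # Ushs billions
    results = []
    for bn in submissions:
        ok, reason = check_exposure(desk, bn * USHS_BILLION)
        results.append((bn, ok, reason))
    return results


if __name__ == "__main__":
    cap = risk_capacity(AVAILABLE_CAPITAL, REGULATORY_MINIMUM)
    print(f"capacity: {cap / USHS_BILLION:.0f} bn, appetite commensurate: "
          f"{appetite_is_commensurate([FIRE_TOLERANCE], cap)}")
    for bn, ok, reason in run_fire_desk_example():
        print(f"{bn:4.1f} bn -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The 3.5 bn submission fails the per-exposure limit even though the desk has room in aggregate, and the last two fail the aggregate limit even though each is under 3 bn, which is why both boundaries are needed.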

RISK CLASSIFICATIONS AND CATEGORIZATION

Organizations will group risks according to their estimated cost and likelihood of occurrence. This classification can be quantitative and/or qualitative. In some organizations aspects such as event-based classification and cause-based classification are applied.

Event-based classification seeks to classify risks by event, i.e. by what has just occurred which has given rise to an adverse impact. Cause-based classification seeks to classify risk by what has given rise to the event.

Page 30: Risk management DIU 205

Insurance is a means for dealing with the economic uncertainty associated with chance

occurrences. It does so by exchanging the uncertainty of the occurrence, the timing, and

the financial impact of a particular event for a predetermined price.

To establish a fair price for insuring an uncertain event, estimates must be made of the

probabilities associated with the occurrence, timing, and magnitude of such an event.

These estimates are normally made through the use of past experience, coupled with

projections of future trends, for groups with similar risk characteristics.

The grouping of risks with similar risk characteristics for the purpose of setting prices is a

fundamental precept of any workable private, voluntary insurance system.

This process, called risk classification, is necessary to maintain a financially sound and

equitable system. It enables the development of equitable insurance prices, which in

turn assures the availability of needed coverage to the public.

Risk classification is intended simply to group individual risks having reasonably similar

expectations of loss. Difficulty in risk classification comes with the introduction of

concepts such as “fairness” and “similar risk characteristics.” Each individual, each

business, each piece of property is unique; to the extent that the risk classification

process attempts to identify and measure every characteristic, it becomes unworkable.

On the other hand, because there are differences in risk characteristics among


individuals and among properties which bear significantly upon cost, to ignore all such

differences would be unfair.

The following basic principles should be present in any sound risk classification system in

order to achieve its purposes:

The system should reflect expected cost differences.

The system should distinguish among risks on the basis of relevant cost related

factors.

The system should be applied objectively.

The system should be practical and cost-effective.

The system should be acceptable to the public.

A risk classification system serves three primary purposes: to protect the insurance

program’s financial soundness; to enhance fairness; and to permit economic incentives

to operate with resulting widespread availability of coverage.


Protection of insurance program’s financial Soundness

The financial threat to an insurance program’s solvency is primarily through a

complex economic concept called adverse selection. It results from the

interaction of economic forces between buyers and sellers of insurance. In

markets where buyers are free to select among different sellers, normally with a motivation to minimize the price for the coverages provided, adverse selection is possible. In such markets sellers have a limited ability to select buyers and have a basic need to maintain prices at a level adequate to assure solvency. In many cases, these economic forces are in equilibrium; occasionally, they are not. This imbalance is what is meant by adverse selection, which creates economic instability and can threaten the insurance program’s financial stability. In the early 1900s some assessment societies offered life insurance benefits to

members without making price distinctions on known mortality differences for

different age groups. Some younger members of those groups were gradually

attracted to lower priced competitors, while others decided not to insure at all.

This opting out resulted in higher prices for remaining members. Some of those

remaining then opted out. An upward spiral of higher prices resulted for the

fewer remaining older lives.

Risk classification is one means of minimizing the potential for adverse selection.

It reduces adverse selection by balancing the economic forces governing buyer

and seller actions. Risk classification is not the only answer to controlling adverse

selection.

Enhanced Fairness


Since adverse selection occurs when the prices are not reflective of expected

costs, a reasonable risk classification system designed to minimize adverse

selection tends to produce prices that are valid and equitable i.e. not unfairly

discriminatory. Differences in prices among insurance classes should reflect

differences in expected costs with no intended redistribution or subsidy among

the classes. Ideally, prices and expected costs should also match within each

class. That is, each individual risk placed in a class should have an expected cost

which is substantially the same as that for any other member of that class. Any

individual risk with a substantially higher or lower than average expected cost

should be placed in a different class.

Economic Incentive

Any economic system that relies primarily on private enterprise for the

distribution of goods and services relies on companies and individuals to seek

out potential customers and develop means of successfully selling and servicing

the needs of those customers. The companies that prove to be the most

successful in servicing customers’ needs will be rewarded with the largest

proportion of the potential customers. Insurers offering private, voluntary

insurance programs are no different in this regard. They have incentives to

expand their markets and to achieve a high penetration of the markets they

choose to serve. In developing marketing strategies, and in pricing the products

needed in their markets, insurers need a risk classification system that will

permit them to offer insurance to as many of their potential customers as

possible, while at the same time assuring themselves that their prices will be adequate to cover the customers’ financial uncertainty that the insurers assume.


RISK APPROACHES AND PHILOSOPHY

When there is a risk, there must be something that is unknown or has an unknown

outcome. In non-regimented usage, “risk” and “uncertainty” differ along the subjective

and objective dimension. Whereas “uncertainty” seems to belong to the subjective

realm, “risk” has a strong objective component. The relationship between the two

concepts “risk” and “uncertainty” seems to be in part analogous to that between “truth”

and “belief”.

In decision theory, a decision is said to be made “under risk” if the relevant probabilities

are available and “under uncertainty” if they are unavailable or only partially available.

Partially determined probabilities are sometimes expressed with probability intervals,

e.g., “the probability of having a motor accident tomorrow is between 0.1 and 0.4”. The

term “decision under ignorance” is sometimes used about the case when no

probabilistic information at all is available.

In real-life situations, even if we act upon a determinate probability estimate, we are

not fully certain that this estimate is exactly correct, hence there is uncertainty. It

follows that almost all decisions are made “under uncertainty”. If a decision problem is

treated as a decision “under risk”, this does not mean that the decision in question is

made under conditions of completely known probabilities.

Rather, it means that a choice has been made to simplify the description of this decision

problem by treating it as a case of known probabilities. This is often a highly useful

idealization in decision theory. However, in practical applications it is important to

distinguish between those probabilities that can be treated as known and those that are

uncertain and therefore much more in need of continuous updating. Typical examples

of the former are the failure frequencies of a technical component that are inferred


from extensive and well-documented experience of its use. The latter case is

exemplified by experts' estimates of the expected failure frequencies of a new type of

component.

In the risk sciences, it is common to distinguish between “objective risk” and “subjective

risk”. The former concept is in principle fairly unproblematic since it refers to a

frequentist interpretation of probability. The latter concept is more ambiguous. In the

early psychometric literature on risk (from the 1970s), subjective risk was often

conceived as a subjective estimate of objective risk. In more recent literature, a more

complex picture has emerged. Subjective appraisals of (the severity of) risk depend to a

large extent on factors that are not covered in traditional measures of objective risk

(such as control and tampering with nature). If the terms are taken in this sense,

subjective risk is influenced by the subjective estimate of objective risk, but cannot be

identified with it. In the psychological literature, subjective risk is often conceived as the

individual's overall assessment of the seriousness of a danger or alleged danger. Such

individual assessments are commonly called “risk perception”, but strictly speaking the

term is misleading. This is not a matter of perception, but rather a matter of attitudes

and expectations.

TOTAL COST OF RISK

As risk management moves from a tactical approach centered on insurance to a

strategic approach that emphasizes enterprise risk management (ERM), risk managers

and finance executives need to develop new tools to handle the emerging demands

generated by this shift.

The traditional cost-of-risk metrics have served executives well. They tend to focus on insurance-based aspects of risk, including the price tag for premiums, claims and administration. But those metrics alone no longer do the job, because they usually omit the costs of the processes used to manage and reduce risks to acceptable levels. For example, they ignore the expenditure required for setting up the policies and procedures that will help reduce the number and severity of accidents, as well as the opportunity costs and cost of capital associated with insuring and retaining risk.

A Difficult Path

Developing a new and more relevant cost-of-risk metric is not easy. The biggest problem is tracking the costs, because it can be difficult to identify specifically what is spent on managing operational risks.

In addition, there are structural barriers to changing the cost-of-risk calculation. In many

companies, risk is handled by more than one function, with little or no interaction

among the groups. Financial risks rest with the CFO/controller, treasury handles capital

market risks, human risks are the purview of HR, the environmental health and safety

group manages environmental risks, hazard risks are the responsibility of the insurance

risk manager, and business risks stay with operations, for instance. In this environment,

coordinating and measuring the cost of risk becomes more difficult.

A company must commit time and resources to understanding all its risks and their impact on each other; only then can it really understand the true cost and correlation of its risks and what methods it should employ to manage them.

The scope of decision-making is also limited to individual functions. Even risk managers tend to make coverage decisions in silos, looking at each line of insurance coverage individually and deciding, for instance, to retain more property risk because insurance rates for that line of coverage are expensive.


New ways of measuring and managing the cost of risk involve more than a holistic view of risk. They require risk managers to change their mindset. Risk managers need to stop thinking of themselves as insurance buyers and become a resource to business groups, helping them manage overall risk: not just physical risks, but business risks as well.

Even after companies have gathered the relevant data on a new cost-of-risk metric, they

may find that benchmarking that metric is a challenge. For example, if a company relies

on only one or two suppliers for a key manufacturing component, it will incur one level

of component availability risk by maintaining the status quo and a different amount of

risk by expanding its list of suppliers. However, another company is unlikely to face the

same level of risk because its circumstances may differ.

Whereas traditional cost-of-risk metrics look at past risks and expenditures, this broader

cost-of-risk metric focuses on the future and potential risks that companies could face.

For example, one company’s initial assessment includes operational risks that may occur during the next 12 to 18 months, but its more strategic appraisal, carried out through the organization’s strategic planning process and management committee, involves risks up to 10 years in the future. However, there is no set approach to measuring the cost of risk in this manner.

The first step is to interview senior leaders within the company about "what keeps them up at night".


Total Cost of Risk

Total Cost of Risk (TCOR) refers to the sum of all the quantified costs and expenses associated with the risk management function of an organization.

Components of Cost of Risk

a) Retained losses include those that the organization has planned for (active) and those that have inadvertently or unconsciously not been planned for (passive).

b) Insurance costs include premiums, levies and tax related to the acquisition of insurance coverage.

c) Risk management department costs include salaries, employee benefits, administrative charges (travel and training), the risk management information system and management overhead. These costs are specific to the risk management department.

d) External service fees include fees paid to risk management consultants, actuarial and legal advisers, loss control specialists and third-party administrators.

e) Indirect costs such as management time spent on loss-related activities, loss of goodwill, overtime costs, damage to brand and penalties for lost contracts.

Benefits of Total Cost of Risk (TCOR)

1. TCOR plays an important role in guiding management on risk decisions. It provides clarity on risk management spend and on how resources can be used most effectively while implementing risk management strategies.


2. TCOR enables management to measure progress towards the risk management objectives.

3. TCOR provides employee and management incentives. When specific risk

objectives and goals are achieved various incentives are triggered and enjoyed by

employees and management.

4. TCOR is instrumental in the pricing of products or services. In the product design and pricing process, it is usual for the risk department to sign off any new product after taking into consideration the various components of risk allocated to the product or service.

5. TCOR promotes safety and risk control by communicating the financial impact of a loss on the organization.

Cost of Risk Computation

Steps to measure the impact of a loss on sales or revenue:

1. Determine the profit margin of the organization

2. Divide the loss cost by the profit margin

The result is the sales or revenue required to pay for the loss.

When evaluating TCOR, remember it’s not just premiums. TCOR also includes self-insured losses, internal administrative fees (including collateral costs) and outside vendor fees such as broker and third-party administrator fees. A reduction in premiums may actually result in a higher total cost of risk once losses and expenses are fully factored into your TCOR analysis.

Total cost of risk is easily benchmarked against industry peers. By measuring TCOR

against revenue you’re able to compare your program to similarly situated


companies. Benchmarking provides a great performance measuring stick relative to

how you’re doing against your peers.
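The computation and benchmarking steps above, worked through in code. This is an added illustration and is not part of the course notes: the five component categories are the ones listed under Components of Cost of Risk, while every monetary figure, the 5% profit margin and the revenue amount are constructed for the example. The comparison function shows the point made above that a premium reduction can raise TCOR once retained losses are counted.

```python
"""Total cost of risk (TCOR) worked example.

Added illustration, not part of the DIU 205 course notes. The component
categories follow the notes; all monetary figures are constructed.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class CostOfRisk:
    """Quantified TCOR components for one period, in currency units."""
    retained_losses: float        # active (planned) + passive (unplanned) retention
    insurance_costs: float        # premiums, levies and taxes on coverage
    department_costs: float       # salaries, benefits, RMIS, admin, overhead
    external_service_fees: float  # consultants, actuarial, legal, loss control, TPAs
    indirect_costs: float         # management time, goodwill, overtime, penalties

    def total(self) -> float:
        """TCOR is the plain sum of the quantified components."""
        return sum(getattr(self, f.name) for f in fields(self))


def revenue_to_pay_for_loss(loss_cost: float, profit_margin: float) -> float:
    """Sales needed to pay for a loss: loss cost divided by profit margin.

    profit_margin is a fraction (0.05 for a 5% margin). A margin of zero or
    less means no volume of sales recovers the loss, so that case is rejected
    rather than dividing by zero or returning a negative figure.
    """
    if profit_margin <= 0:
        raise ValueError("profit margin must be positive to recover a loss from sales")
    return loss_cost / profit_margin


def tcor_to_revenue_ratio(tcor: float, revenue: float) -> float:
    """TCOR as a fraction of revenue: the benchmarking figure used against peers."""
    if revenue <= 0:
        raise ValueError("revenue must be positive")
    return tcor / revenue


def compare_programmes(current: CostOfRisk, proposed: CostOfRisk) -> dict:
    """Compare two insurance programmes on total cost rather than premium alone.

    Returns the premium saving, the change in all other components, and the
    net change in TCOR (positive means the proposed programme costs more).
    """
    premium_saving = current.insurance_costs - proposed.insurance_costs
    net_change = proposed.total() - current.total()
    return {
        "premium_saving": premium_saving,
        "other_change": net_change + premium_saving,
        "net_tcor_change": net_change,
    }


# Constructed figures (illustrative only).
CURRENT = CostOfRisk(250_000, 600_000, 180_000, 70_000, 100_000)   # total 1,200,000
# Higher deductibles: premiums fall by 150,000 but retained losses rise by 220,000.
PROPOSED = CostOfRisk(470_000, 450_000, 180_000, 70_000, 100_000)  # total 1,270,000
ANNUAL_REVENUE = 40_000_000.0

if __name__ == "__main__":
    print(f"Current TCOR: {CURRENT.total():,.0f}")
    print(f"TCOR / revenue: {tcor_to_revenue_ratio(CURRENT.total(), ANNUAL_REVENUE):.2%}")
    print("Sales needed to pay a 50,000 loss at a 5% margin: "
          f"{revenue_to_pay_for_loss(50_000, 0.05):,.0f}")
    print(compare_programmes(CURRENT, PROPOSED))
```

In the constructed figures the proposed programme saves 150,000 in premium but adds 220,000 of retained losses, so TCOR rises by 70,000; a premium-only comparison would have called it a saving.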

TCOR is like a balloon. When you squeeze one bucket of cost, such as premiums or broker fees, other areas may start to look outsized, such as losses. Working on one area of TCOR exposes weaknesses in other areas of your risk management program. This will help you identify problem areas that need additional attention in the coming year.

Study Questions

1. Differentiate between risk and reward in a business context.

2. Differentiate between risk tolerance and risk capacity.

3. Explain the three purposes of a risk classification system.

4. What factors will affect the risk appetite of an organization?

5. Explain with an example the components of total cost of risk.


CHAPTER 3. SCOPE AND OBJECTIVES OF RISK MANAGEMENT

Introduction

Risk Management is a process that defines loss exposure faced by an organization and

selects the most appropriate techniques for treating such exposures. This chapter looks

at the fundamentals of risk management and steps in the risk management process. This

chapter also looks at contributions and benefits of risk management.

Learning Outcomes

After completing this chapter, you should be able to:

Describe risk management

Understand risk management definitions and basic components

Explain risk management contributions and benefits to business.

Unit structure.

Risk management approach

Risk management definitions and basic concepts

Risk management contributions and benefits

Study Guide.

You are expected to be familiar with the various definitions of risk and the risk concepts

for proper understanding of this chapter.

4.1 RISK MANAGEMENT DEFINITIONS AND BASIC COMPONENTS.


DEFINITIONS

The simplest definition of Risk Management can be: ‘the identification, evaluation,

control and prevention and transfer of a risk.’

Definition

Other commonly quoted definitions include:

a) The protection of assets, earnings, liabilities and people of an enterprise with

maximum efficiency and at minimum cost.

b) The identification and evaluation of the threats to the expectations of an organization and the development of means whereby the expectations will be fulfilled in the most efficient manner by removing or reducing those threats.

c) The identification, measurement and economic control of risks that threaten the

assets and earnings of a business or other enterprise.

d) Risk management is the identification, assessment and prioritization of risks

followed by coordinated and economical application of resources to minimize,

monitor, and control the probability and / or impact of unfortunate events or to

maximize the realization of opportunities.

e) Risk management is the process of measuring, or assessing, risk and developing

strategies to manage it. Strategies include avoiding the risk, reducing the negative

effect of the risk, transferring the risk to another party and accepting some or all

of its consequences.

f) Traditional risk management focuses on risk emanating from physical or legal

causes (e.g. natural disasters, or fires, accidents, death and lawsuits.)

g) Financial risk management, on the other hand, focuses on risks that can be

managed using traded financial instruments.

DEFINITION


For non-profit organizations, the definition can be read: ‘the identification, measurement and economic control of risks that threaten the continued provision of essential goods and services.’

2. Basic components of a risk management process

Which form of definition is appropriate will depend on the situation being examined. However, the basic components of the risk management process remain the same, viz.:

a) Identification: the recognition/anticipation of risks that threaten the assets and

earnings of business enterprises.

b) Evaluation/ measurement/ assessment: estimating the likely probability of risk

occurrence and its likely severity. It should include analysis which involves

understanding the relevance of the risks to the operations of an organization and

measuring the impact and comparing the exposures.

c) Prevention and control: measures to avoid occurrence of risk, limit its severity and

reduce its consequences

d) Financing: determining what the cost of risk is likely to be or might be and ensuring

that adequate financial resources are available

The words ‘economic control’ will always be seen in the Risk management definitions.

What is meant by these words? They mean:

Definition:

‘Adopting measures for economic control that either:

a) Produce a measurable reduction in the cost of risk and/or

b) Reduce noticeably the possibility of catastrophe loss and/or

c) Help to ensure the company’s survival whilst minimizing the overall cost of risk control.’


4.2 RISK MANAGEMENT APPROACH

Until a few years ago, risk management to many of us equated roughly with insurance: if a risk was insured, that was effective risk management. The growing awareness and importance of risk management has brought about a subtle change in the status of insurers and insured alike.

The major factors contributing to this change are the growing complexity of industrial and commercial risks and the vast amount of money at stake in terms of assets, people and potential liabilities.

Risk Management in terms of skills, knowledge and opportunity offers a wider appeal

than simply insurance which is just one link in the risk management process chain.

Before deliberating on Risk Management, it may be worthwhile to note that:

1. It means the application of the following general management concepts to a specialized area:

a) To manage is to forecast and plan, to organize, to command, to coordinate and to control,

b) To foresee and plan means examining the future and drawing up the plan of action,

c) To organize means building up the dual structure of the undertaking, both material and human,

d) To find good, dependable alternatives, compare the results of these alternatives, and choose among them.

2. Risk management requires preparing plans, organizing materials and individuals,

maintaining activity for the selected objectives, binding together and unifying all

activities and efforts and controlling the activity to ensure that everything occurs

in conformity with established rules.


3. Risk is created by:

a) Activities (technical, scientific, commercial, constructional, manufacturing,

financial, professional, security, charitable, or political)

b) Relationship to people or property

c) Laws and regulations

d) Environmental, physical, social, political

This suggests that what needs to be done with risks is analysis, treatment and financing.

Diagram 1: Steps involved in risk management process

The process of risk management generates both benefits and costs for a particular

organization, for given community and for the entire economy.

For an organization such benefits include reduced costs of risks, lowered adverse

effects from exposure to losses, reduced waste of resources and improved

allocation of productive capabilities.

RISK ANALYSIS: Identification; Evaluation

RISK TREATMENT: Elimination; Reduction; Limitation; Transfer

RISK FINANCING: Deductible; Self-insurance


4. Managing risks within a company implies a threefold approach:

a) A formal system of risk threat:

i) Identification/anticipation,

ii) Measurement/evaluation/assessment,

iii) Control,

iv) Recording information and decisions,

v) Monitoring results.

b) Adopting measures for economic control that either:

a. Produce a measurable reduction in overall cost of risk,

b. Noticeably reduce the possibility of both everyday working risks and catastrophe loss, and/or

c. Help to ensure the company’s survival whilst minimizing the cost of risk control.

c) Establishing management responsibilities for risk.

The potential for applying risk management is very wide. Apart from the

insurable risk area it includes:

I. Commercial risks: evaluating the trade-off between risk and return,

II. Political risks: recognizing threats in the environment and keeping the company in balance,

III. Social risks: dealing with risk problems in a social context,

IV. Project risks: ensuring on-time, on-budget performance,

V. IT risks: the special vulnerabilities in IT operations,

VI. Military risks,

VII. Personal risks: handling various threats to the individual.

Application of each area will require analysis of the physical situation and

consideration of both the motivation and attitudes of the parties involved.

One of the biggest issues in practical risk management is its dependence on organizational competence and objectives. This means that it is difficult to solve risk problems in a badly managed company and that any risk management activity may create considerable conflict.

4.3 RISK MANAGEMENT CONTRIBUTIONS AND BENEFITS TO BUSINESS

1. Possible contributions of risk management to a business

These can be broadly summarized as under:

a) Risk Management can make the difference between survival and failure

b) Profits can be improved by reducing expenses as well as increasing income.

c) Risk management can contribute directly to business profits in at least six

ways:

I. If a business has successfully managed its pure risks, the peace of mind and confidence gained permit it to investigate and assume attractive speculative risks that it might otherwise seek to avoid.

II. By alerting management to the pure risk aspects of speculative ventures, risk management improves the quality of the decisions regarding such ventures.

III. Once a decision is made to assume a speculative venture, proper handling

of the pure risk aspects permits the business to handle the speculative risk

more wisely and more efficiently.


IV. Risk management can reduce the fluctuations in annual profits and cash

flows.

V. Through advance preparation, risk management can, in many cases, make it possible to continue operations following a loss, thus retaining customers or suppliers who might otherwise turn to competitors.

VI. Creditors, customers and suppliers, all of whom contribute to a company’s profit, prefer to do business with a firm that has sound protection against pure risks. Employees also prefer to work for such firms.

Peace of mind made possible by sound management of pure risks may itself

be a valuable non-economic asset because it improves the physical and

mental health of the management and owners.

The risk management plan may also help others, such as employees, who would be affected by a loss to the firm. Risk management can also help satisfy the firm’s sense of social responsibility or desire for a good image.

2. Benefits of risk Management to a business

An effective risk management practice does not eliminate risks. Risk

management provides a clear and structured approach to identifying risks and

minimizing their negative impact on different aspects of a business activity. Risk

management has other benefits for an organization, including:

a) Saving resources: time, assets, income, property and people are all

valuable resources that can be saved if fewer claims occur.

b) Protecting the reputation and public image of the organization.

c) Preventing or reducing legal liability and increasing the stability of

operations.

d) Protecting physical, human and intellectual assets from bodily injury and

damage.


e) Protecting the environment.

f) Enhancing the ability to prepare for various circumstances.

g) Reducing liabilities.

h) Assisting in clearly defining insurance needs.

The various benefits of risk management can be broadly summarized in the

following diagram

Diagram 2: potential benefits of risk management

Risk Management Potential Benefits (centre of diagram), surrounded by: Quick grasp of new opportunities; Support strategic and business planning; Enhance communication between departments and faculties; Reassurance of stakeholders; Support effective use of resources; Fewer shocks and unwelcome surprises.


Example

Joel, age 38, is the general manager of five fast food restaurants in Kampala,

Kabalagala. Employee turnover is high, several employees have been fired for

stealing money, and several restaurants have been robbed and burglarized

repeatedly during the past three years. The company has also been fined by the

government for employing undocumented workers. The company’s accountant

recommends that the firm establish a risk management program to deal with

these problems. Risk management is a process that identifies the loss

exposures faced by a firm and uses a number of methods, including insurance,

to treat the exposures. After implementing the program, the restaurant

experienced dramatic results. Employee thefts declined sharply, robberies and

burglaries at the problem restaurant were reduced, employee turnover

declined, and the restaurant’s profit margin showed significant improvement.

The above example shows how a business firm benefited from its risk

management program. Other organizations have also recognized the merits of

a formal risk management program. Today, risk management is widely used by corporations, small employers, non-profit organizations, and state and local governments. Students can also benefit from a personal risk management program.

(Diagram 2, continued: Promotes continual improvement; Helps focus internal audit programme)

In this chapter, the first of two dealing with risk management, we discuss the fundamentals of traditional risk management. The following chapter

discusses the newer forms of risk management that are rapidly emerging,

including enterprise risk management and financial risk management. In this

chapter, we discuss the meaning of risk management, objectives of risk

management, steps in the risk management process, and the various

techniques for treating loss exposures. The chapter concludes with a discussion

of personal risk management.

CASE APPLICATION

Pioneer City Bus Corporation provides school bus transportation to private and

public schools in town.

City Bus owns 50 buses that are garaged in three different cities within the county. The firm faces competition from two larger bus companies that operate

in the same area. Public school boards and private schools generally award

contracts to the lowest bidder, but the level of service and overall performance

are also considered.

a) Briefly describe the steps in the risk management process that should be followed by the risk manager of City Bus.

b) Identify the major loss exposures faced by City Bus.

c) For each of the loss exposures identified in (b), identify a risk management technique that could be used to handle the exposure.

d) Describe several sources of funds for paying losses if retention is used in the

risk management program.


e) Identify other departments in City Bus that would also be involved in the

risk management program.

Study Questions

1. What is the meaning of risk management?

2. Describe the steps in the risk management process

3. Explain the following risk-control techniques

a). Avoidance

b). Loss Prevention

c). Loss Reduction

4. What is a formal system of risk threat?

5. Explain five benefits of risk management to a business.


CHAPTER 4: STRATEGIC RISK AND RISK MANAGEMENT STRATEGIES

Introduction

Once risk factors have been identified, organizations need to go through the process of

implementing various risk responses. Risk management requires that, at various stages of the product and service, risk strategies are adopted and implemented to enable organizations to meet their goals and objectives.

In this chapter we shall take a deep dive into strategic risk and implementation of risk

strategies.


Learning objectives

1. To develop an understanding of risk management strategy

2. To develop an understanding of the strategic risk management

3. To develop an understanding of use of risk map

4. Explain the role of risk manager

5. To develop an understanding and application of risk profiling

RISK MANAGEMENT STRATEGY

As noted by the Committee of Sponsoring Organizations of the Treadway Commission

(COSO), “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world.” However, especially for

nonfinancial companies that may be relatively new to these topics, enhancing risk

management can be a somewhat daunting task.

This topic focuses on two key aspects of the relationship between risk and strategy: (1)

understanding the organization’s strategic risks and the related risk management

processes, and (2) understanding how risk is considered and embedded in the

organization’s strategy setting and performance measurement processes. These two

areas not only deserve the attention of boards, but also fit closely with one of the primary

responsibilities of the board risk oversight.

The Advent of Strategic Risk Management

Enterprise risk management (“ERM”) and risk management in general can encompass a wide range of risks that face any organization. Some risks may reflect exposures that, although harmful, will not threaten the overall health of an organization or its ability to ultimately meet its business objectives. For example, a temporary data center outage can result in a short-term problem or customer dissatisfaction, but once recovered, the organization can quickly be back on track. Other, more significant risk events can be catastrophic, resulting in losses that not only impair an organization’s ability to meet its objectives, but may also threaten the organization’s survival. The recent credit crisis is an example of this type of risk. These more significant risk exposures have given rise to a focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” can then be defined as “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of executive management and the board of directors.

Standard & Poor’s included the following attributes for strategic risk management in its 2008 announcement that it would apply enterprise risk analysis to corporate ratings:

1. Management’s view of the most consequential risks the firm faces.
2. Their likelihood and potential effect.
3. The frequency and nature of updating the identification of these top risks.
4. The influence of risk sensitivity on liability management and financial decisions.
5. The role of risk management in strategic decision making.

Clearly the potential impact of strategic risks is significant enough to deserve the attention of the board and its directors.

Strategic Risk Management and the Role of the Board

At the board level, strategic risk management is a necessary core competency. In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is “Are we addressing the risks that could send our company over the cliff?” According to Charan, boards need to focus on the risk that is inherent in the strategy and strategy execution:

Risk is an integral part of every company’s strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore ‘what ifs’ with management in order to stress-test against external conditions such as recession or currency exchange movements.

Regarding risk culture, Charan provides the following insight: “Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them.” We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.

Understanding an Organization’s Strategic Risks and Related Risk Management Processes

A necessary first step for boards to understand their strategic risks, and how management is managing and monitoring those risks, is a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise. It is anchored in and driven directly by the organization’s core strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.”

Conducting an initial assessment can be a valuable activity and should involve both senior management and the board of directors. Management should take the lead in conducting the assessment, but the assessment process should include input from the board members and, as it is completed, a thorough review and discussion between management and the board. These dialogues and discussions may be the most beneficial activities of the assessment and afford an opportunity for management and the directors to come to a consensus view of the risks facing the company, as well as any related risk management activities.

The strategic risk assessment process is designed to be tailored to an organization’s specific needs and culture. To be most useful, a risk management process and the resultant reporting must reflect and support an enterprise’s culture so the process can be embedded in and owned by management. Ultimately, if the strategic risk assessment process is not embedded and owned by management as an integral part of the business processes, the risk management process will rapidly lose its impact and will not add to or deliver on its expected role.

The Strategic Risk Assessment Process

There are seven basic steps for conducting a strategic risk assessment:

1. Achieve a deep understanding of the strategy of the organization

The initial step in the assessment process is to gain a deep understanding of the key business strategies and objectives of the organization. Some organizations have well-developed strategic plans and objectives, while others may be much more informal in their articulation and documentation of strategy. In either case, the assessment must develop an overview of the organization’s key strategies and business objectives. This step is critical, because without these key data to focus around, an assessment could result in a long laundry list of potential risks with no way to really prioritize them. This step also establishes a foundation for integrating risk management with the business strategy. In conducting this step, a strategy framework could be useful to provide structure to the activity.

2. Gather views and data on strategic risks

The next step is to gather information and views on the organization’s strategic risks. This can be accomplished through interviews of key executives and directors, surveys, and the analysis of information (e.g., financial reports and investor presentations). This data gathering should also include both internal and external auditors and other personnel who would have views on risks, such as compliance or safety personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them back to core strategies. This is also an opportunity to ask what these key individuals view as potential emerging risks that should also be considered.

3. Prepare a preliminary strategic risk profile

Combine and analyze the data gathered in the first two steps to develop an initial profile of the organization’s strategic risks. The level of detail and type of presentation should be tailored to the culture of the organization. For some organizations, simple lists are adequate, while others may want more detail as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks and their potential severity or ranking. Color-coded reports or “heat maps” may be useful to ensure clarity of communication of this critical information.

4. Validate and finalize the strategic risk profile

The initial strategic risk profile must be validated, refined, and finalized. Depending on how the data gathering was accomplished, this step could involve validation with all or a portion of the key executives and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the final risk profile.

5. Develop a strategic risk management action plan

This step should be undertaken in tandem with Step 4. While significant effort can go into an initial risk assessment and strategic risk profile, the real product of this effort should be an action plan to enhance risk monitoring or management actions related to the strategic risks identified. The ultimate value of this process is helping and enhancing the organization’s ability to manage and monitor its top risks.

6. Communicate the strategic risk profile and strategic risk management action plan

Building or enhancing the organization’s risk culture is a communications effort with two primary focuses. The first focus is the communication of the organization’s top risks and the strategic risk management action plan, to help build an understanding of the risks and how they are being managed. This helps focus personnel on what those key risks are and potentially how significant they might be. The second focus is the communication of management’s expectations regarding risk, to help reinforce the message that the understanding and management of risk is a core competency and an expected role of people across the organization. The risk culture is an integral part of the overall corporate culture. The assessment of the corporate culture and risk culture is an initial step in building and nurturing a high-performance, high-integrity corporate culture.

7. Implement the strategic risk management action plan

As noted above, the real value resulting from the risk assessment process comes from the implementation of an action plan for managing and monitoring risk.

These steps define a basic, high-level process and allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the organization. As shown by Figure 1, strategic risk assessment is an ongoing process, not just a one-time event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process that should be ongoing and continual within the organization.

Integrating Strategic Risk Management in Strategy Setting and Performance Measurement Processes

The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes for setting and measuring its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this is performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to the annual business planning process in which the business discusses the risks it sees in achieving its business plan and how it will monitor those risks.

For organizations with more developed performance measurement processes, the Kaplan-Norton Strategy Execution Model described in The Execution Premium may be useful.

This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.

Stage 1: Develop the strategy

This stage includes developing the mission, values, and vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included, using the Return Driven Strategy framework to articulate and clarify the strategy and the Strategic Risk Management framework to identify the organization’s strategic risks.

Stage 2: Translate the strategy

This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here, the strategic risk management framework would be used to develop risk-based objectives and performance measures for balanced scorecards and strategy maps, and for analyzing risks related to strategic expenditures. At this stage, boards may also want to consider developing a risk scorecard that includes key metrics.

Stage 3: Align the organization

This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and the Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organization.

Stage 4: Plan operations

This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards. Organizations should ideally develop a “resources follow risk” philosophy to make certain that resources are appropriately and efficiently allocated. This philosophy focuses on ensuring that resources used in risk management are justified economically, based on the relative amount of risk and cost-benefit analysis.

Stage 5: Monitor and learn

This stage includes strategy and operational reviews. “Strategic risk reviews” would be part of the ongoing strategic risk assessment, which reinforces the necessary continual, closed-loop approach for effective strategic risk assessment and strategy execution.

Stage 6: Test and adapt

This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy execution processes in an organization toward improving risk management and governance.

For more information about integrating risk management in the strategy execution model and a discussion of risk scorecards, see “Risk Management and Strategy Execution Systems.”

Final Thoughts: Moving Forward with Strategic Risk Management

Management teams and boards must challenge themselves and their organizations to move up the strategic risk management learning curve. Developing strategic risk management processes and capabilities can provide a strong foundation for improving risk management and governance. Boards may want to consider engaging independent advisors to advise and educate themselves on these matters. For organizations that are early in this process, the seven keys to success for improving ERM described in a 2011 COSO Thought Leadership Paper may be useful, and are applicable in strategic risk management:

1. Support from the top is a necessity
2. Build ERM using incremental steps
3. Focus initially on a small number of top risks
4. Leverage existing resources
5. Build on existing risk management activities
6. Embed ERM into the business fabric of the organization
7. Provide ongoing ERM updates and continuing education for directors and senior management [13]

However the board decides to proceed, its leadership, direction, and overall oversight will be critical to the success of a strategic risk management process.

RISK MANAGEMENT RESPONSES

Once risks have been identified, organizations need to choose a strategy for dealing with each risk. The organization will choose one or more of the following approaches for dealing with the risks it decides to manage:

a) Avoidance
   i) Totally eliminating an activity or exposure.
   ii) Issues arising with avoidance are:
      1) It may be difficult to sell to management, as it conflicts with the organization’s goals and affects profits.
      2) The activity may be a core process that defines the organization’s values.
      3) The risk manager may lack the appropriate decision-making authority.

b) Prevent
   i) Reduce the frequency of the types of claims that cannot be eliminated.
   ii) Actions taken to break the sequence of events make the loss event less likely.
   iii) Prevention allows an entity to engage in activities that would otherwise be avoided.

c) Reduce
   i) Reduce the severity of the financial impact of a loss that is not prevented.
   ii) Pre-loss actions, such as installing fire prevention equipment.
   iii) Post-loss actions, such as claims administration.

d) Duplicate/segregate/separate
   i) The goal is to reduce overall severity.
   ii) Segregation: isolation of an exposure from other exposures, perils and hazards, for example specialized access and fire suppression equipment in a computer room.
   iii) Separation: the spread of various exposures over various locations, such as a standby generator in a different location.
   iv) Duplication: the use of backups for critical processes that are not exposed to the same loss.

e) Transfer
   i) The purpose is to transfer part or all of the risk to another party.
   ii) Physical transfer shifts part of an operation to another, outside party.
   iii) Contractual transfer shifts responsibility or liabilities to another, outside party.

CONSIDERATIONS WHEN FORMULATING AND IMPLEMENTING RISK STRATEGIES

When tasked with supporting a specific risk management objective, a risk manager can adopt a number of approaches and considerations. Below are a few considerations to take into account:

• It is usually difficult to demonstrate risk management value through traditional investment metrics (return on investment, return on equity, return on assets, or risk-adjusted return on capital), yet many companies still make the business case. Concepts such as shareholder value, risk mitigation, process consolidation and silo elimination can drive the point home.

• What value is the organization trying to create, as well as protect? Is it simply increased share price? Or is it reducing volatility to enable a more efficient use of capital? Or perhaps, for non-profits, is it delivering more services to a broader constituency? Whether value is expressed as market share, profit, service provision, donor levels, social impact or some other benefit, how do the risk management competencies advance the organization’s mission and related objectives? In other words, what business need will be met through a structured risk management approach?

• Many organizations already have controls in place for widely understood risks, such as business disruption, environmental liability or worker injuries. It is likely that the individuals responsible for these controls also conduct risk assessments. While this is not risk management, it is a start. Understanding what your organization is already doing allows you to leverage existing practices within a broader RM environment. Additionally, having a common, collective understanding concerning which risks should be accepted, avoided, transferred (or shared), mitigated or exploited can reduce organizational dissonance about what is acceptable relative to the organization’s stated objectives.

• Many parts of the organization have a legitimate stake in the discussion, and they can become either powerful allies or forceful detractors. The “power of one” comes into play in recruiting those who can make a positive difference in your implementation.

• Go for the quick wins. Don’t try to cover every possible risk. Start with those that matter most for the success of your organization’s strategic objectives. By identifying and analyzing the risks that may have a material impact on the ability to execute strategy, the odds of creating value quickly are much higher. If you prioritize by risk criteria—severity, importance or speed to onset—action plans can be executed immediately and revisited to validate the chosen responses.

• Understanding which risk criteria are important to leadership creates an opportunity for frank discussions about just how much risk the organization wishes to pursue, both for specific objectives and in the aggregate. These leadership discussions tend to reveal where the organization may be culturally when it comes to risk-taking or risk aversion. Overall, this exercise can go a long way towards establishing a barometer of the organization’s risk appetite.

• Delegate “fixes” to risk owners. Who will do something about the risks? The obvious answer is whoever is accountable for managing the business functions most closely associated with those material risks. For example, a chief information officer may be accountable for managing risks associated with potential data breaches. Not all risks can be neatly compartmentalized, however. Risks such as unauthorized social media releases may not find a “natural” owner, but a specific individual still needs to be named. There should always be one identified owner held accountable for the risk management plan decisions and execution. This person will likely need to rely on others to make the plan work and manage interconnected risks, but naming an individual risk “owner” will help move the chosen response plan to action.

• Report on progress. The risk owners should be reporting in their normal business updates on key issues, such as the material risk outcome target, specific activities that have taken place since the last report, challenges in executing the risk plan, and a trend assessment of the risk profile against the targeted outcome. Periodic reports to senior management on RM program progression might include progress related to milestones for specific RM objectives.

PRE AND POST LOSS ORGANIZATION OBJECTIVES

An organization needs to continually plan how to manage risk factors before, and even after, they materialize into an incident or claim.

The pre-loss goals include:

1. Economy of operations – ensuring that all processes and procedures are documented and that the risks facing any operation have been identified and treated.
2. Legality of operations – ensuring that all operations are within the legal and regulatory framework.
3. People focus – focus on people as critical factors for the running of the organization.

The key risk management goal is to obtain full management support and commitment to the crisis management program.

The post-loss goals include:

1. To restore and/or maintain operations.
2. To sustain profits and earnings.
3. The organization needs to work towards growth.
4. The organization needs to maintain a good public image.

The risk management goal is to effectively and economically minimize the operational and financial impact of a crisis.

ROLE OF RISK MANAGER

Risk managers advise organizations on any potential risks to the profitability or existence of the company. They identify and assess threats, and put plans in place to avoid, reduce or transfer risks.

Risk managers are responsible for managing the risk to the organization, its employees, customers, reputation, assets and the interests of stakeholders.

They may work in a variety of sectors and may specialize in a number of areas, including:

• Enterprise risk
• Corporate governance
• Regulatory and operational risk
• Business continuity
• Information and security risk
• Technology risk
• Market and credit risk

Responsibilities of the Risk Manager

The key responsibilities of the risk manager include:

1. Planning, designing and implementing an overall risk management process for the organization.
2. Risk assessment, which involves analyzing risks as well as identifying, describing and estimating the risks affecting the business.
3. Risk evaluation, which involves comparing estimated risks with criteria established by the organization, such as costs, legal requirements and environmental factors, and evaluating the organization’s previous handling of risks.
4. Establishing and quantifying the organization’s 'risk appetite', i.e. the level of risk it is prepared to accept.
5. Risk reporting in an appropriate way for different audiences: for example, to the board of directors so they understand the most significant risks, to business heads to ensure they are aware of risks relevant to their parts of the business, and to individuals so they understand their accountability for individual risks.
6. Corporate governance, involving external risk reporting to stakeholders.
7. Carrying out processes such as purchasing insurance, implementing health and safety measures and making business continuity plans to limit risks.
8. Conducting audits of policy and compliance with standards, including liaison with internal and external auditors.
9. Providing support, education and training to staff to build risk awareness within the organization.

What skills should a risk manager possess?

1. Analytical skills.
2. Strong interpersonal skills.
3. Strong communication skills.
4. Negotiation skills.
5. A forward-looking outlook. This requires balancing insight from internal and external providers, and using benchmarks to signpost opportunities and potential near-term threats.

THE CHANGING ROLE OF THE RISK MANAGER

1. Digital – a great change driver

Technological change is a powerful factor behind the changing role of the risk manager. Related hazards include the growing menace of cybercrime and the potential repercussions of security breaches and customer data loss. But today’s corporate risk managers are also increasingly being consulted about technology in a wider sense, with respect to the risks of innovation and digital disruption, as well as the business opportunities that well-managed technology can create.

2. Data – the great differentiator

Mastering data is critical for the future of the risk management profession. Risk managers overwhelmingly believe that the use of data will transform the function. It is starting to do so now, as many risk professionals use analytics to inform such practices as horizon scanning and scenario planning. Challenges abound, however, particularly in obtaining accurate risk information and data.

3. Innovators and futurists

In the past, risk management and innovation have to some extent been perceived as being mutually exclusive. Risk managers know this perception is changing, agreeing that “good risk managers must also be innovators” – in the practice of risk management itself and in their support of other business functions. Risk managers must also be forward-looking.

4. Expanding the range of expertise is imperative

Gaining acceptance as a business partner requires the development of skills beyond the traditional risk management remit. Knowledge of digital technology and data is one, but so is the ability to communicate effectively with the board, CEO and CFO as well as with line managers.

5. Professionalization

This is key to cementing hard-earned influence. Professional standards for risk management are advancing, but practitioners believe certification is necessary for the future of their profession. One outcome will be better training and more learning materials for addressing the newer themes that risk.

Formerly associated with rules and control, risk managers are increasingly and encouragingly regarded as key business partners with the ability to influence strategic decisions across the organization. And if they aren’t considered as such today, then they will need to be in the future.

This transition has major consequences for the future of the role:

• Risk managers are being called upon to support strategic growth;
• They are engaging in more frequent dialogue at board level;
• They are facing a growing number of complex, interrelated risks, many of which are exacerbated by globalization;
• They are adopting a more forward-looking approach than in the past;
• This calls for greater diversity among practitioners.

RISK PROFILING

A Risk Profile describes an organization’s key risks, which include both threats and opportunities. Risk is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives.

Use of Risk Profiles

1. A Risk Profile enhances senior management’s analysis and decision making related to priority setting and resource allocation.
2. A Risk Profile also provides staff, external partners, and advisors with a clear 'snapshot' of the organization’s key risks and, when implemented, can help identify areas of efficiency and potential opportunity.
3. A Risk Profile supports strategic priority setting and resource allocation, informed decisions with respect to risk tolerance, and improved results.
4. A Risk Profile is important in building the corporate view of risks, information and knowledge at both the corporate and operational levels, and helps organizations understand the range of risks they face, their likelihood and their potential impacts.
5. In addition, a Risk Profile identifies and assesses the organization’s existing risk management capacity and capability. Obtaining an understanding of the organization’s risk management capacity and capability will inform the Risk Profile development process and enrich the contextual analysis.

As is the case with other risks identified on an ongoing basis, once key risks are documented, the key focus is to integrate risk information into existing departmental governance structures and planning and reporting cycles in a way that is simple and that communicates key risks effectively.

How an organization presents its corporate risks differs from organization to organization; however, all Risk Profiles include fundamental qualities that make them a valuable management tool:

• A Risk Profile identifies risks that affect the achievement of objectives. Risks, including threats and opportunities, must be forward looking and relate to future uncertainty. A risk is not a business condition or a current issue or problem. Sometimes, recurring issues may be interpreted as risks. In this instance, organizations should identify the risks associated with managing those recurring issues, rather than describing the issues themselves.

• A Risk Profile must reflect the organization’s particular circumstances and objectives. It should reflect the current business conditions of the organization as well as the size of the organization and the complexity of its mandate.

• A Risk Profile should be presented in a balanced way, with enough detail to provide context and a clear description of risks, including how these risks are being managed within the organization. There should not be so much detail that it overwhelms the reader or is not easily used to support effective decision-making.

Depending on the organization’s preference, this information may be outlined in this section of the Corporate Risk Profile or separately. The sections are:

• Key Risks; and
• Key Risk Matrix.

Key Risks

This section identifies the key risks to which the organization is exposed and provides a description of each risk. It also provides an overview of the risks to which senior management should direct most of their attention, and gives staff, external partners and advisors a clear 'snapshot' of the organization’s key risks. Top risks should be listed according to their residual risk exposure, that is, the exposure that remains after existing controls are taken into account. Risks should be labelled or named and accompanied by a risk description.

Key Risk Matrix

The Risk Matrix is a tool that illustrates the ranking of risks based on an assessment of their likelihood and impact. The size of the matrix will depend on the organization’s preference: some organizations use a 3x3 matrix while others use a 5x5 matrix. Organizations are encouraged to select a matrix size according to their needs and to translate between matrices if required.

Given that the matrix demonstrates visually how each risk is ranked in accordance with likelihood and impact criteria, and where risks stand in relation to other risks, it is considered essential.

Example Key Risks table:

    | Risk Category      | Risk Description
----|--------------------|-------------------------------------------------------------------------------
 1  | Legal              | There is a risk that insufficient legal and drafting support will be available to the program.
 2  | HR Capacity        | There is a risk that there will be insufficient HR capacity for research.
 3  | Program Delivery   | There is a risk that research quality will diminish.
 4  | Project Design     | There is a risk that project design will not meet stakeholder and industry requirements.
 5  | Business Processes | There is a risk that contractual instruments will be used inappropriately.

STRATEGY MAP

An organization must clearly map mission, vision, and strategy in order to determine what it wants to accomplish. A strategy map is a one-page illustration that shows what the organization hopes to accomplish in terms of customer, financial, and societal goals, and how it will achieve the desired results using processes and resources. A strategy map should include the following perspectives:

1. Financial – defines how much and what type of value the organization must create to satisfy shareholders and stakeholders

2. Customer – describes the value proposition the firm promises to deliver to its customers and why customers should buy from the organization rather than from rival competitors
3. Process – describes how the organization will efficiently and effectively deliver the value promised to customers
4. Learning and Growth – clearly describes the resources that enable the organization’s employees to efficiently and effectively perform internal processes.

Identify Risks using the Strategy Map

Since the strategy map describes initiatives the firm must successfully complete in order to achieve the best possible outcome for shareholders and stakeholders, it can be used to identify potential risks. Categories of risks that should be assessed include:

- Customer perspective – external events that may decrease the attractiveness of the organization’s value for current and potential customers
- Process perspective – events that may prevent the organization from creating the value promised to consumers
- Learning and growth perspective – events that impair intangible human, organizational, and informational resources that the organization relies on to successfully complete internal processes

Assess Risks

Risks should be ranked based on financial impact and likelihood of occurrence. This assessment will place risk events in one of four risk response categories:

1. Mitigate risk – activities with a high likelihood of occurring but a small financial impact. The best response is to use management control systems to reduce the risk of potential loss.
2. Avoid risk – activities with a high likelihood of loss and a large financial impact. The best response is to avoid the activity.
3. Transfer risk – activities with a low probability of occurring but a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
4. Accept risk – if cost-benefit analysis determines that the cost to mitigate the risk is higher than the cost to bear it, then the best response is to accept and continually monitor the risk.

Design a Risk-based Management Control System

Organizations should employ a comprehensive framework to enhance the execution of strategies. Based on Simons’ (2000) “Levers of Control” framework, five controls should be engaged to manage risk:

- Diagnostic controls – communicate to employees what activities lead to strategy execution and report whether they were successfully completed
- Boundary controls – constrain employee activities by making it clear what actions are unacceptable
- Belief controls – outline what the organization stands for and inspire and motivate employees to make a difference
- Internal controls – ensure accurate record keeping, safeguard the organization’s assets, and enhance compliance with laws and regulations
- Use of levers to control and manage risk – ensures that the organization is properly mitigating, avoiding, transferring, and accepting risks

Management should regularly monitor the risks to ensure that the management control system is working, as well as the appropriateness of the organization’s strategy. Strategic execution capabilities will be improved by integrating strategy mapping with control, compliance, and risk management activities. A risk-based control system enhances management’s ability to properly manage risks, threats, and opportunities in order to achieve the organization’s strategic plan.

Risk Mitigation Strategies

General guidelines for applying risk mitigation handling options are shown in the figure below. These options are based on the assessed combination of the probability of occurrence and the severity of the consequence for an identified risk. These guidelines are appropriate for many, but not all, projects and programs.

Questions

1. Describe three pre- and post-loss goals in risk management
2. Explain three risk responses in the insurance sector
3. What are the responsibilities of a risk manager?
4. Develop a risk profile for a typical insurance company
5. Discuss the use of a risk profile

CHAPTER 5.0 IDENTIFYING AND ANALYZING LOSS EXPOSURES

Introduction

Risk identification is the most important step of risk management because exposures need to be identified before they can be effectively analyzed, controlled or financed. Risks must be identified for them to be managed or treated. The identification process will focus on the internal and external environment in which an organization carries out its business. In this chapter we discuss a number of risk identification techniques and how these can be applied to loss exposure analysis.

Learning objectives

1. Develop an understanding and application of risk identification techniques
2. Develop an understanding of the risk analysis process.
3. Develop an understanding of the various risk analysis tools

TYPES OF RISK IDENTIFICATION TECHNIQUES

When carrying out the risk identification process, the organization may choose from the following analyses:

Source analysis

Risk sources may be internal or external to the system that is the target of risk management (use "mitigation" instead of "management", since by its own definition risk deals with factors of decision-making that cannot be managed). Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.

Problem analysis

Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.

Risks can be identified using the following methods:

a. Check list and survey

   Purpose: systematically using a check list to identify as many exposures and hazards as possible.

   Method: use of information gathering documents

   Strengths
   - Standardized
   - Used by non-risk management personnel with minimal required training
   - Information can be classified and tabulated
   - Provides a history

   Weaknesses
   - Cannot cover all areas or operations
   - Provides limited financial impact
   - Does not prioritize exposures
   - May not identify new exposures

   Types of check lists and surveys

   I. Preliminary survey list – gathers general information about the organization such as ownership, structure, personnel and activities.

   II. Asset checklist – identifies all physical and tangible assets
       Strengths:
       - Identifies all resources and capacities
       - Identifies often overlooked assets
       Weaknesses:
       - Seldom addresses liability exposures
       - Requires frequent updating
       - May use various valuation estimates

   III. Activity checklist – used for liability and human resources
       Strengths:
       - Provides a thought process for loss prevention
       - Evaluates equipment, personnel and operations functioning together
       - Identifies often overlooked activities
       Weaknesses:
       - Tends to be too detailed
       - Does not identify financial impact
       - Operations and activities may vary by locale

   IV. Perils list – identifies the original cause of loss – human, economic and natural perils
       Strengths:
       - Provides a list of possible loss causes
       - Uses insurance nomenclature
       - Identifies often overlooked perils
       Weaknesses:
       - New perils are not addressed
       - Upper management skepticism
       - Can be overlapping

   V. Industry check list – specific to a certain operation or industry
       Strengths:
       - Germane to specific exposures and perils
       - Allows comparison with peers
       - Utilized by others in the industry
       Weaknesses:
       - Focus may be too narrow or generic
       - May repeat the mistakes of others
       - Industry may be close-minded

   VI. Insurance company check list – used to identify how a particular company covers exposures and perils
       Strengths:
       - Connects insurance coverage with other check lists used to identify perils
       - Generally written in easy-to-read language
       - Readily available from the insurance company underwriter or marketing
       Weaknesses:
       - Biased towards the insurance company providing the checklist
       - Tends to suggest that other insurance companies do not or cannot provide the desired coverage, or not at the same level of quality
       - Often does not discuss exclusions and limitations in the same detail as coverage

b. Flow chart

   Purpose: to depict graphically and sequentially the activities of an operation or process in order to identify exposures, perils and hazards

   Method: product analysis, site analysis, decision analysis, dependency analysis and critical path analysis

   Strengths
   - Can illustrate interdependency within the organization
   - Can easily pinpoint bottlenecks or choke points
   - Can determine critical paths or critical points

   Weaknesses
   - Does not indicate frequency and severity
   - Does not show minor processes with major loss potential
   - Limited applicability to liability exposures
   - Too process oriented

c. Insurance policy review

   Purpose: used to identify exposures and perils

   Method: internal and outside expert review

   Strengths
   - Many perils are given a precise definition
   - States what is specifically covered
   - States what is specifically not covered

   Weaknesses
   - Policies are not standardized
   - Difficult to analyze before a loss
   - Case law may disregard what the policy says
   - Addresses only the exposures covered by the policy

d. Physical inspection

   Purpose: informational visits to the organization’s critical sites to identify exposures, perils and hazards

   Method
   1. Internal – safety department, operations personnel, risk management
   2. External – regulatory agencies, consultants, insurance carriers, community services

   Strengths
   - Personal on-site inspection
   - Visualization of processes and locations
   - May find unreported hazards or assets

   Weaknesses
   - Time consuming and often expensive
   - Situations always change
   - Subject to steering by the local personnel

e. Compliance review

   Purpose
   1. To determine compliance with regulations and laws – statutory: legal and state
   2. Professional: voluntary, involuntary, industry and government insurance programmes

   Method: key regulations or laws are identified and operations are reviewed to ascertain compliance.

   Strengths
   - Most are free of charge
   - Provide an outside opinion, whether you want it or not

   Weaknesses
   - Laws and regulations have their own problems
   - Little or no control over the compliance evaluation
   - May focus unwanted attention on the organization, exposing it to liability, fines etc.

f. Procedure and policies review

   Purpose: used to identify how an organization functions – organizational charter and by-laws, board minutes, procedure manuals, employee manuals, code of ethics, risk management policies

   Method: internal review, external review and legal review

   Strengths
   - Key to identifying exposures in the organization

   Weaknesses
   - Organizational politics may prevent effective treatment

g. Contract review

   Purpose: to identify contractual obligations and compliance with contractual requirements.

   Method: internal review, external review and legal review of contracts, leases, sales contracts, bills of lading, employment contracts, hold harmless and indemnification agreements, advertising materials, service contracts and insurance certificates

   Strengths
   - May identify “holes” in the risk management plan

   Weaknesses
   - Involvement of a second party may prevent control of exposures

h. Experts

   Purpose: the use of experts to identify exposures, perils and hazards

   Method: internal – staff/functional and operational; external – specialty and industry

   Strengths
   - Saves time
   - Provides a level of expertise to focus on exposures, perils and hazards

   Weaknesses
   - External experts can be expensive
   - May be difficult to find qualified experts

i. Financial statement analysis

   Purpose: to aid in exposure identification and valuation, financial capabilities and finance-based decision making

   Method
   - Evaluation of revenue
   - Evaluation of expenses
   - Review of financial statements
     - Outside auditor’s opinion statement
     - Notes to the financial statements
     - Balance sheet
     - Statement of income and expenses
     - Cash flow statement
   - Review of level of indebtedness and outstanding loans
   - Financial ratio analysis

   Strengths
   - Useful in forecasting the financial loss from a specific event
   - Demonstrates the financial impact of a loss on the other areas of the organization
   - Serves as the basis for the development of crisis contingency plans

   Weaknesses
   - Usually does not address business risk
   - Unable to predict losses from the loss of key suppliers or customers
   - Can lead to manipulation of financial records

j. Loss data assessment

   Purpose: to identify exposures and their valuations based on history

   Method
   - Insurance carrier or third party loss runs
   - Internal loss runs
   - Incident and accident reports
   - Indexing loss information against exposure information
   - Trend analysis in losses and exposures

   Strengths
   - Can be used for benchmarking
   - Can be used for forecasting losses

   Weaknesses
   - Since the data is historical, this method is reactive rather than proactive
   - History does not always repeat itself
   - Losses may not have occurred in the past
   - Data credibility may be an issue.

General rules applicable to risk identification methods

- Risk identification is the most important part of the risk management process because an unidentified exposure cannot be effectively managed and controlled
- Risk is present in every business activity
- Risk is not always self-evident
- Risks are subject to diagnosis and treatment
- A combination of risk identification techniques should be used to diagnose and identify risk
- Often one method will reveal the greatest number of risks.

QUALITATIVE AND QUANTITATIVE TECHNIQUES

Qualitative Analysis

Refers to the identification and evaluation of broad loss exposures that cannot be easily measured by traditional statistical and financial methods, to help management understand their impact on the organization’s ultimate risk and performance. Qualitative analysis is conducted using questionnaires, surveys and seminars with internal and external groups that are knowledgeable about the organization. It frequently addresses the following questions: Should we do this? What is the impact on the organization’s reputation or morale?

Quantitative analysis

Attempts to accurately measure risk using acceptable traditional methodologies that calculate relative numeric values. Quantitative analysis is conducted using analysis of costs, benefits, losses, financial statements and exposures. It frequently addresses the following questions: Can we do this? What is the financial impact?

Qualitative vs Quantitative Analysis

[Figure: Qualitative vs Quantitative Analysis. Labels shown: Exposure Analysis, Evaluation/Ranking, Risk Analysis, Decision; Qualitative analysis; Quantitative analysis; Statistical Analysis; Financial Analysis; Management Appetite]

Both quantitative and qualitative analysis are used when:

- Valid answers are needed to predict losses and the value of claims
- Costs and benefits are primary factors in the decision making process
- Non-monetary factors are part of the decision making process, e.g. reputation, morale and citizenship.

Measurement tools of qualitative risk exposures

Identification methods should be used to analyze those qualitative risks that have a potentially harmful exposure to the organization although they are not subject to financial measurement. Measurement scales depict relative values that are not easily quantified:

- Critical risks – assigned to a level that captures their critical nature to the organization: losses that could bankrupt the organization, stop operations or threaten survival
- Important risks – could result in losses that would require the organization to borrow from external sources.
- Less important risks – could result in losses with a low financial impact that would not harm the organization or could be paid from existing cash flows.
- Severity measurement scales – high, moderate and low severity
- Probability or frequency measurement scales – high, moderate and low probability.

There is no one absolute measurement scale; it varies from organization to organization and from industry to industry.

Areas of qualitative analysis

1. Management appetite for risk will depend on
   a) Company history
   b) Long term organizational objectives
   c) Stage in the life cycle
   d) Established company
   e) Financial stability
   f) Market maturity
   g) Competition and need to take risks
   h) Public image
   i) Management appetite to take on risk versus the financial ability
2. Innovation, product development and marketing
   a) Criticality to the organization
   b) Market position and market share
   c) Competition
   d) State of the art product development
   e) Business interruption exposure
   f) Technology
   g) Production capacity
   h) Degree of automation
   i) Hazardous nature of operations
3. Contractual obligations
   a) Enforceability of hold harmless and indemnification agreements under applicable jurisdictions
   b) Willingness and financial ability of the other party
   c) Financial capability and attitude of insurers providing additional insured status
4. Compliance and regulatory requirements
   a) Industry legislation
   b) Management awareness of government regulations
   c) Possible industry or voluntary regulation
   d) Penalties, fines and public image
   e) History of enforcement
5. Safety (internal and external)
   a) Union concerns about safety
   b) Ergonomic audits and existence of safety programs
   c) Level of management support for safety programs
   d) Ability to recruit and train
   e) Implications for employee productivity
   f) Disaster recovery
   g) Crisis management plan
   h) Security plan and possibility of terrorism
6. Social responsibility and citizenship
   a) Industry profile, high or low
   b) Management concern with reputational risks
   c) Effect of negative press and use of outside auditors
7. Internal policies
   a) Audit and oversight
   b) Internal, external and board involvement
   c) Employment issues: contract, leasing, seasonal and employment practices liability
   d) Product recalls, product guarantees and ethics policies and procedures

Measurement tools of quantitative risk exposures

Quantitative risk analysis assigns a projected value (usually stated in terms of cost or time) to the risks.

Uses of quantitative risk analysis

1. Prioritization of risk factors
2. Verification of loss data
3. Classification of loss data
4. Prediction of losses and range of losses
5. Cost benefit decision making
6. Net Present Value (NPV) analysis
7. Review of insurance program structure to determine the viability of a retention program, the amount of retention and insurance purchasing decisions including limits of liability.

Tools to perform quantitative risk analysis

Risk analysis tools are used to assess the various impacts exposures have on the organization.

Tools to assess the likelihood of an event occurring
1. Loss analysis
2. Risk mapping or risk factor analysis
3. Probability analysis
4. Linear regression

Tools to assess the impact of an event should it occur
1. Payback analysis and accounting rate of return
2. Cost benefit analysis
3. Net Present Value (NPV) analysis
4. Internal Rate of Return (IRR)
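An added example (not part of the course notes) of the impact-assessment tools just listed, applied to a constructed safeguard decision: payback period, accounting rate of return, NPV and IRR of a control whose benefit is the expected loss it avoids. The scenario figures, the ARR convention and the discount rate are assumptions made for the demonstration.

```python
from typing import Dict, List, Optional


def expected_annual_loss(probability: float, impact: float) -> float:
    """Annual expected loss of a risk: Probability x Impact."""
    return probability * impact


def safeguard_cash_flows(purchase_cost: float, loss_before: float, loss_after: float,
                         running_cost: float, years: int) -> List[float]:
    """Year-0 outlay followed by `years` of net benefit: the avoided expected
    loss minus the safeguard's own running cost."""
    net_benefit = (loss_before - loss_after) - running_cost
    return [-purchase_cost] + [net_benefit] * years


def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years until the cumulative cash flow turns non-negative (interpolated
    within the year); None if the outlay is never recovered."""
    cumulative = cash_flows[0]
    for year, flow in enumerate(cash_flows[1:], start=1):
        if flow > 0 and cumulative + flow >= 0:
            return year - 1 + (-cumulative / flow)
        cumulative += flow
    return None


def accounting_rate_of_return(cash_flows: List[float]) -> float:
    """Average annual accounting profit (net benefit less straight-line
    depreciation of the outlay) divided by the initial outlay. This is one of
    several ARR conventions and is assumed here."""
    outlay = -cash_flows[0]
    years = len(cash_flows) - 1
    avg_benefit = sum(cash_flows[1:]) / years
    return (avg_benefit - outlay / years) / outlay


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value: cash flows discounted at `rate` per year, year 0 undiscounted."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """Internal rate of return by bisection: the discount rate at which NPV is zero.
    Returns None when NPV does not change sign on [lo, hi] (no single IRR)."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def appraise_safeguard(purchase_cost: float, probability: float, impact: float,
                       probability_after: float, running_cost: float, years: int,
                       discount_rate: float) -> Dict[str, object]:
    """Run every impact tool on one safeguard and apply the notes' cost-benefit
    rule: mitigate when bearing the risk costs more than mitigating it."""
    loss_before = expected_annual_loss(probability, impact)
    loss_after = expected_annual_loss(probability_after, impact)
    flows = safeguard_cash_flows(purchase_cost, loss_before, loss_after, running_cost, years)
    value = npv(discount_rate, flows)
    return {
        "expected_loss_before": loss_before,
        "expected_loss_after": loss_after,
        "payback_years": payback_period(flows),
        "arr": accounting_rate_of_return(flows),
        "npv": value,
        "irr": irr(flows),
        "decision": "mitigate" if value > 0 else "accept and monitor",
    }


if __name__ == "__main__":
    # Constructed scenario: a fire-suppression system for a warehouse that cuts the
    # annual probability of a total-loss fire from 10% to 2%.
    result = appraise_safeguard(purchase_cost=60_000.0, probability=0.10, impact=500_000.0,
                                probability_after=0.02, running_cost=5_000.0, years=5,
                                discount_rate=0.08)
    for key, value in result.items():
        print(f"{key:>21}: {value}")
```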

There are five inputs to perform quantitative risk analysis:

- The risk register. This contains a list of all of the risks identified so far on the project, and includes information on each such as their responses, their records and categories.
- The risk management plan. This document is in fact the risk management strategy, because it defines the level of risk which is seen as tolerable, how such risks will be managed, who will be responsible for carrying out the risk activities, the time and cost aspects of each risk activity and how the communication of risk is to occur.
- Schedule management plan. Because the schedule timings are presented in a quantifiable manner, risks concerned with timing and time scales can easily be quantified within this process.
- Cost management plan. Similar to the above, costs are also quantifiable and can be used as an input for this process. Note that the scope management plan is not quantifiable and is therefore normally used within the qualitative risk analysis process.
- Organizational process assets. These may consist of risk templates, policies, procedures or guidelines, lessons learned from previous or similar projects, and any quantitative risk tools.

Advantages of Quantitative Risk Assessment

1. Using quantitative assessments, managers are able to present the results of the risk assessment in a straightforward manner to support the accounting-based presentations of senior managers.
2. As the results are statistical in nature, it aids in determining whether an expensive safeguard is worth purchasing or not. As a result, the process requires the risk assessment team to put great effort into asset value definition and mitigation.
3. Its results are based substantially on independent, objective processes and metrics.
4. Finally, carrying out a quantitative risk analysis is fairly simple and can easily follow a template type approach.

Drawbacks of Quantitative Risk Assessment

1. Calculations involved in quantitative risk assessments are complex and time consuming.
2. Its results are presented in monetary terms only and as such may be difficult for non-technical people to interpret.
3. The process requires expertise, so participants cannot be easily coached through it.
4. Impact values assigned to risks are based on the opinions of participants.

Advantages of Qualitative Risk Assessment Technique:

1. Ease of calculation: when compared with the quantitative technique, performing calculations using a qualitative technique is relatively simple.
2. Monetary value of assets does not need to be determined: to perform a qualitative risk assessment, managers don't need to come up with a monetary value for the assets identified during the initial asset identification phase.
3. It is not necessary to quantify threat frequency: because this technique does not require complex calculations, managers do not have to quantify the number of times a certain threat is likely to occur
4. It is easier to involve non-security and non-technical staff: though it is important to select the risk assessment team members, this technique does not require that the selected team members consist solely of technical members.
5. Flexibility in process and reporting

Drawbacks of Qualitative Risk Assessment Techniques

1. Qualitative techniques are subjective in nature, i.e. rather than relying on 'statistical data or evidence' for its results, it is dependent on the quality of the risk management team that created it.

Striking a Balance

As already highlighted above, both approaches to risk management have their advantages and disadvantages. Certain situations may call for organizations to adopt the quantitative approach. Conversely, smaller organizations with limited resources will probably find the qualitative approach a better fit.

Furthermore, in selecting a risk analysis technique, managers should select a technique that best reflects the needs of the organization. The decision on which risk analysis technique to use should depend on what the manager is attempting to achieve. Capturing risks and selecting controls are important; however, more important is an effective risk assessment process establishing the risk levels. Before an organization can decide on what to do, it must first identify where and what the risks are. Quantitative risk analysis requires risk identification, after which both qualitative and quantitative risk analysis processes can be used separately or together. Consideration of time and budget availability and the need for both types of analysis statements about risk and impact will determine which method(s) to use.

PRIORITIZING AND MAPPING OF RISKS

Risk assessment is a process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least critical importance ranking.

Risk Matrix

A Risk Matrix is a matrix that is used during Risk Assessment to define the various levels of risk. This is a simple mechanism to increase the visibility of risks and assist management decision making. Although many standard risk matrices exist, different organizations may need to create their own or tailor an existing risk matrix.

For example, the harm severity can be categorized as:

- Catastrophic – Multiple Deaths
- Critical – One Death or Multiple Severe Injuries
- Marginal – One Severe Injury or Multiple Minor Injuries
- Negligible – One Minor Injury

The probability of harm occurring might be categorized as 'Certain', 'Likely', 'Possible', 'Unlikely' and 'Rare'. However, it must be considered that very low probabilities may not be very reliable.

The resulting Risk Matrix could be:

            Negligible   Marginal   Critical   Catastrophic
Certain     High         High       Extreme    Extreme
Likely      Moderate     High       High       Extreme
Possible    Low          Moderate   High       Extreme
Unlikely    Low          Low        Moderate   Extreme
Rare        Low          Low        Moderate   High

The company or organization would then calculate what levels of risk they can take with different events. This would be done by weighing up the risk of an event occurring against the cost to implement safety and the benefit gained from it.

The following is an example risk matrix with particular accidents allocated to appropriate cells within the matrix:

            Negligible     Marginal   Critical             Catastrophic
Certain     Stubbing Toe
Likely                     Fall
Possible                              Major Car Accident
Unlikely                                                   Aircraft Crash
Rare                                                       Major Landslide

Problems with Risk Matrix

Poor Resolution. Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks ("range compression").

Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can lead to worse-than-random decisions.

Suboptimal Resource Allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices.

Ambiguous Inputs and Outputs. Categorizations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorizations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limitations suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgments.

Risk mapping

A risk map is a data visualization tool for communicating specific risks an organization faces. Risk mapping is used to assist in identifying, prioritizing, and quantifying (at a macro level) risks to an organization. This representation often takes the form of a two-dimensional grid with frequency (or likelihood of occurrence) on one axis and severity (or degree of financial impact) on the other axis; the risks that fall in the high-frequency/high-severity quadrant are given priority risk management attention.

The goal of a risk map is to improve an organization's understanding of its risk profile and appetite, clarify thinking on the nature and impact of risks, and improve the organization's risk assessment model. In the enterprise, a risk map is often presented as a matrix. For example, the likelihood a risk will occur may be plotted on the X-axis while the impact of the same risk is plotted on the Y-axis.

Risk analysis builds on the risk information generated in the identification step, converting it into decision-making information. In the analyzing step, three more elements are added to the risk's entry on the master risks list: the risk's probability, impact, and exposure. These elements allow operations staff to rank risks, which in turn allows them to direct the most energy into managing the list of top risks.

Risk Probability

Risk probability is a measure of the likelihood that the consequences described in the

risk statement will actually occur and is expressed as a numerical value. Risk probability

Page 110: Risk management DIU 205

must be greater than zero, or the risk does not pose a threat. Likewise, the probability

must be less than 100 percent, or the risk is a certainty-in other words, it is a known

problem.

The following table demonstrates an example of a three-value division for probabilities.

Risk Impact

Risk impact is an estimate of the severity of adverse effects, the magnitude of a loss, or

the potential opportunity cost should a risk be realized. Risk impact should be a direct

measure of the risk consequence as defined in the risk statement. It can either be

measured in financial terms or with a subjective measurement scale.

If all risk impacts can be expressed in financial terms, use of financial value to quantify

the magnitude of loss or opportunity cost has the advantage of being familiar to

business sponsors. The financial impact might be long-term costs in operations and

support, loss of market share, short-term costs in additional work, or opportunity cost.

Risk Exposure

Risk exposure measures the overall threat of the risk, combining the likelihood of actual

loss (probability) with the magnitude of the potential loss (impact) into a single numeric


value. In the simplest form of quantitative risk analysis, risk exposure is calculated by

multiplying risk probability by impact.

Exposure = Probability x Impact

The advantage of presenting exposure in a tabular risk matrix is that it is easy to understand through its use of colors (red for the high-risk zone in the upper-right corner, green for low risk in the lower-left corner, and yellow for medium risk along the diagonal). It also uses well-defined terminology: "High risk" is easier to comprehend than "high exposure".
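The analysis step described above (probability, impact, exposure, ranking, and placing each risk in a likelihood/impact matrix) is easy to get wrong at the edges, so here is a worked example in Python. It is added to this text and is not part of the course material; the five sample risks, the 0.33/0.66 band boundaries and the colour assigned to each of the nine cells are constructed assumptions.

```python
"""Risk analysis: probability, impact, exposure and a 3x3 risk map.

Added example (not from the course text). The sample risks, the band
boundaries and the colour of each cell are constructed assumptions.
"""
from dataclasses import dataclass

# Three-value division for probability and impact (assumed boundaries).
BANDS = [(0.33, "Low"), (0.66, "Medium"), (1.0, "High")]

# Risk map colours keyed by (probability band, impact band): red in the
# high/high corner, green in the low/low corner, yellow along the diagonal.
ZONE = {
    ("High", "High"): "red", ("High", "Medium"): "red", ("Medium", "High"): "red",
    ("High", "Low"): "yellow", ("Medium", "Medium"): "yellow", ("Low", "High"): "yellow",
    ("Low", "Low"): "green", ("Low", "Medium"): "green", ("Medium", "Low"): "green",
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the stated consequence occurs, 0 < p < 1
    impact: float       # severity on a 0..1 scale (use money if all impacts are financial)


def band(value: float) -> str:
    """Map a 0..1 value onto the three-value scale."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"value {value} outside 0..1")
    for upper, label in BANDS:
        if value <= upper:
            return label
    raise AssertionError("unreachable: BANDS ends at 1.0")


def exposure(risk: Risk) -> float:
    """Exposure = Probability x Impact, refusing entries that are not risks.

    p == 0 is no threat; p == 1 is a certainty, i.e. a known problem that
    belongs on an issue list, not on the master risk list.
    """
    if not 0.0 < risk.probability < 1.0:
        raise ValueError(f"{risk.name}: probability must be strictly between 0 and 1")
    return risk.probability * risk.impact


def analyse(risks):
    """Add exposure and map zone to each entry, then rank by exposure."""
    rows = []
    for r in risks:
        pb, ib = band(r.probability), band(r.impact)
        rows.append({
            "name": r.name, "probability": r.probability, "impact": r.impact,
            "exposure": round(exposure(r), 4), "zone": ZONE[(pb, ib)],
        })
    rows.sort(key=lambda row: row["exposure"], reverse=True)
    return rows


def risk_map(risks):
    """The 3x3 matrix itself: (probability band, impact band) -> risk names."""
    cells = {key: [] for key in ZONE}
    for r in risks:
        cells[(band(r.probability), band(r.impact))].append(r.name)
    return cells


def top_risks(risks, n=3):
    """Names of the n highest-exposure risks, the list that gets management attention."""
    return [row["name"] for row in analyse(risks)[:n]]


# Constructed master risk list for the demonstration.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", 0.70, 0.80),
    Risk("Laptop theft", 0.50, 0.10),
    Risk("Data centre fire", 0.05, 0.95),
    Risk("Key supplier insolvency", 0.20, 0.60),
    Risk("Phishing leading to credential loss", 0.80, 0.50),
]

if __name__ == "__main__":
    for row in analyse(SAMPLE_RISKS):
        print(f"{row['exposure']:.4f} {row['zone']:6s} {row['name']}")
    for (pb, ib), names in sorted(risk_map(SAMPLE_RISKS).items()):
        print(f"P={pb:6s} I={ib:6s} {names}")
```

Note the data centre fire: it has the lowest exposure of the five and would drop off a list ranked by exposure alone, yet it sits in the yellow zone because of its impact. That is why the ranked list and the map are kept side by side.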

QUESTIONS

1. Differentiate between qualitative and quantitative analysis.

2. Define a risk map and give an example of its application.

3. What are the advantages of qualitative risk assessment?

4. Identify two risk identification techniques, highlighting the pros and cons of each.

CHAPTER 6.0 RISK FINANCING

Introduction


Chinese merchants were among the earliest known business people to use risk financing in the conduct of trade and commerce. Merchants who shipped their goods on the Yangtze River could never be sure that their goods would arrive safely at the trading centers down river; the boats would sometimes sink with ship and cargo. To avoid a total loss, merchants would coordinate their shipments by distributing their cargo across several ships. If one ship sank, each merchant lost only a portion of his cargo, minimizing the possibility of a total loss.

The basic tenets of risk financing, from the trip down the Yangtze River to how organizations finance risk today, have similarities such as:

1. Pooling of resources

2. Transfer of risk

3. Spread of risk

4. The need to anticipate the risks of the group's operations

5. A plan to deal financially with a loss if it occurs

6. Risk retention

7. Verbal or written contracts to substantiate the financing in the event of loss

8. Identifying the simplest, least expensive and most creative way to finance risk without jeopardizing the financial integrity of operations

9. The ultimate goal of protecting the assets of the business or of the individual (personal lines)

Learning objectives

1. To develop an understanding of risk financing techniques and their application

2. To develop an understanding of how to select the best technique for an organization

Risk Financing


Risk financing involves the identification of risks, determining how to finance the risk,

and monitoring the effectiveness of the financing technique that is chosen.

Risk financing is designed to help a business align its desire to take on new risks in order to grow with its ability to pay for those risks. A business must weigh the potential costs of an action against whether the action will help it reach its objectives. It will examine its priorities to determine whether it is taking on the appropriate amount of risk to reach its objectives, whether it is taking the right types of risk, and whether the costs of these risks are being accounted for financially.

Companies have a variety of options when it comes to protecting themselves from risk. Commercial insurance policies, captive insurance, self-insurance and other alternative risk transfer schemes are available, though the effectiveness of each depends on the size of the organization, its financial situation, the risks it faces and its overall objectives. Risk financing seeks to choose the option that is least costly but that also ensures the organization has the financial resources to continue pursuing its objectives after a loss event occurs.

Companies typically forecast the losses that they expect to experience over a period of

time, and then determine the net present value of the costs associated with the

different risk financing alternatives available to them. Each option is likely to have

different costs depending on the risks that need coverage, the loss development index

that is most applicable to the company, the cost of maintaining a staff to monitor the

program, and any consulting, legal, or external experts that are needed.

RISK FINANCING TECHNIQUES


Risk Management Process

A) Retention of Risk

The financing of risks and losses is said to be “retained” if the funding source for

payment of the losses originates from and remains within the organization until the loss

is actually paid.

Financing risks through retention can be accomplished by any of the following

techniques.

[Figure: The Risk Management Process. Identification and analysis of exposure leads to treatment of exposure, which is divided into risk control and risk financing; risk financing is in turn divided into transfer and retention.]


1. Expensing of Losses

Current expensing of losses involves the payment of losses directly from the

current operating budget or appropriation. That is, the loss is “expended” or paid

out of the current year’s operating funds. Current expensing typically does not

provide for a formally recognized funding source from which losses are paid.

Therefore, expensing of losses is suitable only for payment of small losses such as

repairing or replacing a damaged laptop. Expensing is not suitable for funding

large losses.

2. Loss Reserves

A loss reserve can be established for the potential liability or payment of losses. The reserve is typically based on expected losses and treated as an accounting entry that identifies the potential liability on the organization's financial statements. This liability can be funded by cash, securities or other liquid assets that are earmarked for the designated liabilities.

3. Borrowing

Borrowing is a method an organization may use to pay for losses that have not been previously funded or insured. The cost of this option is at the high end: it attracts interest, and ultimately the institution still pays for the losses out of its own earnings and resources. This deprives the organization of funds that would otherwise have been used for revenue-generating activities.


4. Self-Insurance

A planned strategy whereby the organization finances its own losses. The methods for this option include the following.

a) A self-insurance trust is a funding vehicle, typically a bank account administered by an independent third party (the trustee), whose funds are designated solely for the purpose of paying losses. The fund level is actuarially determined, and a formalized agreement predetermines the statement of coverage and the losses to be paid.

b) A captive is an insurance company controlled primarily by its owners, in which the original insureds are the principal beneficiaries. Simply stated, a captive is a corporation whose product is the payment of losses and whose revenue is premium payments.

Risk Transfer

The financial burden of losses can be transferred from the entity incurring the loss to an

outside entity for a premium fee or through a contract. This may be accomplished

through the purchase of commercial insurance or through a contractual transfer.

1. Insurance Transfer of Risk

Insurance is a contractual relationship that exists when one party (the Insurer) for

a consideration (the Premium) agrees to reimburse another party (the Insured or

third party on behalf of the Insured) for a loss to a specified subject (the Risk)

caused by designated contingencies (the Hazards or Perils).


When commercial insurance is purchased, the insured entity pays premiums to the insurer. The insurer then pools the premiums paid by all insured entities that have purchased the same type of insurance. In this manner the risks are "spread" among all insureds, and premiums are kept to a minimum.

The insurer is then legally responsible for payment of all claims and losses, subject to the terms, exclusions and limitations of the policy, rather than the entity incurring the claim or loss.

From a practical point of view, insurance will nearly always involve some form of risk retention. For instance, the excess or deductible is a planned retention, while any limitation of the scope of cover resulting from an adverse coverage interpretation by the commercial insurer is an unplanned retention. The insurance policy should therefore never be viewed as a "complete" transfer of risk.

2. Contractual transfer

This involves a legal transfer of the financial responsibility for payment of losses but does not involve the purchase of insurance. Such non-insurance transfers typically involve the use of a "hold harmless" agreement: an agreement between two parties defining an obligation or duty resting on one party to make good the liability, loss or damage that the other party has incurred or may incur.


RISK RETENTION VERSUS RISK TRANSFER

The decision whether to transfer rather than retain risk will depend upon many factors, including:

1. The size and type of operation

2. The financial strength and resources of the organization

3. The type of risk to be treated

4. The risk-taking philosophy of the organization

5. The organization's future goals and objectives

6. The overall effectiveness of the risk management and loss control program

When evaluating the risk financing continuum, two aspects are critical:

a) Cost efficiency

b) Cost certainty

For instance, an insurance program has cost certainty, while its cost efficiency is minimal, considering that the organization pays a premium that includes:

1. Insurance company profit

2. Overheads

3. An estimate of the losses to be paid under the policy

4. Charges for use of the insurer's policy form

5. Reinsurance

6. Miscellaneous services

7. A charge for the "risk" the insurer assumes on this exposure

The insurance option is suitable for smaller organizations with limited assets and resources, where maximum cost certainty is important to their financial wellbeing.


At the other end, a decision to retain, for instance, your professional liability claims would provide cost efficiency but cost uncertainty. The cost efficiency arises from paying for losses without incurring the usual insurer's expenses. The cost uncertainty arises from having limited or no knowledge of when a claim will arise and when it will have to be paid, which also bears on the availability of funds when they are needed to pay such losses.

The retention approach makes sense for large corporations that have the resources to run their risk management program effectively and sufficient assets to accommodate the volatility of loss payments without impairing the financial strength of the organization.

Typical risk managers use a combination of both options, retaining risks that are predictable and transferring risks that are unpredictable or catastrophic. This should strike a balance between cost efficiency and cost certainty. For this balance to succeed, however, an organization needs a robust risk management and loss control program in place.
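The trade-off between cost efficiency and cost certainty described above, and the earlier remark that companies forecast their expected losses and compare the net present value of each financing alternative, can be made concrete with a small model. The following Python is an added example and not part of the course: the annual loss scenarios, the 35 percent premium loading (standing in for the insurer's profit, overheads, reinsurance, policy form and risk charges listed above), the per-occurrence retention of 100 and the 6 percent discount rate are all constructed assumptions.

```python
"""Retention versus transfer: cost efficiency against cost certainty.

Added example, not part of the course text. The loss scenarios, the premium
loading, the retention and the discount rate are constructed assumptions.
"""
from math import sqrt

# Constructed annual loss scenarios: (probability of the year, individual losses).
SCENARIOS = [
    (0.50, [20, 30]),
    (0.30, [60, 40, 10]),
    (0.15, [200]),
    (0.05, [1500]),  # catastrophic year
]

# Premium = expected transferred loss x loading. The 35 % stands for the
# insurer's profit, overheads, reinsurance, policy form and risk charges.
LOADING = 1.35


def split_year(losses, retention):
    """Retain up to `retention` per occurrence; the excess of each loss is transferred."""
    retained = sum(min(loss, retention) for loss in losses)
    transferred = sum(max(loss - retention, 0.0) for loss in losses)
    return retained, transferred


def expected(weighted):
    """Probability-weighted mean of (p, value) pairs."""
    return sum(p * v for p, v in weighted)


def programme_cost(retention, scenarios=SCENARIOS, loading=LOADING):
    """Annual cost profile of a programme with a per-occurrence retention.

    retention=0 is full insurance, retention=float("inf") is full retention,
    anything in between is the usual hybrid: self-insure the predictable
    layer, transfer the catastrophic layer.
    """
    splits = [(p, split_year(losses, retention)) for p, losses in scenarios]
    premium = expected((p, t) for p, (_, t) in splits) * loading
    costs = [(p, r + premium) for p, (r, _) in splits]
    mean = expected(costs)
    variance = sum(p * (c - mean) ** 2 for p, c in costs)
    return {
        "premium": premium,                 # fixed and known in advance
        "expected": mean,                   # cost efficiency: lower is better
        "std": sqrt(variance),              # cost certainty: lower is better
        "worst": max(c for _, c in costs),  # what the balance sheet must absorb
    }


def npv(annual_cost, years, rate):
    """Present value of a level annual cost over `years` at discount `rate`."""
    return sum(annual_cost / (1 + rate) ** t for t in range(1, years + 1))


def compare(retentions=(0.0, 100.0, float("inf")), years=5, rate=0.06):
    """NPV of expected cost plus volatility for each candidate retention."""
    out = {}
    for ret in retentions:
        c = programme_cost(ret)
        c["npv_expected"] = npv(c["expected"], years, rate)
        out[ret] = c
    return out


if __name__ == "__main__":
    names = {0.0: "full insurance", float("inf"): "full retention"}
    for ret, c in compare().items():
        label = names.get(ret, f"retain {ret:.0f}/occurrence")
        print(f"{label:22s} premium {c['premium']:7.2f} expected {c['expected']:7.2f} "
              f"std {c['std']:7.2f} worst {c['worst']:8.2f} NPV(5y) {c['npv_expected']:8.2f}")
```

With these figures full insurance costs 220.05 every year, full retention costs 163 on average but 1,500 in the catastrophic year, and retaining the first 100 of each loss costs 192.75 on average with a worst year of 224.75. The hybrid keeps almost all of the cost certainty of insurance while giving back most of the loading, which is the balance the text recommends; what "sufficient assets to accommodate the volatility" means is the 1,500 year that full retention would have to absorb.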

Guiding factors when choosing between risk transfer and risk retention

1. The risk-taking philosophy of the organization. Senior management needs to agree on which risks to accept and which risks to transfer.

2. Self-insure the predictable layer of losses where possible. To do otherwise is to trade shillings with an insurer while losing control over your program.

3. Transfer unpredictable or catastrophic layers of potential losses, at limits sufficient to protect the assets of your organization.

4. Any risk retained should have an effective risk management program in place to control or minimize the risk.


5. Always take a long-term view of the transfer versus retention strategy. For instance, in a soft market insurance costs will be lower, but how sustainable will that be in the future?

6. Be prudent and conservative in funding your self-insurance program. Payable losses will fall if the loss control program is effective.

7. Choose your risk financing consultants, such as brokers, actuaries, auditors and legal advisers, carefully. They need to be your partners and advocates in safeguarding your organization's assets and reputation.

8. Research the insurance carrier to determine its financial security, management, policy services and record of paying claims.

Questions

1. Discuss retention as a risk financing technique.

2. Discuss the relationship between cost certainty and cost efficiency.

3. Discuss the basic tenets of a risk financing program.

CHAPTER 7. ALTERNATIVE RISK TRANSFER (ART) MECHANISMS


Introduction

This chapter discusses alternative risk transfer mechanisms with respect to insurance and

related risk management. Risk transfer means causing another party to accept the risk,

for example through insurance, where risk is transferred from an entity to the insurance

company.

Learning Outcomes

After completion of this chapter you should be able to;

Describe alternative risk transfer mechanisms and explain why their use has increased.

Explain what falls under finite risk reinsurance.

Explain integrated risk management.

Show how capital markets work as an additional source of capacity.

Explain alternative risk transfer products.

Unit structure

Definition and reasons for increased use

Finite risk management

Risk transfer to capital markets

Integrated risk management

Alternative risk financing products

Study Guide

You are expected to be familiar with the scope and objectives of risk management,

building up an effective risk management programme and the important steps in risk

management decision making process.


8.1 DEFINITION AND REASONS FOR INCREASED USE OF ALTERNATIVE RISK TRANSFER

MECHANISM

Alternative Risk Transfer (often referred to as ART) is the use of techniques other than

traditional insurance and reinsurance to provide risk bearing entities with coverage or

protection. The field of alternative risk transfer grew out of a series of insurance capacity

crises in the 1970s through 1990s that drove purchasers of traditional coverage to seek

more robust ways to buy protection.

Most of these techniques permit investors in the capital markets to take a more direct

role in providing insurance and reinsurance protection, and as such the broad field of

alternative risk transfer is said to be bringing about a convergence of insurance and

financial markets.

In addition, a number of approaches involve funding risk transfer, often within the

structures of the traditional reinsurance market. Captive insurance companies are formed

by firms and re/insurers to receive premiums that are generally held and invested as a

"funded" layer of insurance for the parent company. Some captives purchase excess of

loss reinsurance and offer coverage to third parties, sometimes to leverage their skills and

sometimes for tax reasons. Financial reinsurance in various forms (finite, surplus relief,

funded, etc.) consists of various approaches to reinsurance involving a very high level of

prospective or retrospective premiums relative to the quantity of risk assumed. While


such approaches involve "risk finance" as opposed to "risk transfer," they are still

generally referred to under the heading of alternative risk transfer

Alternative Risk Transfer mechanisms are designed to help you retain underwriting profits

and reduce insurance premiums paid under traditional plans.

Why more risk managers are using alternative risk transfer solutions

Alternative risk transfer (ART) is assuming more importance, as larger companies seek to

take more control over their risk management and transfer, smooth out volatilities in

pricing, broaden coverage, and gain deeper insight into their losses, near losses, claims

and overall risk profile.

ART presents risk managers with more opportunities to hedge risks in innovative ways

and to be less dependent on ‘classic’ insurance.

For companies with increasing revenues and large balance sheets, risk tolerance is

increasing. They can take on more risk and are looking to protect themselves against risks

that run into billions of dollars, which can be difficult to find cover for in the conventional

insurance market.

Furthermore, risk managers increasingly face emerging or new risks that can be difficult to insure, such as non-damage business interruption (BI), political risks, reputational risks and climate risks, all of which can cost companies billions of dollars.

Several broader industry factors are also spurring increased ART: more data with which

to quantify and accurately price risks, greater focus on and more sophisticated ART

services among large (re)insurance carriers and an influx of alternative capital into the

(re)insurance sector.


Many options

The range of ART mechanisms available today is both wide and diverse, providing multiple

risk transfer alternatives to the traditional insurance market.

Risk financing vehicles such as captives, financial instruments and hybrid products that

incorporate characteristics of both financial instruments and reinsurance are all

commonly utilised ART structures, each providing differing strategic risk management

benefits.

The ability to blend traditional (re)insurance with forms of self-funding, access to flexible multi-year, multi-line, multi-trigger products and the increased availability of capacity are the key drivers of the growth in demand for ART.

Common strategies include:

• Loss-sensitive insurance plans, in which premiums are based on losses.

• Risk purchasing groups, in which groups of insureds purchase liability insurance together.

• Captives, which are owned and controlled by their insured parties.

• Group captives, which are owned and controlled by multiple insureds (firms of a similar

size often pool risks in an industry captive with customised insurance plans).

• Protected cell captives, which allow a client to rent a captive while ensuring complete

separation of assets, capital and surplus between them and other participants.

• Self-insured retention plans.

• Self-insured groups and pools.

Organisations use a variety of capital sources to fund their risks: banks, insurers,

shareholders and others. By merging the best of capital market techniques with insurance


structures, ART solutions enable companies to select the most appropriate risk finance

and acquire contingent capital at economic cost.

ART solutions can fulfil a variety of needs, including:

• General earnings smoothing

• Managing speculative risks

• Risk hedging

• Deal facilitation

• Removal of specific balance sheet provisions.

In particular, they can be used to hedge risks (or accumulations of risks) considered by a

company to be intolerable or unacceptable – for example, commodity, exchange rate or

weather risks – or to gain a financing cost advantage over its competition, such as utilising

insurance structures that competitors may not have access to.

ART can also enable companies to reduce the cost of borrowing (in certain circumstances,

insurers’ contingent capital may be cheaper than standby lines of credit) and can be used

where a lender of capital stipulates some form of insurance coverage – for example, as

part of a credit enhancement deal.

Part of the reason why ART has gained popularity is because the insured:

a) does not subsidise others whose premiums are inadequate to pay their claims

b) gains access to profits generated from current insurance premiums, and

c) has more control of who shares their risk and is not subject to market swings – gaining

stability and predictability in premiums.


Broader contributing factors

New capital is not the only driver of change in this market – the far greater availability of

data nowadays creates opportunities to price and quote for new types of business.

Structured insurance is an example of an area where activity is increasing as companies

look to cover difficult or uninsurable risks over multiple balance sheet periods with a mix

of risk retention and risk transfer.

This is mainly a solution for managing non-attributed exposures year on year over multiple balance sheet periods and can, for example, be particularly effective for managing political risk.

Another area that is being explored by investors is operational risk for financial

institutions (such as fraud, employment practices, system failures and delivery

management failures), where potentially investors would be ready to ‘step in’ and take

some of the high-severity risk.

8.2. FINITE RISK INSURANCE

Finite risk insurance is an insurance contract that shifts the risk of loss from an insured to an insurer during a

stated number of years. Such contracts are subject to a specific limit of liability and

include a "commutation feature" (i.e., a refund to the insured) if loss experience is better

than expected. Part of the investment income derived from the insured's premium

payment is also rebated to the insured. In lieu of an underwriting profit that an insurer

seeks from a traditional insurance policy, a finite risk insurance contract provides the

insurer with an administrative fee for writing and maintaining the contract plus a

relatively stable investment income, which is earned on the insured's premium payments.

Finite risk insurance is the term applied within the insurance industry to describe an

alternative risk transfer product that is typically a multi-year insurance contract where


the insurer bears limited underwriting, credit, investment and timing risk. The assessment

of risk is often conservative. The insurer and the insured share in the net profit of the

transaction, including loss experience and investment income. The premium is generally

well in excess of the present value of a conservative estimate of loss experience. The

policy generally contains retrospective rating provisions such as:

• Commutation provisions

• Additional premium provisions

• An experience account

Finite risk insurance excludes products expressly sold as annuities.

The term "blended finite risk insurance" is often used to describe an insurance product

that has the characteristics of finite risk, but with more risk transfer included than

generally is the case for finite risk. While there is no brightline test for risk transfer, the

distinction would be most readily noted in the premium for blended finite risk insurance, which must be less than the present value of a conservative estimate of loss experience by a readily noticeable degree.

"Additional premium provision" means, in the context of finite risk insurance, a provision

of an insurance or reinsurance contract that requires or strongly encourages the insured

to pay the insurer some calculable amount as a result of losses paid or incurred under

that insurance or reinsurance contract, excluding provisions for additional premium due

to changes in exposure or policy audit.

"Commutation provision" means a verbal or written agreement, whether or not formally

incorporated into an insurance or reinsurance policy, that allows the policyholder to

commute the policy, usually implying that all liabilities and rights created by that contract

are extinguished in return for the balance of an experience account. Generally provisions


such as "profit sharing" or "low claims bonus," which also produce a return of premium

that can be reduced by claims payments, are not considered Commutation Provisions if

they do not extinguish the contract. Loss-based return and additional premium provisions

in conventional loss-based rating plans, e.g., incurred loss retrospectively rated insurance

and so-called "retention plans" used commonly in insuring US Workers' Compensation,

are generally not considered Commutation Provisions for much the same reason.

Sample language for such a provision might resemble this:

Commutation by policyholder

This policy may be commuted by the policyholder (the “commutation”) effective as of

December 31, 200_ or on each two year anniversary of such date thereafter, upon not

less than ninety (90) days advance written notice to the Insurer. The date of the

Commutation (the "Commutation Date") shall be set forth in such notice. Effective the

Commutation Date, the Policyholder and the Insurer, finally and irrevocably release each

other from any and all liability and obligations to each other under or in connection with

this Policy, whether billed or unbilled, whether reported or unreported and whether

known or unknown; provided that, upon the Commutation, the Insurer shall pay to the

Policyholder an amount equal to the Loss Experience Account. Such Loss Experience

Account shall be due and payable to the Policyholder on the Commutation Date.

"Experience account" when used in the context of finite risk refers to a provision in an

insurance or reinsurance contract that, using some function of premium, insurer charges,

losses paid or payable under the contract, subrogation proceeds, and interest rates, forms

the basis of an explicit or notional fund that can then be used to calculate the amount

due under an additional premium provision.

An example, appropriate for a finite risk insurance policy, might look like this:


Loss experience account

A notional loss experience account will be created at the Inception Date, for use in

evaluating amounts due under the commutation provision, which shall be updated

annually thereafter as of the last day of each calendar year so long as this Policy remains

in effect. The notional loss experience account will be determined as follows:

1. Beginning balance; minus

2. Payments of ultimate net loss made by the Insurer as of the immediately preceding

loss payment date; plus

3. Interest income on any positive daily balance calculated using an interest rate

equal to the one-year treasury rate effective on the inception date (for the first

calculation) and effective at each one-year anniversary for each subsequent

twelve-month period.

As of the inception date, the beginning balance will be equal to 100 percent of the

premium, less brokerage fees, less the insurer margin. The beginning balance for each

subsequent year will be the total of (1) through (3), above, from the prior year's

calculation.
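To see how the commutation clause and the experience account definition above interact over a policy's life, here is a Python model of the notional account. It is an added example rather than the course's own figures: the premium, brokerage and margin rates, the treasury rates, the loss payments, the aggregate limit and the rule that a negative balance at commutation is collected as additional premium are all constructed assumptions. Interest is credited once a year on the balance after that year's loss payments rather than on daily balances, a simplification of the clause quoted above.

```python
"""Notional loss experience account and commutation for a finite risk policy.

Added example, not the course's own figures. All amounts and rates are
constructed; annual interest on the post-payment balance is a simplification
of the "positive daily balance" wording in the sample clause.
"""
from dataclasses import dataclass, field


@dataclass
class FinitePolicy:
    premium: float
    brokerage_rate: float
    insurer_margin_rate: float
    aggregate_limit: float        # stated limit of liability over the contract
    first_commutation_year: int   # the "December 31, 200_" date, counted in policy years
    year: int = 0
    paid_by_insurer: float = 0.0
    balance: float = field(init=False)
    history: list = field(default_factory=list)

    def __post_init__(self):
        # Beginning balance: 100 % of premium, less brokerage, less the insurer margin.
        self.balance = self.premium * (1.0 - self.brokerage_rate - self.insurer_margin_rate)

    def close_year(self, ultimate_net_loss, treasury_rate):
        """Year-end update: minus losses paid, plus interest on a positive balance."""
        capacity = self.aggregate_limit - self.paid_by_insurer
        paid = min(ultimate_net_loss, capacity)   # insurer pays only up to the limit
        uncovered = ultimate_net_loss - paid       # beyond the limit stays with the insured
        self.paid_by_insurer += paid
        self.balance -= paid
        interest = max(self.balance, 0.0) * treasury_rate
        self.balance += interest
        self.year += 1
        self.history.append((self.year, paid, uncovered, interest, self.balance))
        return self.balance

    def commutation_allowed(self):
        """First commutation date, then every two-year anniversary of it."""
        offset = self.year - self.first_commutation_year
        return offset >= 0 and offset % 2 == 0

    def commute(self):
        """Extinguish the policy: refund a positive account, else collect the shortfall."""
        if not self.commutation_allowed():
            raise ValueError(f"commutation not permitted at end of year {self.year}")
        if self.balance >= 0:
            return {"refund": self.balance, "additional_premium": 0.0}
        # Assumed additional premium provision: the negative balance is due from the insured.
        return {"refund": 0.0, "additional_premium": -self.balance}


def run_policy(loss_payments, treasury_rates, **terms):
    """Build a policy and close one year per (loss, rate) pair."""
    policy = FinitePolicy(**terms)
    for loss, rate in zip(loss_payments, treasury_rates):
        policy.close_year(loss, rate)
    return policy


# Constructed terms shared by the two scenarios below.
TERMS = dict(premium=1000.0, brokerage_rate=0.05, insurer_margin_rate=0.08,
             aggregate_limit=1500.0, first_commutation_year=3)
RATES = [0.04, 0.04, 0.05]


def good_experience():
    """Losses well inside the funded layer: the insured commutes and takes the account back."""
    return run_policy([100.0, 300.0, 0.0], RATES, **TERMS)


def bad_experience():
    """Losses exhaust the account: the insurer carried the shortfall, and the
    additional premium provision claws it back at commutation."""
    return run_policy([600.0, 600.0, 0.0], RATES, **TERMS)


if __name__ == "__main__":
    for policy in (good_experience(), bad_experience()):
        for year, paid, uncovered, interest, balance in policy.history:
            print(f"year {year}: paid {paid:7.2f} uncovered {uncovered:6.2f} "
                  f"interest {interest:6.2f} balance {balance:8.2f}")
        print("commutation at end of year 3:", policy.commute())
```

In the good scenario the insured paid 1,000, had 400 of losses paid, and receives 546.87 back at the first commutation date, so the cover cost 53.13 net of the interest credit. In the bad scenario the same policy leaves the account 319.20 negative, and that is the figure the additional premium provision is written to recover; it is also the whole of the insurer's underwriting risk, which is why the text calls it limited.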

Finite risk reinsurance is a form of reinsurance that specifically incorporates the time

value of money. Unlike most reinsurance contracts, finite risk contracts are usually

multiyear. In other words, they spread risk over time and generally take into account the

investment income generated over the period.

In one type of finite risk reinsurance, for example, an insurance company transfers its

claims to the reinsurer, paying a premium that corresponds to the present value of the

claims transferred. Present value is a financial formula that recognizes the potential


investment income generated by the premium dollars. Generally, the claims transferred

are for medical malpractice or other so-called long-tail coverages, where the harm caused

may not be apparent for some time and the final cost of claims may not be known for

years. The timing risk is the key element here. If the claims are settled earlier than

anticipated, investment income will be lower and the reinsurer could lose money on the

transaction.

In another type of finite reinsurance, claims that have not yet been settled are

transferred. The risk to the reinsurer is that the claims will be more expensive than

expected over the long-term – that injured workers’ medical expenses will be twice as

high as anticipated, for example. The main benefit of this kind of finite reinsurance contract is that it facilitates mergers, since the acquiring company no longer has to be concerned about whether the reserves for losses are adequate.

Other types of finite reinsurance involve a greater element of financing losses but the

contract must meet requirements as to the amount of risk transfer to qualify the

arrangement as reinsurance for accounting purposes.

Finite risk contracts are reported to regulators along with traditional reinsurance

contracts. They are not broken out separately. Finite risk products are estimated to

represent less than five percent of total reinsurance premiums.

8.3. RISK TRANSFER TO CAPITAL MARKETS

The terms 'alternative risk transfer' and 'non-traditional risk transfer' are used loosely to

embrace a range of instruments that enable an organization to transfer financial risk to a

professional risk carrier, other than by way of an insurance contract. Professional risk

carriers in this case are capital markets, rather than insurance and reinsurance markets.


Financial risk transfer is about spreading financial risk across a large number of entities

capable of absorbing a substantial loss more easily than a single organization. Insurance

has been the traditional way of doing this but there has been a movement into capital

markets for transfers of very high value catastrophe risks. This is because a string of very

high catastrophe losses has exposed the inability of the insurance industry to respond

adequately. The spread and scale of capital markets means that catastrophe exposures

can be spread over a wider capital source, instead of solely within the insurance and

reinsurance markets.

Capital market risk products are still evolving and each has to be assessed on its individual

merits. They differ between countries because of different regulations and tax treatment.

They are most commonly used with large economic risks, rather than for those of

individual companies. The financial market failures of 2008 caused massive damage to

the liquidity and asset strength of many of these markets, and this is causing companies

to take greater care in understanding the risks involved.

Example

An example of alternative risk transfer is the cover arranged by Swiss Re, which some years ago structured, placed and reinsured earthquake cover for FONDEN (the Mexican Government's natural catastrophe fund). If an earthquake exceeds certain thresholds (e.g. magnitude, depth and location), the cover provides financing for disaster relief and post-disaster reconstruction. US$160 million of cover was placed in the capital markets through a catastrophe bond and the remainder was reinsured.

Remember that alongside the advantage of access to a wider range of funding products there are also disadvantages, which include the following.

• Payment is not necessarily linked to indemnity. The amount received may therefore fall short of, or exceed, the actual loss.

• Capital markets do not always bring the claims skills and resources that come with insurance. These may need to be sourced internally or subcontracted, both at a cost.

• The instruments may not be treated sympathetically by regulators, taxation regimes or accounting standards.

8.4. INTEGRATED RISK MANAGEMENT

Integrated risk management is a process that takes into consideration the degree of risk

that is found at all levels within a given organization. The idea is to assess the risk inherent

with the operation in general, including how risk factors in one area of the operation may

trigger specific responses in other areas of the operation. This all-inclusive approach to

risk management can often help to minimize factors that could create ongoing

operational issues that have long-term consequences for the business.

When used effectively, integrated risk management is a very proactive process. As the

first step to the process, it is necessary to identify risk as it exists at various levels within

the business. From there, risk must be assessed in terms of what that risk means to each

phase of the operation. Once the assessment is completed, it is essential to address risk

at each step in the business process, and determine what options are viable for dealing

with that risk factor. Finally, steps are taken to reduce risk within each area of the

operation, which in turn leads to increased efficiency and productivity, while at the same

time limiting the potential for losses.


It is important to note that integrated risk management is not a one-time event, or even

one that is conducted once or twice per calendar year. Instead, this type of all-inclusive

risk management is an ongoing process that relates to the day-to-day activities of the

company. From assessing risk in each phase of the manufacturing process to

understanding possible risk factors involved during service delivery and face to face

interactions of employees with customers, the risk evaluation is a constant aspect of the

ongoing effort to make the company as stable and profitable as possible.

There is no one ideal approach to the process of integrated risk management. The exact

processes used and the policies that govern those processes will vary somewhat from one

business setting to another. A constant with integrated risk management is that all

aspects of the operation are evaluated on a continual basis, identified risk factors are

evaluated in light of the overall operation, and resolutions that ultimately benefit the

entire business are the ultimate goal of the management process. As the circumstances

of the business change over time, the strategies that are used as part of the integrated

risk management process must also evolve in order to position the company to enjoy

additional growth in the future.

8.5 ALTERNATIVE RISK FINANCING PRODUCTS

Alternative risk financing products can be divided roughly into two principal categories:

Alternatives to insurance companies and

Alternatives to insurance products

1. Alternatives to Insurance Companies

In this section, we will identify different types of risk financing alternatives to insurance

companies and we will explain their benefits.

Example


a) Self-insurance

It is one of the oldest alternatives to insurance companies and remains one of the most

popular.

The term is self-explanatory: rather than purchasing an insurance policy, a company will

decide to retain an eligible risk while designating an amount of money calculated to

compensate for the potential future loss.

Self-insurance typically provides the first layer of coverage, and a policy is purchased from

the commercial insurance market to cover losses in excess of the self-insurance.

Following the 9/11 terrorist attacks, coverage for certain risks became much more

difficult to acquire and was only available at substantially increased costs.

Example

For example, airline insurers immediately increased premiums and cut their coverage for

third-party war and terrorism liabilities to a maximum of $50 million per airline, per

"event."

Workers' compensation carriers began to look very carefully at catastrophic exposures,

especially in locations with more than 250 employees, and some life insurance reinsurers

exited the market entirely.

As a result of these developments, many companies have increased the amount of risk

that they self-insure.

For instance, coverage for catastrophic losses might be secured by designating a $75

million a year self-insured retention and by combining this retention with traditional

insurance; this strategy would provide coverage in excess of the retention amount at

greatly reduced premiums.


b) Insurance pools, or self-insurance groups

These are an extension of self-insurance and are employed by companies to underwrite

their collective exposure to high-occurrence, low-cost risks. These groups tend to be

comprised of companies with similar risk profiles (either by type of industry or by

geography or both), because each member of a pool shares the profits and losses of the

pool through a so-called joint and several liability arrangement.

Members contribute premiums to a fund, the proceeds of which are invested and paid

out for claims and administrative expenses. Surplus funds may, at the members'

discretion, be repaid by members or reinvested in the fund.

c) A captive insurer

This, in general terms, is a licensed insurance company established by a noninsurance

parent company to insure the risks of the parent company, its affiliates or other entities

doing business closely with the parent company.

Captives are considered to have a number of advantages over traditional insurance

coverage. Companies utilizing captives enjoy cash flow benefits from lower insurance

costs and retention within the corporate group of premiums and investment income.

Captives can also provide tax benefits.

For example, payments to captives that provide employee benefits insurance are

deductible as insurance premiums in certain circumstances.

Additionally, the company's control over the captive subsidiary allows it to deal with

reinsurers directly, instead of through an insurance company, thereby lowering the cost

of access to the reinsurance market. Perhaps in response to these perceived benefits, the

use of captives has grown tremendously in recent years.

d) Risk retention groups


These are similar to multi-owner captive insurance companies or self-insurance groups.

They are liability insurance companies owned by their insureds (which must be engaged

in a similar business or exposed to similar risks) and they are authorized by the Liability

Risk Retention Act of 1986, which permits the insurance company - once licensed by its

state of domicile - to insure members in all states.

These groups enjoy many of the benefits ascribed to captives - such as the ability of

members to control their own program, the ability to maintain coverage at affordable

rates where typical insurance is hard to obtain and the ability to access reinsurance

markets directly - without the hassle of having to set up the corporate structure of a

captive insurance company as a subsidiary.

These groups now underwrite significant portions of the medical malpractice market,

following the insolvencies between 2001 and 2003 of many of the traditional malpractice

insurers.

However, it is important to note that these groups cannot underwrite certain risks, such

as an employer's liability with respect to its employees, or loss or damage resulting from

any personal, familial or household responsibilities or activities.

2. Alternatives to insurance products

Credit securitizations, CAT bonds, weather derivatives and finite risk products are among

the available alternatives to insurance products.

Many of these instruments are products of the capital markets: a consensus is emerging

that the global capital markets have capacity exceeding that of the insurance markets by

several orders of magnitude and, consequently, can handle at a lower cost and with less

shock to the system the occurrence of natural disasters and other severe risks.


In this section, we will explain the benefits of different types of risk financing alternatives

to insurance products.

a) Credit securitization

This involves the transfer of assets subject to credit risk, such as receivables, to a specially

created investment vehicle (i.e. a special purpose company). The vehicle in turn issues

securities "backed" by the transferred assets. The proceeds of the sale of the asset-backed

securities are remitted to the transferor of the assets - the entity that otherwise would

have purchased insurance to defray its credit risk - and the purchasers of the securities

assume the risk of recovery of the assets.

b) CAT bonds

These, more formally known as catastrophe bonds, are risk-linked securities designed to

transfer a specified set of risks from the issuer to the investors.

They are usually structured as corporate bonds whose repayment of principal is forgiven

if certain specified trigger conditions are met.

These conditions are generally linked to some sort of catastrophic event, such as a

hurricane hitting Florida. If no hurricane hits, the investors enjoy a return on their

investment through interest payments (typically at a coupon rate much higher than the

risk-free rate) and the principal repayment over the life of the bond.

But if the triggering event occurs, then the investors may lose their rights to some portion

of the principal or the entire principal, which is retained by the issuer to pay the loss.

As the hurricane example suggests, CAT bonds are most frequently used where the risk

sought to be defrayed is a high-severity, low-frequency event.
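To make the trigger and cash-flow mechanics of a CAT bond concrete, and to tie them back to the FONDEN earthquake cover in the example above, here is an added Python model (example code, not from the text, Swiss Re or FONDEN); the US$160 million principal is the figure from the text, while the 9% coupon, three-year term, magnitude, depth and region thresholds and the 50% loss fraction are constructed assumptions.

```python
"""Parametric CAT bond cash-flow model: an added example with constructed terms."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Earthquake:
    """A reported event. Sample values below are constructed, not real seismic records."""
    year: int        # policy year in which the event occurs (1-based)
    magnitude: float
    depth_km: float
    lat: float
    lon: float


@dataclass(frozen=True)
class ParametricTrigger:
    """Objective trigger terms of the kind the text describes: magnitude, depth and location.

    The thresholds are assumptions for this example, not FONDEN's actual contract terms.
    """
    min_magnitude: float
    max_depth_km: float
    region: tuple          # (lat_min, lat_max, lon_min, lon_max) bounding box
    loss_fraction: float   # share of outstanding principal forfeited per triggering event

    def fires(self, quake: Earthquake) -> bool:
        """True when all parametric conditions are met; no loss adjustment is involved."""
        lat_min, lat_max, lon_min, lon_max = self.region
        return (quake.magnitude >= self.min_magnitude
                and quake.depth_km <= self.max_depth_km
                and lat_min <= quake.lat <= lat_max
                and lon_min <= quake.lon <= lon_max)


def cat_bond_cash_flows(principal, coupon_rate, term_years, trigger, events):
    """Return (investor_flows, sponsor_payout).

    investor_flows[i] is the cash paid to investors at the end of policy year i + 1:
    the coupon on the principal outstanding at the start of that year (a modelling
    assumption) plus whatever principal survives to maturity. Principal forfeited by a
    triggering event is retained by the issuer to fund the sponsor's loss. This is the
    "payment not linked to indemnity" point made earlier: the sponsor receives the
    forfeited amount whether its real loss turns out larger or smaller.
    """
    outstanding = float(principal)
    sponsor_payout = 0.0
    investor_flows = []
    for year in range(1, term_years + 1):
        coupon = outstanding * coupon_rate
        for quake in events:
            if quake.year == year and trigger.fires(quake):
                forfeited = outstanding * trigger.loss_fraction
                outstanding -= forfeited
                sponsor_payout += forfeited
        principal_repaid = outstanding if year == term_years else 0.0
        investor_flows.append(coupon + principal_repaid)
    return investor_flows, sponsor_payout


def excess_pv_over_risk_free(principal, investor_flows, risk_free_rate):
    """Present value of the investor flows discounted at the risk-free rate, minus the
    principal paid in. Positive means the investors did better than a risk-free bond."""
    pv = sum(cf / (1.0 + risk_free_rate) ** (t + 1) for t, cf in enumerate(investor_flows))
    return pv - principal


# Constructed sample deal: the US$160 million principal is the figure from the text; the
# coupon, term, thresholds and region (a rough bounding box around Mexico) are assumed.
SAMPLE_PRINCIPAL = 160_000_000
SAMPLE_COUPON = 0.09
SAMPLE_TERM_YEARS = 3
SAMPLE_TRIGGER = ParametricTrigger(min_magnitude=7.0, max_depth_km=60.0,
                                   region=(14.0, 33.0, -118.0, -86.0), loss_fraction=0.5)
SAMPLE_EVENTS = [
    Earthquake(year=1, magnitude=6.4, depth_km=40.0, lat=17.5, lon=-100.0),  # too weak
    Earthquake(year=2, magnitude=7.6, depth_km=25.0, lat=16.9, lon=-99.8),   # triggers
    Earthquake(year=3, magnitude=7.2, depth_km=120.0, lat=15.0, lon=-95.0),  # too deep
]

if __name__ == "__main__":
    flows, payout = cat_bond_cash_flows(SAMPLE_PRINCIPAL, SAMPLE_COUPON, SAMPLE_TERM_YEARS,
                                        SAMPLE_TRIGGER, SAMPLE_EVENTS)
    for year, cf in enumerate(flows, start=1):
        print(f"year {year}: investors receive US${cf:,.0f}")
    print(f"sponsor receives US${payout:,.0f} from forfeited principal")
    excess = excess_pv_over_risk_free(SAMPLE_PRINCIPAL, flows, 0.04)
    print(f"investor excess PV versus a 4% risk-free rate: US${excess:,.0f}")
```

Running it with the sample events shows the year-two trigger halving the principal and leaving the investors behind a risk-free bond, while the same deal with no triggering event beats it thanks to the high coupon.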

c) Weather derivatives

Definition


Weather derivatives are financial instruments that can be used by companies as part of a

risk management strategy to reduce the risk associated with adverse or unexpected

weather conditions.

The derivative, in this case, is some objective measure of the weather, such that the

weather derivative pays based on the variability of the observed weather from an index.

So, for example, a weather derivative might pay based on the number of days when a low

(or high) temperature was exceeded.

Example

Farmers, for instance, would use weather derivatives to hedge against poor harvests that

result from a lack of rain or unseasonable snowstorms. Theme parks, on the other hand,

might use weather derivatives to insure against rainy weekends during peak season.

Energy companies, in particular, have been at the forefront of the development of the

weather derivative market.

d) Finite risk products

Finite risk products are similar to traditional insurance, but with a twist. Unlike typical

insurance contracts, which are typically of 12 months' duration, finite risk insurance

products have a longer term - say, 10 years.

These products are particularly useful where the risk sought to be insured against is a

high-severity, low-frequency event, such as an oil spill.

Example

For example, if we assume an actuarial analysis predicts the occurrence of an oil spill

within the next 10 years, the probability of such an event occurring in any one year within

that period is 1 in 10 (or 10%).


The oil producer could, of course, insure that risk by purchasing an annual insurance

policy.

If the risk did not occur in that first year, the oil producer would be out its premium, which

the insurance company would have invested to produce income for its shareholders.

The oil producer would then need to renew the insurance policy for the following year. If

the risk also did not materialize in that second year, the result would be the same as the

first, and this would continue for each year the annual policy is renewed and the oil spill

did not occur. Alternatively, the oil producer could procure at the outset a finite risk

contract that covers the entire 10-year period. If the oil producer and its insurer estimated

that the oil spill would occur in year seven, they could reduce to present value the

resulting liability.

In exchange for the payment of a premium approximating that liability estimate, the oil

producer and its insurer would agree to share the investment income generated by the

premium. The oil producer also would be entitled to deduct the premium paid at the

outset of the transaction and - if the insured risk did not materialize during the term of

the contract - to the return of a substantial portion of the premium paid.

These benefits have made finite risk products increasingly popular, despite the negative

press attention these products have received as a result of alleged abuse by certain

insurers and reinsurers.

Case study

Article by Rachel S. Kronowitz and Chidi J. Ogene - Legal Experts, USA

This article by Rachel S. Kronowitz and Chidi J. Ogene looks at alternative risk financing

with a slightly different focus, categorizing the options into:

1. Alternatives to insurance companies, and


2. Alternatives to insurance products.

"Organizations typically purchase insurance policies to mitigate risks. However,

businesses beset by higher premiums or by the inability of insurance companies to cover

their risks adequately have sought other options. Increasingly, they find that they can

manage risk using financial instruments and other arrangements in addition to insurance

policies. Known as alternative risk financing, these arrangements combine risk transfer

and risk retention techniques with self-insurance to provide alternative (or

complementary) options to traditional insurance.

Certain alternative risk financing techniques have been around for quite some time, and

their popularity has followed or been affected by the vagaries of the insurance market.

However, recent events have contributed to renewed, and quite possibly more

permanent, interest in alternative risk financing. For example, catastrophes such as the

WTC terrorist attacks of September 11, 2001, and natural disasters such as the 2005

tsunami and Hurricane Katrina have led many to believe that similar catastrophic events

will occur with increasing frequency and that the hardening of insurance markets that

occurred following these disasters threatens to be permanent.

In addition, recent corporate scandals led to the passage of the Sarbanes-Oxley Act of

2002, in USA, which requires chief executive officers and chief financial officers of publicly

traded companies to certify that their companies have adequate internal controls. This

statutory requirement has, in turn, convinced many companies of the value of a strategic,

business- wide approach to risk management and has also led to elimination of the

traditional barriers between a company's finances and insurance-buying operations.

These trends have prompted business executives to seek out other risk mitigation

options, such as alternative risk financing.


In this article, we will examine a variety of different alternative risk financing techniques

and products that companies now use to mitigate or transfer risk outside of the traditional

insurance-based model.

Study Questions.

1. What are the main goals of ART?

2. What does finite risk insurance mean and which products fall under it?

3. Define what multi-owner captive insurance companies are?

4. How is self-insurance done and how does it offer an ART mechanism?

CHAPTER 9: BUSINESS CONTINUITY MANAGEMENT


Introduction

This chapter looks at business continuity management, the differences between the

terms disaster, emergency and catastrophe. It also looks at disaster phases, the

emergency threats and the business continuity planning process.

Learning outcomes

After completion of this chapter you should be able to:

Explain what Business Continuity Management is

Give the differences between emergency, disaster and catastrophe

Give the major emergency threats

Explain the disaster phases

Describe the Business continuity management planning process.

Unit Structure

Definition of business continuity management

Emergency, disaster and catastrophe

Emergency threats

Disaster phases

Business continuity planning

Study guide

You are expected to have a proper understanding of how to identify and analyse loss

exposures.


9.1 DEFINITION OF BUSINESS CONTINUITY MANAGEMENT

Business continuity management (BCM) is a framework for identifying an organization's

risk of exposure to internal and external threats.

The goal of BCM is to provide the organization with the ability to effectively respond to

threats such as natural disasters or data breaches and protect the business interests of

the organization. BCM includes disaster recovery, business recovery, crisis management,

incident management, emergency management and contingency planning.

According to ISO 22301, a business continuity management system emphasizes the

importance of:

Understanding continuity and preparedness needs, as well as the necessity for

establishing business continuity management policy and objectives.

Implementing and operating controls and measures for managing an organization’s

overall continuity risks.

Monitoring and reviewing the performance and effectiveness of the business

continuity management system.

Continual improvement based on objective measurements.


Illustration of Business Continuity Management

9.2 EMERGENCY THREATS TO BUSINESS CONTINUITY

Emergency preparedness is a process. It’s not just about having a plan to do a fire drill

once a quarter, but how to keep the business going during and after a crisis. This fact

grows more relevant every day as companies face the challenges of a riskier society.

Business continuity is about ensuring your company is prepared for any crisis.


Before you get started with defining a business continuity plan, you must conduct a

vulnerability assessment to understand your company’s major weak points in the

response during a crisis and the subsequent recovery period. A business impact analysis

is a way to understand how threats will affect business functions. After documenting the

risks to your organization, research which tools such as an emergency notification

system, document storage, and training would be most critical for your emergency

prevention and disaster recovery.

The most common threats to consider in your emergency management plans are:

1. Workplace Violence

The threat of an active shooter entering into an office is a scary reality. What would your

employees do in the event a gunman started shooting in your building?


2. Winter Storms

As some countries continue to get hammered with snow and ice by winter storms, your

business needs to have a plan in place for employees to work remotely.

3. Hurricanes


If businesses learned anything from Hurricane Sandy, it’s the importance of having a

backup plan in place to continue operations well before a hurricane hits land.

4. Earthquake

The East Coast earthquake showed they can happen almost anywhere and most don’t

know what to do. Over 45 states in the U.S. are at risk for earthquakes. According to

FEMA, your risk can be assessed by considering your hazard, exposure, and vulnerability.

6. Office Fire

On Jan. 27, more than 200 people were killed when a fire broke out in a Brazilian

nightclub. Fire alarms, extinguishers and escape routes aren’t enough unless your

employees know what to do.

7. Wildfire

The ongoing drought plaguing the Midwest and Southern states since 2010 has cost the

economy more than $35 billion plus impacted the gross-domestic product by even more.

Another cause for concern is when dry conditions spark wildfires. In 2012, the Colorado

wildfire caused 32,000 people to be evacuated and destroyed hundreds of buildings. Is

your business located in one of the areas impacted by drought and at risk for wildfire?

8. Flood

Flooding is one of the most common natural disasters in the world and it can happen

pretty much anywhere at any time. But your office can flood simply by the sprinkler

system malfunctioning. Do you have your documents backed up in the event important

papers are destroyed in a flood?

9. Influenza

The Centers for Disease Control estimates up to 50,000 deaths from flu are possible in

2013. Our trained emergency management consultants have tips on how to prevent flu

from spreading in your office. The most important way to prevent the spread of disease


in your office is to encourage employees to stay at home at the first sign of illness, plus

have alcohol-based hand sanitizer located around the workspace. Your business

continuity plan should also focus on working with a depleted workforce.

10. Blackout

There are many different types of power outages in various ranges of severity but a key

component of handling a blackout is ensuring your data is secured in a location outside

the walls of your office. A full list of classifications of power outages, what to do in the

event of a blackout, and the subsequent recovery process is available

11. Cyber Attacks

12. Act of terrorism

13. New laws and regulations

14. IT-related threats continue to provide the greatest concern for organisations,

according to a new report published by the Business Continuity Institute (BCI), in

association with the British Standards Institution (BSI).

The annual BCI Horizon Scan has pitted such threats above other threats like natural

disasters, security incidents and industrial disputes.

Three quarters (77%) of business leaders said they fear the possibility of an unplanned IT

and telecoms outage, whilst 73% worry about the possibility of a cyber-attack or data

breach.

The report has also identified long-term trends, with 73% seeing the use of the internet

for malicious attacks as a major threat that needs to be closely monitored, and 63%

feeling the same way about the influence of social media.

9.3 EMERGENCY/DISASTER/CATASTROPHE


Emergency

An emergency is an unplanned event that significantly:

Disrupts normal operations

Poses serious threat to persons or property

Cannot be managed by routine response

Requires a quick and coordinated response across multiple

departments or divisions.

DISASTER

A disaster can be defined as an event of natural or manmade causes that leads to sudden

disruption within society, causing damage to life and property to such an extent that it is

beyond the capacity of normal social and economic mechanisms to cope with.

Industrial disaster

Industrial disasters are caused by chemical, mechanical, civil, electrical, or other process

failures due to accident, negligence or incompetence, in an industrial plant which may

spill over to the areas outside the plant causing damage to life and property.

Chemical disasters

Chemical disasters are occurrences of emission, fire or explosion involving one or more

hazardous chemicals in the course of industrial activity or storage or transportation or

due to natural events leading to serious effects inside or outside the installation likely to

cause loss of life and property, including adverse effects on the environment.

CATASTROPHE


Catastrophe is not the same as disaster. It is a sudden and widespread disaster: any

natural or manmade incident, including terrorism, that results in extraordinary levels of

mass casualties, damage or disruption severely affecting the population, infrastructure,

environment, economy, national morale, and/or government functions.

9.4 Phases of Disaster

A model to help emergency managers prepare for and respond to a disaster, also known

as the ‘life cycle’ of comprehensive emergency management, has been designed. The four

phases of disaster are: 1) mitigation; 2) preparedness; 3) response; and 4) recovery.

The model helps frame issues related to disaster preparedness as well as economic and

business recovery after a disaster. Each phase has particular needs, requires distinct tools,

strategies, and resources and faces different challenges. The issues addressed below

relate to the resiliency and recovery of the local economy and business community before

and after a major disaster.


Illustration of the four phases of disaster (figure content recovered as text):

MITIGATION: Pre-Disaster Mitigation Efforts

PREPAREDNESS: Education, Outreach and Training; Business Continuity & Emergency Management Planning

RESPONSE: Immediate Response to Stakeholders; Establish Business Recovery Centre

RECOVERY: Post-Disaster Economic Recovery Plan


Phases of Disaster

Mitigation

Mitigation involves steps to reduce vulnerability to disaster impacts such as injuries and

loss of life and property. This might involve changes in local building codes to fortify

buildings; revised zoning and land use management; strengthening of public

infrastructure; and other efforts to make the community more resilient to a catastrophic

event.

Preparedness


Preparedness focuses on understanding how a disaster might impact the community and

how education, outreach and training can build capacity to respond to and recover from

a disaster. This may include engaging the business community, pre-disaster strategic

planning, and other logistical readiness activities. The disaster preparedness

activities guide provides more information on how to better prepare an organization and

the business community for a disaster.

Response

Response addresses immediate threats presented by the disaster, including saving lives,

meeting humanitarian needs (food, shelter, clothing, public health and safety), cleanup,

damage assessment, and the start of resource distribution. As the response period

progresses, focus shifts from dealing with immediate emergency issues to conducting

repairs, restoring utilities, establishing operations for public services (including

permitting), and finishing the cleanup process.

Triage efforts assess and deal with the most pressing emergency issues. This period is

often marked by some level of chaos, which can last a month or more, depending on the

nature of the disaster and the extent of damage. Federal resources, such as action from

the Federal Emergency Management Agency (in the case of a major disaster declaration)

and non-profit resources such as the Red Cross are deployed immediately.

Business re-entry into the economy begins during this phase. Businesses initially may

face issues with access to their site, preliminary damage assessment, and

communications with staff, vendors, suppliers and customers. Ongoing issues may

include access to capital and workers, the repair of damaged property or inventory, and

a diminished customer base. It is in this phase that the long-term future of a region’s business

base will be saved or lost.

Business Recovery Centres are quickly set up in a community to centralize small business

recovery resources.


RECOVERY

Recovery is the fourth phase of disaster and is the restoration of all aspects of the

disaster’s impact on a community and the return of the local economy to some sense of

normalcy. By this time, the impacted region has achieved a degree of physical,

environmental, economic and social stability.

The recovery phase of disaster can be broken into two periods. The short-term phase

typically lasts from six months to at least one year and involves delivering immediate

services to businesses. The long-term phase, which can range up to decades, requires

thoughtful strategic planning and action to address more serious or permanent impacts

of a disaster. Investment in economic development capacity building becomes essential

to foster economic diversification, attain new resources, build new partnerships and

implement effective recovery strategies and tactics. Communities must access and deploy

a range of public and private resources to enable long-term economic recovery.

9.5 BUSINESS CONTINUITY MANAGEMENT PLANNING

Business continuity planning (or business continuity and resiliency planning) is the

process of creating systems of prevention and recovery to deal with potential threats to

a company.

Any event that could negatively impact operations is included in the plan, such as supply

chain interruption, loss of or damage to critical infrastructure (major machinery or

computing /network resource). As such, risk management must be incorporated as part

of BCP.


Illustration of Business Continuity Management planning lifecycle.

ANALYSIS

The analysis phase consists of impact analysis, threat analysis and impact scenarios.

Business impact analysis (BIA)

A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-

urgent) organization functions/activities. Critical functions are those whose disruption is

regarded as unacceptable. Perceptions of acceptability are affected by the cost of

recovery solutions. A function may also be considered critical if dictated by law. For each

critical (in scope) function, two values are then assigned:

Recovery Point Objective (RPO) – the acceptable latency of data that will not be

recovered. For example, is it acceptable for the company to lose 2 days of data?

Recovery Time Objective (RTO) – the acceptable amount of time to restore the

function.

The recovery point objective must ensure that the maximum tolerable data loss for each

activity is not exceeded. The recovery time objective must ensure that the Maximum

Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
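As an added illustration of the two BIA values and the MTPoD constraint (example code, not part of the text), this Python check compares each critical function's RPO and RTO with the backup schedule actually in place and with the restore time measured in the last DR test; the function names, objectives, capabilities and incident time are constructed sample data.

```python
"""BIA recovery-objective checks: an added example with constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    rpo: timedelta    # Recovery Point Objective: acceptable latency of unrecovered data
    rto: timedelta    # Recovery Time Objective: acceptable time to restore the function
    mtpod: timedelta  # Maximum Tolerable Period of Disruption


@dataclass(frozen=True)
class RecoveryCapability:
    """What the organisation can actually deliver for one function."""
    backup_interval: timedelta      # how often the function's data is captured
    last_backup: datetime           # last successful backup before the incident
    tested_restore_time: timedelta  # restore duration measured in the last DR test


def assess(func, cap, incident_time):
    """Return a list of (code, message) findings; an empty list means objectives are met.

    RTO_EXCEEDS_MTPOD  the objectives themselves are inconsistent (RTO must not exceed MTPoD)
    RPO_NOT_MET        the backup schedule cannot keep data loss within the RPO
    RTO_NOT_MET        the tested restore time is longer than the RTO
    """
    findings = []
    if func.rto > func.mtpod:
        findings.append(("RTO_EXCEEDS_MTPOD",
                         f"{func.name}: RTO {func.rto} exceeds MTPoD {func.mtpod}"))
    # Data lost in this incident is everything since the last backup. In the worst case an
    # incident strikes just before the next backup, so a whole interval is lost; the plan
    # has to hold for that case, not just for today's timing.
    actual_loss = incident_time - cap.last_backup
    worst_case_loss = max(actual_loss, cap.backup_interval)
    if worst_case_loss > func.rpo:
        findings.append(("RPO_NOT_MET",
                         f"{func.name}: up to {worst_case_loss} of data lost, RPO is {func.rpo}"))
    if cap.tested_restore_time > func.rto:
        findings.append(("RTO_NOT_MET",
                         f"{func.name}: tested restore {cap.tested_restore_time} exceeds RTO {func.rto}"))
    return findings


def assess_all(functions, capabilities, incident_time):
    """Map each critical function name to its findings."""
    return {f.name: assess(f, capabilities[f.name], incident_time) for f in functions}


def restore_deadline(func, incident_time):
    """Latest moment the function must be back: the RTO counted from the incident."""
    return incident_time + func.rto


# Constructed sample BIA output and capabilities (not from the text or any real organisation).
SAMPLE_INCIDENT = datetime(2024, 3, 1, 10, 0)
SAMPLE_FUNCTIONS = [
    CriticalFunction("order processing", rpo=timedelta(hours=4), rto=timedelta(hours=8),
                     mtpod=timedelta(hours=24)),
    CriticalFunction("payroll", rpo=timedelta(hours=24), rto=timedelta(hours=48),
                     mtpod=timedelta(hours=24)),
    CriticalFunction("customer portal", rpo=timedelta(hours=1), rto=timedelta(hours=2),
                     mtpod=timedelta(hours=8)),
]
SAMPLE_CAPABILITIES = {
    # nightly backup only: a 4-hour RPO cannot be met
    "order processing": RecoveryCapability(timedelta(hours=24), datetime(2024, 3, 1, 2, 0),
                                           timedelta(hours=6)),
    # objectives inconsistent: a 48-hour RTO is longer than the 24-hour MTPoD
    "payroll": RecoveryCapability(timedelta(hours=24), datetime(2024, 2, 29, 22, 0),
                                  timedelta(hours=20)),
    # 15-minute replication and a 90-minute tested restore: all objectives met
    "customer portal": RecoveryCapability(timedelta(minutes=15), datetime(2024, 3, 1, 9, 30),
                                          timedelta(minutes=90)),
}

if __name__ == "__main__":
    results = assess_all(SAMPLE_FUNCTIONS, SAMPLE_CAPABILITIES, SAMPLE_INCIDENT)
    for name, findings in results.items():
        status = "OK" if not findings else "; ".join(msg for _, msg in findings)
        print(f"{name}: {status}")
```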


Next, the impact analysis results in the recovery requirements for each critical function.

Recovery requirements consist of the following information:

The business requirements for recovery of the critical function, and/or

The technical requirements for recovery of the critical function

Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery

steps. Common threats include:

Epidemic

Earthquake

Fire

Flood

Cyber attack

Sabotage (insider or external threat)

Hurricane or other major storm

Utility outage

Terrorism/Piracy

War/civil disorder

Theft (insider or external threat, vital information or material)

Random failure of mission-critical systems

Power cut

The impact of an epidemic can be regarded as purely human, and may be alleviated with

technical and business solutions. However, if people behind these plans are affected by

the disease, then the process can stumble.


Impact scenarios

After identifying the applicable threats, impact scenarios are considered to support the development of a business recovery plan. Business continuity testing plans may document scenarios for each identified threat and impact scenario. More localized impact scenarios, for example loss of a specific floor in a building, may also be documented. The BC plans should reflect the requirements to recover the business from the widest plausible damage. The risk assessment should cater to developing impact scenarios that are applicable to the business or the premises in which it operates. For example, it might not be logical to consider a tsunami in the Middle East region since the likelihood of such a threat is negligible.

Recovery requirement

After the analysis phase, business and technical recovery requirements precede the

solutions phase. Asset inventories allow for quick identification of deployable resources.

For an office-based, IT-intensive business, the plan requirements may cover desks, human

resources, applications, data, manual workarounds, computers and peripherals. Other

business environments, such as production, distribution, warehousing etc. will need to

cover these elements, but likely have additional issues.

The robustness of an emergency management plan is dependent on how much money an

organization or business can place into the plan. The organization must balance realistic

feasibility with the need to properly prepare. In general, every $1 put into an emergency

management plan will prevent $7 of loss.[8]

SOLUTION DESIGN

The solution design phase identifies the most cost-effective disaster recovery solution

that meets two main requirements from the impact analysis stage. For IT purposes, this


is commonly expressed as the minimum application and data requirements and the time

in which the minimum application and application data must be available.

Outside the IT domain, preservation of hard copy information, such as contracts, skilled

staff or restoration of embedded technology in a process plant must be considered. This

phase overlaps with disaster recovery planning methodology. The solution phase

determines:

crisis management command structure

secondary work sites

telecommunication architecture between primary and secondary work sites

data replication methodology between primary and secondary work sites

applications and data required at the secondary work site

physical data requirements at the secondary work site.

IMPLEMENTATION

The implementation phase involves policy changes, material acquisitions, staffing and

testing.

TESTING AND ORGANIZATIONAL ACCEPTANCE

The purpose of testing is to achieve organizational acceptance that the solution satisfies

the recovery requirements. Plans may fail to meet expectations due to insufficient or

inaccurate recovery requirements, solution design flaws or solution implementation

errors. Testing may include:

Crisis command team call-out testing

Technical swing test from primary to secondary work locations

Technical swing test from secondary to primary work locations

Application test


Business process test

MAINTENANCE

The biannual or annual maintenance cycle of a BCP manual is broken down into three periodic activities.

Confirmation of information in the manual, roll out to staff for awareness and specific

training for critical individuals.

Testing and verification of technical solutions established for recovery operations.

Testing and verification of organization recovery procedures.

Issues found during the testing phase often must be reintroduced to the analysis phase.

Information/targets

The BCP manual must evolve with the organization. Activating the call tree verifies the

notification plan's efficiency as well as contact data accuracy. Like most business

procedures, business continuity planning has its own jargon. Organization-wide

understanding of business continuity jargon is vital and glossaries are available.[9] Types

of organisational changes that should be identified and updated in the manual include:

Staffing

Important clients

Vendors/suppliers

Organization structure changes

Company investment portfolio and mission statement

Communication and transportation infrastructure such as roads and bridges

Technical

Specialized technical resources must be maintained. Checks include:


Virus definition distribution

Application security and service patch distribution

Hardware operability

Application operability

Data verification

Data application

Testing and verification of recovery procedures

As work processes change, previous recovery procedures may no longer be suitable.

Checks include:

Are all work processes for critical functions documented?

Have the systems used for critical functions changed?

Are the documented work checklists meaningful and accurate?

Do the documented work process recovery tasks and supporting disaster recovery

infrastructure

Study questions

1. Give the detailed explanation of business continuity management.

2. Differentiate between disaster and catastrophe.

3. Explain the phases of disaster.

4. What falls under the business continuity planning process?

5. Give the major emergency threats in business continuity.


CHAPTER 10. ENTERPRISE RISK MANAGEMENT

Introduction

Enterprise risk management is a comprehensive risk management program that addresses an organization's pure risks, speculative risks, strategic risks and operational risks. By packaging all of these risks in a single program, the organization offsets one risk against another and in the process reduces its overall risk.

Learning Outcomes

After completion of this chapter you should be able to:

Explain what Enterprise Risk Management is all about

Give the limitations of Enterprise Risk Management

Show how ERM impacts on management practices

Describe the ERM process

Unit Structure

Enterprise Risk Management definitions and its application

Limitations of Enterprise Risk Management

ERM impact on management practices

Other ways that ERM can contribute to value creation

ERM process

Study Guide

You are expected to have a clear understanding of the risk management process and the concept of risk management.


10.1. ENTERPRISE RISK MANAGEMENT DEFINITIONS AND ITS APPLICATIONS (CII 3/7 & 3/10)

In chapter 2 we saw that risk management in an organization is an integrated process

aimed at identifying and controlling risks that may affect the achievement of corporate

goals. It depends on:

• a clear statement of objectives from the board of directors;

• a systematic approach to risk identification in changing circumstances;

• an analysis of risks against criteria set by the board; and

• effective management of selected risks.

Responsibility for risk management remains with the board, so there is a need for a clear communication and reporting structure. The purpose of this is twofold: to assure the board that the system is working as intended and to enable them to exercise the necessary control.

The structure an organization sets up to control risk management across the whole of its

organization is known as enterprise risk management (ERM). As well as being a framework

to control risk management activities, ERM systems allow all the risks involved in an

organisation to be looked at together and from different perspectives. This is known as a

holistic approach.

ERM has been recognized as an important element of strong corporate governance.

Today its use in large organizations is internationally supported by laws, regulations and

compliance requirements. For large or public organizations, ERM is no longer an option.

Moreover, all public companies are required to report on risk factors, and potential

investors and their advisers will take into account how well risk management standards


are applied. Regulators demand effective ERM and stakeholders such as lenders,

customers, suppliers and staff organizations often ask for evidence that risk taking is

under control.

As a result, it is important that not only must ERM systems be in place and working, they

must be seen and proved to be working by independent assessors. Regular audits are

essential, not only to provide assurance that processes function to specified standards,

but also to monitor results.

However, successful risk management is not just about compliance and assurance. There are a number of benefits that successful risk management provides, including:

• better informed strategic decisions;

• successful management of change and higher operational efficiency;

• more accurate financial reporting;

• reduced borrowing costs; and

• improved competitive advantage.

Small and medium-sized organizations may not have the resources to implement full ERM

systems and may not have pressure from outside to conform. However, similar

advantages can accrue for any organisation prepared to analyze all types of risk on a

regular basis, even if their systems are skeletal and concentrate only on significant items.

A successful ERM system has two key elements:

First is a workable framework clarifying functional responsibilities and interactions, and the systems for internal communication, reporting and control.

Second, personalizing this framework, is a set of terms of reference for key staff. This clarifies individual requirements for communications, reporting and control.

The ERM framework is important. It shows how essential functions of an organisation combine to create an integrated system for managing risk across the whole organisation. It specifies required information flows and procedures for achieving them. It identifies where overlapping responsibilities might occur and, together with job descriptions, clarifies who is responsible for initiating action plans and ensuring their success.

ERM is a dynamic management system which requires that people be organized and trained to carry out delegated tasks within specified boundaries and specified communication and reporting channels.

However, this takes place in an environment that is subject to continual change. Maintaining the integrity of the framework throughout a large organisation is often a full-time task, requiring constant monitoring of the system to see if it is working and measurement of performance against intended results.

In a typical ERM system, a group risk management function would be responsible for:

• setting up and maintaining the ERM framework; and


• managing all risk management functions within the group.

The head of this function might be called chief risk officer, group risk manager or some

equivalent title. The chief risk officer would fulfil their responsibilities through a number

of subordinate risk officers, each with a designated area of interest and specified tasks to

address. In large organizations a number of risk officers could be supervised by an

intermediate risk manager if appropriate.

Depending on the organisation, the group risk management can be a central

coordinating and collation unit, and will have the minimum number of staff required

to operate efficiently. Individual function managers would still own processes,

controls and technical aspects of all work related to their function, but would liaise

with group risk management when reviewing risk controls.

10.2. Limitations of Enterprise Risk Management

ERM does not provide absolute assurance that the organization's objectives will be met, as actual risk events are subject to the uncertainty of the future. Instead, ERM identifies and monitors risk events deemed significant to the organization's mandates.

Further, ERM is limited by the imperfections of the people entrusted with its

implementation.

Five factors influence the quality of ERM:

1. Judgment: Human judgment can falter under the pressures of time and information

constraints.


2. Breakdowns: Mistakes and errors can result from fatigue, distractions, or lack of

training and experience.

3. Collusion: Two or more individuals may collude to circumvent controls, conceal activity

or alter data.

4. Cost versus Benefit: The benefit of a risk concern must be weighed against resource

constraints. Valuation of costs and benefits may be directly measurable or may be

subjective assessments.

Example

For example, the cost of a training program to assess creditworthiness is quantifiable,

whereas customer response to cumbersome qualification procedures is not.

5. Management Override: Management override suspends prescribed controls for

illegitimate purposes. Whereas management intervention may be necessary for

processing exceptional transactions, management override misuses authority for

proscribed activities.

10.3. ERM impact on Management practices

Enterprise Risk Management standards must accommodate a range of company

environments from small to large, decentralized to hierarchical, and informal to formal

lines of authority. Also, because different industries face, and tolerate, different risk profiles, controls that are appropriate for one industry may not be meaningful to another.

Rather than controlling risk from a canned prescription, a company’s management team

must design ERM around a set of guiding principles.


The company's mind-set toward ERM determines the efficacy of the risk management.

Developing a culture of risk management rallies company-wide cooperation, talent and

expertise to bear on any and every aspect of risk.

Perhaps no single effort can produce greater results than developing the risk management culture: training, supporting, communicating, and compensating risk-smart behavior.

Employees persuaded of the company's attitude toward risk can contribute to the design

of risk practices within their areas of expertise and are better equipped to detect hidden

risks in routine operations.

With an ERM infrastructure in place, line management can be relied on to perform the

initial risk analysis. Competent managers, already experts in their unit's role within the

company, can fold risk controls into business decisions to protect the company from

inappropriate risk exposure.

Under a strong RM culture, the value of RM is broadly recognized within the company

and no competent manager would suggest a product that inappropriately exposed the

company to risk.

The results of the risk analysis may or may not roll up to the formal ERM team depending

on how they can be used; the analysis may facilitate the unit's own business decisions, or

it may reveal risks that should be considered in aggregate with the company's portfolio

of risk by the ERM team's executive management.

Ideally, risk information is shared where risks are most strongly linked. To be truly

embedded in the company culture, ERM must have a voice at the executive management

level.


The board of directors is responsible for making certain that senior management

establishes RM strategies that optimize available resources. Senior management must

have sufficient knowledge of and expertise in the company's activities to develop RM

systems and controls and to judge their success.

As an ERM expert serving at the executive level, the Chief Risk Officer (CRO) establishes a

channel for two-way communication throughout the organisation. Responsibility for RM

must be independent of risk-taking functions to prevent conflicts of interest.

The role of oversight for ERM must be clearly documented, and relationships between

compliance, internal audit and management functions should be unambiguous.

Company culture, involvement by line management, two-way communication, support at

the executive level, and expert use of appropriate ERM guidelines determine the efficacy

of RM in achieving the company's goals. Once in place, the ERM team charged with

overseeing RM affords the company an enterprise wide view of opportunities and threats.

By understanding individual unit risk, or silo risk, and by assessing the individual risks in

aggregate, the ERM team can evaluate an accurate cost of the company's risk exposure.

The company can then charge back the cost of risk to the individual business units by

requiring them to hold appropriate reserves (economic capital). Equivalent to the capital

budgeting process, the allocation of risk capital according to the reserve requirement

achieves an efficient use of company resources.

The ERM team can yet again add value by taking further advantage of the portfolio view

of risk. The mitigation of silo risk viewed through the lens of corporate strength may

reveal opportunities for new products and investment strategies that would otherwise

remain hidden.


Diversification of division risk may expose lucrative opportunities for the company in

instances that show no or negative significance for the individual unit; pooled risks

present a different profile than the constituent risks at the individual level, as discussed

in the Introduction-Enterprise Risk Management Defined.

As an example of integrating risk management across an organisation, consider a company's liquidity, its ability to raise cash. This key element of financial strength can be a source of profit or a drain. Failure to meet obligations can quickly throw a company into financial ruin.

Yet even generous reserves and economic capital cannot obviate liquidity risk. Instead,

an oversupply of cash may harm the company by tying up limited resources needed to

realize the company's objectives. A well-designed risk management strategy is essential

to preparing for uncertain events without undermining corporate strength.

10.4. Other ways that ERM can contribute to value creation

In the past decade, there have been many mergers of companies of all sizes. Companies have combined with companies within their industry as well as outside their industry, e.g. banks with insurance companies. When a company is small, there are few employees and even fewer at the helm. It is easy for a handful of people to manage both the assets and liabilities at small companies.

Whether or not the assets and liabilities are properly handled is another matter. However,

as companies grow, more people are employed to run the different departments that

begin to emerge. Along with the growing pains, employees begin to have a better

understanding of their particular department but tend to know less and less about the


workings and issues of other departments. This compartmentalization magnifies with

growth and mergers.

Large companies tend to have departments just to manage debt portfolios, equity portfolios, and different product lines, e.g. life versus health, and the very large companies have companies within companies. Although practitioners of each component of an enterprise may be quite skilled, there must be an overall risk management plan and system for the entire enterprise.

All enterprises have operational and financial risks thereby needing capital to cover these

risks. Managing capital implies that there will be enough financial resources to cover

operational and financial risk and managing risk implies that operational and financial

risks are covered by capital. Thus, efficiently managing capital and risk together is

essential to survival and will reduce the enterprise risk.

The first step is to outline the risks of the firm and quantify each one. Next, a dynamic financial model can be developed. Most importantly, the model should recognize all sources of capital available, including equity (for capital adequacy), debt (for financial leverage), and insurance (for risk leverage).

F. Organizational objectives for pursuing ERM

1. Competitive advantage

For organizations that are in the business of taking risks, risk management plays a crucial

role in the success and survival of the organizations. Traditionally, companies treat

different types of risks as separate matters and deal with them independently. Enterprise


Risk Management, on the contrary, treats all risks as a combined portfolio and manages

them holistically.

This holistic approach agrees with the Modern Portfolio Theory, which states that it is

possible to construct a portfolio that is reasonably safe even if it contains a number of

uncorrelated high-risk investments.

Organizations using integrated ERM obviously have competitive advantages over

companies using traditional risk management in the sense that ERM not only passively

engages risk controls, but also actively pursues risk optimizations, which further

translates into value creation.

2. Strategic goals

In order to succeed, organizations need to set business strategies, both offensive and

defensive. Sometimes being a market pioneer and taking on specific risks might pave the

way to become the market leader. However, an organization needs to make sure it

understands what it gets itself into before jumping in.

On the other hand, merely maintaining the market share and playing safe might not be

the best way to utilize capital. ERM can influence business strategies by identifying

potential adjustments related to previously unidentified opportunities and risks.

In addition, ERM provides a way for senior executives not only to translate the vision into sound strategies, but also to make sure these strategies achieve sustainable competitive advantages.

Aligning ERM resources and actions with the business strategy can maximize

organizational effectiveness. Moreover, by linking ERM with business strategy, the risk

process can be carried out in the context of where a business is headed, not just based

on where it is today.


3. Shareholder value

Enterprise Risk Management can help an organisation achieve its business objectives and

maximize shareholder value. Companies that undertake a risk based program for

shareholder value management typically can add 20 to 30 percent or more to

shareholder value.

Tip

A 1998 study by George Allayannis and James Weston has suggested that active risk

management contributes to shareholder value.

Risk management adds value not only to individual companies, but also supports overall

economic growth by lowering the cost of capital and reducing the uncertainty of

commercial activities.

Organizations that develop an ERM framework for linking critical risks with business

strategies can become highly formidable competitors in the quest to add value for

shareholders.

4. Transparency of management (reduction of agency costs)

ERM involves:

Setting risk appetite and policy,

Determining organizational structure, and

Establishing corporate culture and values

These three tasks are closely allied to the work of the board. With ERM in place, they can

be more easily communicated to the employees and further increase the transparency of


management. Senior executives with a significant portion of their wealth tied up in

company stocks and options have a direct financial interest in the success and survival of

the firm. These incentives, if structured appropriately, work to put the "skin in the game"

for managers, resulting in a strong alignment between management and shareholder

interests.

Risk management provides managers with a higher degree of job security and protects

their financial interests in their firm. This substantially reduces the agency cost.

5. Decision-making

In order to make sound and effective decisions, senior managers need sufficient

information. When making business decisions, risk adjusted return plays an important

role. Senior managers need to evaluate business opportunities based on not only total

returns, but also the risks associated with them, i.e., risk adjusted return.

ERM, which controls risks in a combined portfolio approach, substantially enhances the

decision making process. Furthermore, ERM requires the integration of risk management

into the business processes of a company. Rather than the defensive or control-oriented

approaches used to manage downside risk and earnings volatility, ERM optimizes

business performance by supporting and influencing pricing, resource allocation, and

other business decisions. It becomes an offensive weapon.

6. Policyholder as a stakeholder

When people think about a company's stakeholders, they often think only about those

who hold its equity and perhaps those who hold its debt. However, a truer picture is that

the stakeholders include any group or individual that supports and participates in the

survival and success of a company.


In the case of an insurance company, individual policyholders are an important

stakeholder. After all, an insurance company cannot survive without policyholders, and

hence there is obviously a great need for customer management. For traditional

insurance business, a company normally incurs upfront investment when issuing a policy

and it needs to keep policies in force to recoup the cost.

With an ERM infrastructure in place, the insurance company can improve the risk

transparency to regulators, rating agencies and equity analysts. Through timely and

effective communication and reporting, the insurance company provides assurance to its

policyholders that appropriate risk management strategies are in effect. Policyholders, as

a stakeholder, will have confidence in the company's ability to meet future obligations

and are less likely to lapse.

10.5. ERM Process


ERM process

The activities of ERM can be organized into four themes, as shown in Diagram 2: risk control, strategic risk management, catastrophic risk management and risk management culture.

Diagram 2: Activities of ERM


1. Risk control

Definition

Risk Control is the process of identifying, monitoring, limiting, avoiding, offsetting and

transferring risks.

The primary objective of Risk Control is to maintain the risks that have been retained by

the enterprise at levels that are consistent with company risk appetites and company

plans.

Risk Control is most effective if it is applied universally throughout the organisation, but

can still be very useful if applied separately to divisions or business units of an enterprise.

2. Strategic risk management

Definition



Strategic Risk Management is the process of reflecting risk and risk capital in the strategic

choices that a company makes.

Strategic Risk Management usually has as its objective the optimization of risk adjusted

results for the organisation. That is accomplished by choosing the strategic alternatives

that have the best return for the level of risk that is associated with them.

Strategic Risk Management is only effective if it is applied universally throughout the organisation. In fact, uneven application of Strategic Risk Management can actually hurt the risk adjusted return of the company by thwarting options with moderate risk reward profiles in areas that are practicing Strategic Risk Management while allowing areas without Strategic Risk Management discipline to pursue plans that have poor risk adjusted returns.

The Risk Control process is used in conjunction with the Strategic Risk Management

process to ensure that risks that are retained by the company do not exceed expectation

during implementation of the company's plans.

3. Catastrophic risk management

Definition

Catastrophic Risk Management is the process of envisioning and preparing for extreme events that could threaten the viability of the enterprise.

The primary objective of Catastrophic Risk Management is to anticipate potential

disasters that could destroy the enterprise for the purpose of developing contingency

plans to minimize the impact of those disasters on the enterprise and to produce the

environmental monitoring that would provide potential advance warning of the disasters.


Catastrophic Risk Management Process involves:

a) Trend analysis

Looking for patterns that suggest potential emergence of negative situations

b) Stress testing

Determine the impact on the firm of imagined extreme adverse scenarios. Impacts include financial, reputational, regulatory, credit ratings, etc. Stress tests are often repeated periodically and changes in the impact on the company from successive tests are noted.

c) Contingency planning

For some or all of the scenarios that are being stress tested and/or are suspected

possibilities from trend analysis, the company develops a set of specific action plans

detailed enough to be helpful in a fast moving situation, but flexible enough to be useful

in an emergency that is not exactly the same as what was anticipated.

d) Active catastrophic risk management

When catastrophe strikes, the firm is prepared to take decisive timely action and clear

communications to all stakeholders and media about those actions and does initiate and

complete those actions and communications effectively.

e) Problem post mortem

After any serious problem situation, whether it results in a loss or the loss is forestalled by the ERM process, the firm uses the situation as a learning opportunity, identifies what went well and poorly with the ERM process, and communicates that learning broadly.

f) Catastrophic risk transfer

Involves consideration of insurance or capital markets transactions that would transfer

catastrophic risk exposure to either insurance companies or the capital markets.


4. Risk management culture

Definition

Risk Management Culture is the general approach of the firm to dealing with its risks.

A positive Risk Management Culture will incorporate ERM thinking automatically into all

management decision making.

The primary objective of Risk Management Culture is to create a situation where

Operational, Strategic and Catastrophic Risk Management take place in an organization

without the direct oversight or intervention of the Risk Officer or the Risk Committee.

In a positive Risk Management Culture, management across the firm will be aware of the

risk tolerance, the risk governance process and the return for risk expectations of the firm.

Who are your stakeholders and what do they demand?

Key stakeholders would include the board of directors and management, employees,

policyholders and stockholders. Each type of stakeholder has a different perspective that

influences what each considers most important. However, the company mission/culture

will exert strong influence--

Establishing the organization’s risk management culture will help create a shared high-

level view by all key stakeholders that will promote consistent goals, better decision-

making, coordinated efforts and greater results.

10.6 Case Study

“Higgins? My office now!” Those words summoned risk manager Chuck Higgins to the office of Steve Davis, president of Third National Bank, six months ago. When he was hired,


Higgins pledged to institute an enterprise risk management program at the bank. When

Higgins responded to the president’s message, he got fired!

After joining the bank, Higgins reviewed the traditional property, liability, and personnel-related loss exposures faced by the bank. When he tried to learn about the bank's financial risks, the chief loan officer and chief financial risks. He was angry when he learned that 30 percent of the bank's mortgage loans were in default, and the bank would have to take a $25 million charge for bad mortgage loans. He was livid when he learned the bank would have to pay $20 million to a hedge fund because the bank guaranteed that an auto parts company would not default on bonds it issued.

When news of the mortgage loan write-off and loan guarantee loss became public, the

bank’s stock price plummeted. As discussed in chapter 3, a risk manager’s job involves

more than simply purchasing insurance. A risk manager must identify the loss exposures

faced by the organization, analyze those exposures, select and implement a combination

of risk treatment measures, and monitor the success of the risk management program.

This chapter builds on the discussion of risk management in chapter 3 and discusses some

advanced topics in risk management. Topics discussed include the changing scope of risk

management, insurance market dynamics, loss forecasting, financial analysis in risk

management decision making, and application of several risk management tools.

Study Questions.

Explain what ERM is all about

How does ERM impact on Management Practices?

What are some of the Limitations of ERM?

Give the ways that ERM can contribute to value creation.
