Risk management is a systematic process of identifying and assessing company risks and taking actions to protect a company against them. Some risk managers define risk as the possibility that a future occurrence may cause harm or losses, while noting that risk also may provide possible opportunities. By taking risks, companies sometimes can achieve considerable gains. However, companies need risk management to analyze possible risks in order to balance potential gains against potential losses and avoid expensive mistakes. Risk management is best used as a preventive measure rather than as a reactive measure. Companies benefit most from considering their risks when they are performing well and when markets are growing in order to sustain growth and profitability.
The task of the risk manager is to predict, and enact measures to control or prevent, losses within a company. The risk-management process involves identifying exposures to potential losses, measuring these exposures, and deciding how to protect the company from harm given the nature of the risks and the company's goals and resources. While companies face a host of different risks, some are more important than others. Risk managers determine their importance and ability to be affected while identifying and measuring exposures. For example, the risk of flooding in Arizona would have low priority relative to other risks a company located there might face. Risk managers consider different methods for controlling or preventing risks and then select the best method given the company's goals and resources. After the method is selected and implemented, the method must be monitored to ensure that it produces the intended results.
The field of risk management emerged in the mid-1970s, evolving from the older field of insurance management. The term risk management was adopted because the new field has a much wider focus than simply insurance management. Risk management includes activities and responsibilities out-side of the general insurance domain, although insurance is an important part of it and insurance agents often serve as risk managers. Insurance management focused on protecting companies from natural disasters and basic kinds of exposures, such as fire, theft, and employee injuries, whereas risk management focuses on these kinds of risks as well as other kinds of costly losses, including those stemming from product liability, employment practices, environmental degradation, accounting compliance, offshore outsourcing, currency fluctuations, and electronic commerce. In the 1980s and 1990s, risk management grew into vital part of company planning and strategy and risk management became integrated with more and more company functions as the field evolved. As the role of risk management has increased to encompass large-scale, organization-wide programs, the field has become known as enterprise risk management.
Company managers have three general options when it comes to choosing a risk manager:
Because risk management has become a significant part of insurance brokering, many insurance agents work for fees instead of for commissions. To choose the best type of risk manager for their companies, managers should consider the company's goals, size, and resources.
Managers also should be aware of the types of risks they face. Common types of risks include automobile accidents, employee injuries, fire, flood, and tornadoes, although more complicated types such as liability and environmental degradation also exist. Furthermore, companies face a number of risks that stem primarily from the nature of doing business. In Beyond Value at Risk, Kevin Dowd sums up these different types of risks companies face by placing them in five general categories:
In addition, environmental risks constitute a significant and growing area of risk management, since reports indicate the number and intensity of natural disasters are increasing. For example, the periodical Risk Management reported that there were about five times as many natural disasters in the 1990s as in the 1960s. The year 2004 was one of the worst in history, with three major hurricanes hitting the state of Florida and a tsunami causing death and devastation in the Pacific Rim. Some observers blame the rising number of natural disasters on global warming, which they believe will cause greater floods, droughts, and storms in the future.
Furthermore, any given risk can lead to a variety of losses in different areas. For example, if a fire occurs, a company could lose its physical property such as buildings, equipment, and materials. In this situation, a company also could lose revenues, in that it could no longer produce goods or provide services. Furthermore, a company could lose human resources in such a disaster. Even if employees are not killed or injured, a company would still suffer losses because employers must cover benefits employees draw when they miss work.
One way managers can assess the risks of doing business is by using the risk calculator developed by Robert Simons, a professor at the Harvard Business School. Although the risk calculator is not a precise tool, it does indicate areas where risks and potential losses exist, such as the rate of expansion and the level of internal competition. Using the risk calculator, managers can determine if their company has a safe or dangerous amount of risk. The risk calculator measures three kinds of internal pressures: risk stemming from growth, corporate culture, and information management. Rapid growth, for example, could be a risk and lead to losses, because if a company grows too quickly, it may not have enough time to train new employees adequately. Hence, unchecked growth could lead to lost sales and diminished quality.
Managers can assess the increased risk associated with growth by determining if sales goals are set by top management without input from employees. If a company sets sales goals in this manner, then it has a high level of risk in that the goals may be too difficult for employees to meet. In cases where employees feel extreme pressure in trying to achieve goals, they may take unnecessary risks. Similarly, companies that rely heavily on performance-based pay also tend to have higher levels of risk.
To assess risk arising from corporate culture, managers should determine what percentage of sales comes from new products or services developed by risk-taking employees. If the percentage is high, then the amount of risk is also high, because such a company depends significantly on new products and the related risks. In addition, a corporate culture that allows or encourages employees to work independently to develop new products increases company risk, as does a high rate of new product or service failures.
Finally, managers can determine business risks resulting from information management by determining if they and their subordinates spend a lot of time gathering information that should already be available. Another way of assessing these risks is by managers considering whether they look at performance data frequently and whether they notice if reports are missing or late.
Risk managers rely on a variety of methods to help companies avoid and mitigate risks in an effort to position them for gains. The four primary methods include exposure or risk avoidance, loss prevention, loss reduction, and risk financing. A simple method of risk management is exposure avoidance, which refers to avoiding products, services, or business activities with the potential for losses, such as manufacturing cigarettes. Loss prevention attempts to root out the potential for losses by implementing such things as employee training and safety programs designed to eradicate risks. Loss reduction seeks to minimize the effects of risks through response systems that neutralize the effects of a disaster or mishap.
The final option risk managers have is to finance risks, paying for them either by retaining or transferring their costs. Companies work with risk managers insofar as possible to avoid risk retention. However, if no other method is available to manage a particular risk, a company must be prepared to cover the losses—that is, to retain the losses. The deductible of an insurance policy is an example of a retained loss. Companies also may retain losses by creating special funds to cover any losses.
Risk transferring takes place when a company shares its risk with another party, such as an insurance provider, by getting insurance policies that cover various kinds of risk that can be insured. In fact, insurance constitutes the leading method of risk management. Insurance policies usually cover (a) property risks such as fire and natural disasters, (b) liability risks such as employer's liability and workers' compensation, and (c) transportation risks covering air, land, and sea travel as well as transported goods and transportation liability. Managers of large corporations may decide to manage their risks by acquiring an insurance company to cover part or all of their risks, as many have done. Such insurance companies are called captive insurers.
Risk managers also distinguish between preloss and postloss risk financing. Preloss risk financing includes financing obtained in preparation for potential losses, such as insurance policies. With insurance policies, companies pay premiums before incurring losses. On the other hand, postloss financing refers to obtaining funds after losses are incurred (i.e., when companies obtain financing in response to losses). Obtaining a loan and issuing stocks are methods of postloss financing.
During the implementation phase, company managers work with risk managers to determine the company goals and the best methods for risk management. Generally, companies implement a combination of methods to control and prevent risks effectively, since these methods are not mutually exclusive, but complementary. After risk management methods have been implemented, risk managers must examine the risk management program to ensure that it continues to be adequate and effective.
In the 1990s, new areas of risk management began to emerge that provide managers with more options to protect their companies against new kinds of exposures. According to the Risk and Insurance Management Society (RIMS), the main trade organization for the risk management profession, among the emerging areas for risk management were operations management, environmental risks, and ethics.
As forecast by RIMS, risk managers of corporations started focusing more on verifying their companies' compliance with federal environmental regulations in the 1990s. According to Risk Management, risk managers began to assess environmental risk such as those arising from pollution, waste management, and environmental liability to help make their companies more profitable and competitive. Furthermore, tighter environmental regulations also goaded businesses to have risk managers check their compliance with environmental policies to prevent possible penalties for noncompliance.
Companies also have the option of obtaining new kinds of insurance policies to control risks, which managers and risk managers can take into consideration when determining the best methods for covering potential risks. These nontraditional insurance policies provide coverage of financial risks associated with corporate profits and currency fluctuation. Hence, these policies in effect guarantee a minimum level of profits, even when a company experiences unforeseen losses from circumstances it cannot control (e.g., natural disasters or economic downturns). Moreover, these nontraditional policies ensure profits for companies doing business in international markets, and hence they help prevent losses from fluctuations in a currency's value.
Risk managers can also help alleviate losses resulting from mergers. Stemming from the wave of mergers in the 1990s, risk managers became a more integral part of company merger and acquisition teams. Both parties in these transactions rely on risk management services to determine and control or prevent risks. On the buying side, risk managers examine a selling company's expenditures, loss history, insurance policies, and other areas that indicate a company's potential risks. Risk managers also suggest methods for preventing or controlling the risks they find.
Finally, risk managers have been called upon to help businesses manage the risks associated with increased reliance on the Internet. The importance of online business activities in maintaining relationships with customers and suppliers, communicating with employees, and advertising products and services has offered companies many advantages, but also exposed them to new security risks and liability issues. Business managers need to be aware of the various risks involved in electronic communication and commerce and include Internet security among their risk management activities.
As the field of risk management expanded to include managing financial, environmental, and technological risks, the role of risk managers grew to encompass an organization-wide approach known as enterprise risk management (ERM). This approach seeks to implement risk awareness and prevention programs throughout a company, thus creating a corporate culture able to handle the risks associated with a rapidly changing business environment. Practitioners of ERM incorporate risk management into the basic goals and values of the company and support those values with action. They conduct risk analyses, devise specific strategies to reduce risk, develop monitoring systems to warn about potential risks, and perform regular reviews of the program.
In the United States, the Sarbanes-Oxley Act of 2002 provided the impetus for a number of large firms to implement enterprise risk management. Passed in the wake of scandals involving accounting compliance and corporate governance, the act required public companies to enact a host of new financial controls. In addition, it placed new, personal responsibility on boards of directors to certify that they are aware of current and future risks and have effective programs in place to mitigate them. "Fueled by new exchange rules, regulatory initiatives around the globe, and a bevy or reports that link good corporate governance with effective risk management, attention is turning to ERM," Lawrence Richter Quinn noted in Financial Executive. "[Some executives believe that it] will save companies from any number of current and future ills while providing significant competitive advantages along the way."
In late 2004 the London-based Treadway Commission's Committee of Sponsoring Organizations (COSO) issued Enterprise Risk Management-Integrated Framework, which provided a set of "best practice" standards for companies to use in implementing ERM programs. The COSO framework expanded on the work companies were required to do under Sarbanes-Oxley and provided guidelines for creating an organization-wide focus on risk management. According to Financial Executive, between one-third and one-half of Fortune 500 companies had launched or were considering launching ERM initiatives by the end of 2004.
Revised by Laurie Collier Hillstrom
Braunstein, Adam. "Strategies for Risk Management." CIO (24 February 2005). Available from < http://www2.cio.com/analyst/report2268.html >.
D'Arcangelo, James R. "Beyond Sarbanes-Oxley: Section 404 Exercises Can Provide the Starting Point for a Comprehensive ERM Program." Internal Auditor (October 2004).
Dowd, Kevin. Beyond Value at Risk. New York: Wiley: 1998.
Lam, James. Enterprise Risk Management: From Incentives to Controls. Hoboken, NJ: John Wiley, 2003.
Mills, Evan. "The Coming Storm: Global Warming and Risk Management." Risk Management (May 1998): 20.
Quinn, Lawrence Richter. "ERM: Embracing a Total Risk Model." Financial Executive (January-February 2005).
Risk and Insurance Management Society, Inc. "(RIMS) Website." Available from http://www.rims.org.
Simons, Robert. "How Risky Is Your Company?" Harvard Business Review (May 1999): 85.
Telegro, Dean Jeffery. "A Growing Role: Environmental Risk Management in 1998." Risk Management (March 1998): 19.
White, Larry. "Management Accountants and Enterprise Risk Management." Strategic Finance (November 2004).