Risk - a new way of thinking - Business Works

Risk Ė a new way of thinking

Paul Hopkin, AIRMIC

W e all feel that we have a concept of risk in our business, but as more firms take an interest in risk management, Paul Hopkin of the Association of Insurance and Risk Managers (AIRMIC), says that the aim is to encourage enterprise.

If you are one of those people who have only a vague or very general understanding of the term Ďrisk management,í then no need to worry; you are not alone. Risk management has become such a hot topic that the concept is overused and, frankly, often misunderstood. Ask ten different directors what they mean by the term and you might well get ten different answers.

Before defining the term, letís be clear about one thing. Risk management is not just about preventing bad things happening or about ticking the boxes so that you have covered your back if things go wrong. It is a dynamic way of thinking that supports better decision making, enables more effective use of resources (including your insurance spend) and makes firms more resilient in times of crisis.

Above all, used correctly, it helps organisations become more enterprising. Just as you feel confident about driving at speed because your car has brakes, companies that understand the risks they face can afford to be more enterprising.

Risk management is defined as a strategic process involving the systematic identification of the risks an organisation faces so that it can reduce them, accommodate them and even exploit the openings they provide. This is a workable definition, even if you could spend hours arguing about the precise wording.

Letís now consider three real illustrations of risk management at work, which vary in size from small-scale up to the UKís biggest-ever peacetime construction project. First, a hotel owner in a small French town discovers that a rival establishment is to be built just down the road. She could, of course, treat it as a threat. Instead, she sees the chance to promote the town as a tourist destination and so increase trade: positive risk management.

How risk management can cut your insurance bills

Your company is probably paying too much for its insurance and improved risk management normally leads to more effective use of insurance.

The principle behind getting better value for money is a simple one. If you or your broker can persuade your insurance company that you have taken steps to reduce the chances of mishaps occurring, you are likely to get a better deal. Partly as a result of discussion with AIRMIC, insurers are more than ever taking into account the individual policyholder circumstances before quoting terms, rather than just going to their rate book.

The risk management process also helps you identify areas where you need less insurance or perhaps none at all. You may also discover exposures that you had not previously noticed and decide that they merit extensions to your policy, so saving you a nasty shock further down the line.

In other words, risk management can help you to reduce your insurance bills without leaving your company unduly exposed.

The second is the London Olympics; my association organised a seminar to discuss the risks and opportunities arising from the 2012 games. Letís remember that this event aims to capture the imagination of the nation and to be a showcase for us all. It will provide 12,000 long-term jobs in a rundown area, create thousands of new homes with infrastructure to match and turn the Lea Valley into Europeís largest park.

The Olympics will, however, only achieve their objectives if they go to plan, and we all know the disasters that can befall big projects. That is where risk management comes in. Speaker after speaker made the same point: the process of identifying, prioritising, mitigating and monitoring the risks inherent in the project at several different levels is essential to its success. The work may be unglamorous and often painstaking, but it is about achieving something very worthwhile.

Finally, I know of one company that recently concluded it could survive the loss of a big factory, but that its long-term survival would be at risk, because of the reputational consequences, if the same factory produced sub-standard goods. This analysis had far-reaching effects on strategy.

And these are not isolated cases. Research by DNV (Det Norske Veritas) published in 2008, probably the most extensive exercise of its kind ever conducted anywhere, examined 25 mostly UK organisations that had implemented ERM (Enterprise Risk Management) programmes. DNV concluded that ERM can be shown to significantly reduce the net risk exposure of organisations and to support improved decision making. In many cases it was able to measure the difference. For example, one large government agency had cut its exposure by between £10 million and £20 million. Smaller organisations can expect proportionately similar benefits.

ERM must be implemented correctly, however, and that includes being appropriate for the size and nature of the organisation involved. DNV identified 13 hallmarks of successful ERM, including the use of risk management as a creative process, ensuring sufficient effort is allocated to treating risks after the analysis phase and managers seeking risk information to help decision making.

Provided you achieve these things, then understanding risk exposure enables the organisation to take cost-effective steps to reduce it and to become more enterprising.

Risk management can be a highly technical, time-consuming subject or it can be little more than an application of common sense and a re-ordering of what you already know about your business. In my experience anyone who runs an SME invariably prefers the latter.

And that is one of the main reasons why AIRMIC decided to replace the Risk Management Standard, an internationally used document drawn up in 2002 that sets out the elements of best practice. Although an excellent reference point, it was written by risk managers for risk managers. Other people find it rather inaccessible. It did, in any event, need updating in light of recent developments, most notably the publication last year of an international standard (ISO 31000) for risk management.

Our new guide is designed to be useful to the executive who wants to learn more about risk management, but does not claim to have a specialist knowledge of the subject. It is intended to provide practical advice for organisations of all sizes on the implementation of a risk management programme. It includes two simple A4 checklists to help users see at a glance whether they have all the elements in place to implement an effective ERM programme.

It is important to stress, however, that this is much more than just a box ticking exercise. Like the document it replaces, the guide describes the principles of risk management but is not prescriptive. Nor is it intended to replace human judgement. Implementation will vary from company to company.

Letís now say, for the sake of argument, that you have decided to implement a formal risk management strategy or want to investigate doing so. Where do you begin?

There are plenty of risk management consultants and others who can advise you, and your insurance broker might also be able to help. Alternatively, you and your colleagues may want to have a stab at doing it yourselves. People who run SMEs are generally intuitive risk managers.


A good place to start is with a simple risk graph like the (somewhat simplified) one below where one axis represents the likelihood of an adverse event taking place, and the other axis the impact that such an event would have. The nearer to the top right hand corner you go, the greater the need for action.

Although this case is imaginary, it is also realistic. Management clearly needs to address the risk of a key supplier going bust or of major customer default. Theft of company property is not to be tolerated, but neither does it threaten the enterpriseís existence. This may all seem obvious, but it is amazing how often even large companies are so focussed on maximising profits (or just staying alive) that they miss basic dangers to their operations.

With exercises like this, you quickly learn a new way of thinking and almost invariably learn something new and important about your company. It is important to share the experience and conclusions with your colleagues so that get maximum buy-in and understanding.

The feedback we receive time and time again is that it is more than just useful; it can be fun as well. And it could make your enterprise more profitable and more resilient.

For more information or to download a copy of the new guide:
A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000
w: www.airmic.com

Paul Hopkin is technical director at AIRMIC (the Association of Insurance and Risk Managers)

Tweet article
BW on TwitterBW RSS feed