Designing and Implementing an Integrated Risk Management System that Effectively Minimizes Your Exposure
Integrated Risk Management Conference
By Dr James A Robertson PrEng and George J Paton, Director, CRM Risk Control Consultants
The management of risk in organizations today is becoming of increasing importance as insurance premiums and liability risks increase and as the hidden costs of risk in areas such as down-time, customer dissatisfaction and other factors increase.
Effective management of risk is therefore becoming a strategic necessity. Risk management in the area of physical risk is an aspect of business that is frequently overlooked or is approached on an ad-hoc basis. This paper sets out some of the factors that should be taken into account in implementing risk management solutions and identifies the need for such solutions to be holistic in nature. In particular, it is noted that the physical and financial components of risk management should be tightly integrated and that the management of maintenance on a risk containment basis is highly desirable.
It is concluded that the effective application of information technology in the form of an integrated loss acquisition database and management information system is vital to achieving the full potential of risk management in any organization. Some of the benefits of this approach are discussed together with a case history of a successful implementation.
It is concluded that the application of these techniques can give rise to a considerable improvement in profitability and should be a vital component of most organizations business strategy. Effective risk management supported by effective information systems can play a significant role in creating and sustaining competitive advantage.
The management of risk in business today is a many faceted and complex task. Traditional approaches to risk management have focused on funding and financial issues rather than managing risk at source. As with maintenance, risk management has tended to concentrate on treating the symptoms rather than the cause. Events giving rise to large losses tend to originate from apparently insignificant occurrences with regard to wear and tear, maintenance and personnel which, with time, escalate to a point of giving rise to a major incident. The use of appropriate techniques to track small losses in a manner that enables management to analyze trends in such a way that proactive action can be taken to anticipate and prevent major losses and to identify the true cause of recurrent losses is vital to effective risk management that offers bottom line benefits.
In developing and implementing a risk management solution, it is important to recognize that a prime objective of the risk management function is to create a risk awareness culture in the organization in which there is an understanding of the adverse effects that risk exposure will have on the organization. As a consequence of this awareness and understanding, deliberate measures to minimize the potential impact on the organization should be implemented. A fundamental principle of risk management is a change in emphasis from an approach of contingency planning in the event of occurrence to proactive management directed at preventing risks from materializing. Risk management is therefore primarily a management function aimed at dealing mainly with uncertainties whilst taking cognizance of the consequences of pure risk and it's impact on business activities.
In designing a risk management solution, a number of tasks must be performed:
a. The potential impact of hazards on the effective operation of the business must be considered.
b. Steps necessary to achieve predefined objectives must be defined.
c. Risk improvement programs to reduce the probability of occurrence of risks must be developed.
d. Alternative strategies for controlling the consequences of risk and their impact on the organization must be developed.
e. These strategies must be integrated into the general decision framework of the organization.
Management activities associated with this process will include risk identification, risk evaluation, risk control and risk monitoring. Risk control involves selecting and implementing the solution most appropriate to achieving the given objective while risk monitoring focuses on determining the outcomes in order to assess the validity of the decisions made. Risk management must take place at all levels in the organization.
In determining the cost of risk, in order to measure the effectiveness of a risk management programme, factors such as insurance premium costs, retention costs such as risk control expenditure, maintenance programmes, training costs, fire protection, security and administration costs must all be taken into account. An optimum risk management solution will maintain a balance between the cost of risk improvement and the level of risk financing with the objective of achieving lower levels of risk in conjunction with greatly reduced overall levels of expenditure as shown in figure 1.
In accomplishing these objectives, a means of acquiring and analyzing comprehensive and detailed loss statistics in order to determine the impact of risk management decisions and to identify problem areas requiring attention, is highly desirable. In fact, it is unlikely that the full long term benefits of a risk management program will be achieved unless the risk management program is supported by a comprehensive information system capable of recording all relevant loss information in a manner that supports comprehensive analysis and enquiry.
FIGURE 1 : DETERMINING THE COST OF RISK
In discussing risk management in the context of designing and implementing a solution, the following terms are applicable (Valsamakis, Vivian, du Toit, "The Theory and Principles of Risk Management" 1992).
a. Risk management
Risk management comprises a comprehensive range of activities for dealing with risks. As a science it identifies the methods that can be adopted to handle risks and to show the interdependence between the available alternatives. As a management function, it is used to plan, direct and coordinate activities in the pure risk area.
Figure 2 illustrates the relationships between business strategy, risk management and external influences.
Figure 3, based on the work of the Society of Risk Managers, illustrates the areas covered by risk management and the overall objectives of an organisation.
b. Pure risk
Pure risk is a risk which results only in loss, damage, disruption, injury or death with no potential for gain, profit or other advantage.
c. Risk control
Risk control comprises the provision of appropriate levels and standards of protection for people and assets to avoid, transfer, control of or acceptance of the pure risks which have been identified and evaluated.
d. Risk financing
Risk financing involves the provision of funds for recovery from potential losses that do occur.
e. Risk evaluation
Risk evaluation is the expression of identified pure risks in an organisation in quantitative / qualitative terms in order to gauge the potential severity and frequency of occurrence of these risks.
f. Risk identification
Risk identification is the identification of the pure risks to which an organisation is or could be exposed.
Risk can be defined as the difference between what is expected and what is experienced. In figure 4 item (a) has a greater uncertainty than item (b) and there is therefore a greater probability that the outcome of item (a) will deviate significantly from the expected value with the resultant impact on operations and severity of loss.
g. Pure risk improvement techniques
Pure risk improvement techniques are those techniques which are used to provide appropriate levels and standards of protection for people, assets and earnings. The four main techniques are as follows:
Avoidance - taking action so as not to incur the risk in the first instance.
Retention - acceptance of the risk in its current make-up or character.
Transfer - insurance, non-insurance or contractual transfer of the consequences of risk.
Control - reducing the risk by controlling its frequency and its severity.
h. Risk finance
Risk financing is intended to provide funds to assist the business to survive and recover from losses that do occur. The two main risk financing components are internal and external financing.
FIGURE 2 : THE RELATIONSHIPS BETWEEN BUSINESS STRATEGY,
RISK MANAGEMENT AND EXTERNAL INFLUENCES
FIGURE 3 : AREAS COVERED BY RISK MANAGEMENT AND THE
OVERALL OBJECTIVES OF AN ORGANISATION
FIGURE 4 : DEFINITION OF RISK
3. PHYSICAL FACTORS GIVING RISE TO EXCESSIVE RISK
Traditionally, the focus of risk management has been on the recording and reporting of claims as they relate to insurers. As a management tool, this did not really identify the real risk exposure of the organization. The tendency today is to focus on the overall cost of risk in an organization which is not only the insurance related cost of risk.
Physical factors that can exacerbate risk are diverse and include maintenance issues, health, environmental and other issues. A few aspects are discussed below.
The maintenance of complex plant, particularly in the production environment is often undertaken on a basis of maintaining the most visible items rather than on maintaining those items that have the greatest potential to give rise to losses or increase risk. For example, a decision to save money on the price of a valve or other low cost component can give rise to greatly increased down-time or even catastrophic failure of the plant. Most maintenance programs do not take account of these factors. An effective risk-focussed maintenance management system will focus on the loss implications of failure of a particular component and prioritize maintenance accordingly. This approach requires a different mind-set in the maintenance department and the provision of appropriate tools to enable the maintenance manager to allocate maintenance resources according to the loss implications of failure rather than traditional criteria. Sophisticated computerized information systems are required in order to accomplish this objective.
In practice, it is not uncommon for losses to result from apparently unrelated circumstances. A recent example involved a major transport operator where it was found that a disproportionate number of drivers suffered from diabetes and that their blood sugar levels were dropping in the afternoons as a result of inadequate diet to a level where serious accidents were more frequent than the industry norm. In another case, drivers were waking at 1 am in order to get to work on time and were losing concentration by mid-morning as a result of exhaustion. Many of these situations are never identified or are only identified in response to a decision from insurers to increase premiums because of poor claims history.
With appropriate information systems it is possible to monitor loss experience and identify unusual trends at an earlier stage. Under certain circumstances, it is also possible to identify relationships for more direct investigation thus reducing the time required for manual investigations.
4. INFORMATION NEEDS IN ORDER TO IDENTIFY TRENDS FOR PHYSICAL RISK CONTROL
Experience has shown that major incidents are normally preceded by a number of minor incidents over a period. Typically, such minor incidents do not attract attention and, in many cases, are not reported so that their occurrence is only highlighted during the investigation that follows the major incident. Appropriate use of a loss information recording system will enable these trends to be highlighted in terms of aggregate cost of risk, frequency of occurrence, etc. Such a system will also enable management to track the full scope of losses occurring and in some cases may highlight that the real cost of small losses exceeds the cost of the high profile losses which constitute the normal focus of attention.
Conventional loss reporting concentrates on the amount claimed from insurers rather than the hidden costs associated with the loss which includes down-time, management time, lost production, lost market opportunities, customer dissatisfaction, unremunerated overtime, staff dissatisfaction and other factors.
Compounding the above difficulties, it is frequently found in many organizations that the personnel responsible for risk control and risk improvement rarely communicate with the personnel responsible for making the financial decisions regarding insurance and self-insurance levels. In order to make strategic decisions with regard to the financial component of risk management, there is a clear need for organizations to restructure these functions resulting in a single line of responsibility for all risk related management as indicated in Figure 1. Tightly integrated risk management information is a vital component for achieving this objective.
In order to fully accomplish the objectives set out above, it is necessary to establish effective communication between the risk improvement and financial functions in order to ensure an integrated approach to risk management. The effectiveness of this communication can be greatly enhanced by having systems which will enable the full financial implications of past losses to be reported thus enabling the full implications of proposed risk management decisions to be accurately projected. This will, in turn, give rise to far better decisions with a long term impact on the profitability of the organization.
A prime requirement indicated by the above discussion is the need for a single integrated database of all risk related information in order to support a single basis of risk related decision making. In addition to information pertaining to incidents that occur, this database should include planned maintenance information, risk audit statistics, information about unaccounted losses, (those losses normally recorded elsewhere but which contribute to the cost of risk such as wear and tear) and other statistics normally recorded separately.
As an example, an organization involved in the introduction of ISO 9000 certification concluded that they were not being particularly effective in their maintenance programs. It was therefore decided to create a database of all major items such as boilers, pressure vessels, etc as well as all other equipment and to associate this database with a database of all relevant legislative requirements. Based on this database, maintenance of all plant and equipment was prioritised and scheduled and it was found that, whereas when the idea was first mooted, increased costs were anticipated, the overall cost of running the plant was reduced and plant efficiency was increased.
5. THE BENEFITS OF ESTABLISHING AN INTEGRATED LOSS DATABASE
The business case in favour of establishing an integrated loss database has been set out above, some of the benefits of such a database are listed below:
a. An integrated loss database will make it possible to introduce a holistic and consistent risk improvement program across the organization in order to enable a standardised approach to be adopted toward financial, and physical risk management.
b. Accountability for losses and risk management can be effectively established by incorporation of an appropriate business model and business rules into the database in such a way that every item can be uniquely associated with a single responsible person who has final accountability. Consideration of these factors during the implementation of the system will frequently cause the organization to identify issues for which accountability has not been effectively defined.
c. The true cost of risk, including hidden costs and high frequency, low value, unaccounted losses, can be established so that management can adopt a pro-active approach centred on reducing the total cost and not only the visible cost.
d. The quality of pure risk management will be greatly improved and duplication of effort will be avoided.
e. Early identification of adverse trends will minimize the probability of the occurrence of catastrophic loses and improve the ability of management to isolate those aspects of business operation that are most at risk of catastrophic loss. This in turn will enable informed decisions to be taken with regard to the need for disaster recovery and business continuity.
f. Accurate centralized information will simplify risk management and reduce risk management costs for comparable results or, more importantly, give rise to a greatly improved return on the risk management investment.
g. Accurate loss and risk management information, centrally available, will give rise to more effective decision making and enable management to see "the big picture". A well designed information system will also support distributed operation so that unit, plant, regional and corporate management will all have access to the components of the database of relevance to them. This will also enable management to benchmark similar business units across the organization in order to identify favourable and unfavourable trends in certain units. This has the potential to greatly improve the dissemination of information with regard to risk management practices that are delivering particularly noteworthy returns.
h. These facilities will also greatly enhance the ability of risk managers at all levels to adopt a coordinated approach to risk management.
i. By providing effective summarization and drill down capability, it will be possible for management to focus on the key issues in risk management within the organization at any time.
j. An effective risk management information system will also provide the tools necessary to ensure that insurance policy endorsements and limitations are constantly monitored thus greatly reducing the risk of policies being revoked due to non-disclosure or other considerations. A comprehensive risk management information system will include policy information at a level that allows full insurance policy management including aggregate management and other funding factors to be taken into account.
6. CONCEPTUAL REQUIREMENTS FOR THE IMPLEMENTATION OF AN EFFECTIVE RISK MANAGEMENT SYSTEM
Paton (1993) has discussed in detail the requirements for implementing a risk management system while Robertson (1992 1&2 and others) have discussed the implementation of computerized information systems. These publications and other work undertaken by the authors comprehensively document the approach necessary to undertake a project of this nature.
In summary, the requirements for the implementation of an effective risk management system include the following:
a. Develop a risk exposure profile of the organization.
b. Identify core business activities impacted by risk management.
c. Analyze past losses and loss trends.
d. Determine market factors influenced by risk exposure.
e. Integrate risk management with business strategy and introduce a program to make risk management part of the corporate culture.
f. Address environmental issues as part of the cost of risk.
g. Restructure the risk management and risk finance functions of the organization.
h. Implement a centralized loss information acquisition system and database and associated risk management information system.
7. CASE STUDY OF AN IMPLEMENTATION PROCESS
A major South African corporation which had previously self-insured all losses recently undertook the introduction of a comprehensive risk management program including the implementation of an integrated risk management information system addressing many of the aspects discussed in this paper. The information system implemented was the prototype of a more comprehensive system proposed for future development. The system was developed and implemented in late 1992 and has been successfully used since then to acquire comprehensive loss statistics and as an information base for introducing comprehensive risk management and risk financing practices throughout the organization.
The system is currently being used to process in excess of 10,000 loss incidents from five regions around the country using four operators. With the statistical base that has now been developed, the basis of risk funding between insured, self-insured and uninsured losses is being optimized and a comprehensive risk improvement program is being implemented. The system is also being used to monitor the progress of insurance claims submitted. It is estimated that a staff of about 12 would have been required to process the same information using conventional techniques without providing any of the management information that the computerized system makes available. Major enhancements to the system are envisaged based on experience to date with the objective of developing a commercial software system aimed at the corporate market.
A wide range of factors applicable to risk management with particular emphasis on the management of the physical factors contributing to risk have been discussed. The need to directly associate the financial implications of losses with the physical factors giving rise to risk is identified as is the need to record losses which are traditionally not accounted for. It is concluded that this can only be effectively accomplished using a comprehensive, integrated loss database and computerized risk management information system. Some of the benefits of this approach and conceptual considerations are addressed and brief case histories are presented.
It is concluded that the effective management of risk in organizations in a manner that will produce significant improvements in loss reduction will also give rise to significant improvements in operational efficiency and substantial overall profitability improvement. These benefits will only be achieved if an holistic approach to risk management and risk finance is adopted that takes account of hidden, as well as visible costs and is associated with a restructuring of the risk management and risk finance components into a single area of accountability. The application of leading edge information technology is a vital component of this solution but must be associated with practical and effective implementation within the organization.
CRM Risk Control Consultants is a firm of specialist risk management consultants within the Price Forbes Group of Companies which specializes in providing a comprehensive risk management consulting service to clients. CRM Risk Control Consultants can be contacted on (011) 637-2148.
Differentiated Strategic Solutions (dS2) is a firm of independent business information system specialists concentrating on offering information systems consulting, software development services and strategic software products with particular emphasis on the fields of decision support and management information. They place particular emphasis on innovative solutions which enable clients to create and sustain competitive advantage and on the effective implementation of such solutions and have been involved with CRM in the development and implementation of the information system on which the case history is based. Through associates in The MaXus Group and other associated specialists they are able to provide a wide range of additional consulting and other services. Differentiated Strategic Solutions can be contacted on (011) 886-9863.
The contribution of our clients and associates without whom we would not have had the opportunity to evolve and develop these concepts is gratefully acknowledged.
Robertson (1992(1)) Effective Implementation of Executive Information Systems. Paper presented at Executive Information Systems Conference, Johannesburg, March 1992.
Robertson (1992(2)) Enhancing Information System Effectiveness: The Human Element. Paper presented at Executive Information Systems Conference. Johannesburg, March 1992.
Robertson (1994(4)) A Practical Approach to Implementing Integrated Information Systems in Real Companies. Paper to be presented at SAICE IT Division Conference on Integrated Information Solutions in Engineering Practice, Johannesburg, October 1994.
Valsamakis, Vivian & du Toit (1992) The Theory and Principles of Risk Management. Butterworths.
22 to 23 June 1994
Download the CRM Risk Control: Designing and Implementing an Integrated Risk Management System -- Article in Adobe pdf format
018 Designing and Implementing an Integrated Risk Management System that Effectively Minimizes your Exposure -- CRM Risk Control Case Study -- by Dr James A Robertson PrEng from James Robertson
Download Designing and Implementing an Integrated Risk Management System that Effectively Minimizes your Exposure -- Slides in Adobe pdf format
Download Designing and Implementing an Integrated Risk Management System that Effectively Minimizes your Exposure -- Paper in Adobe pdf format