Risk Management (business)
Risk management in business refers to the systematic process of identifying, evaluating, and mitigating risks that organizations face, including strategic, operational, financial, and market risks. It plays a crucial role in both public and private sectors, helping businesses protect their assets, investments, and overall performance. The practice has evolved significantly since its inception in the 1960s, primarily emerging from the need for effective insurance strategies in corporate environments. As regulations such as the Sarbanes-Oxley Act have increased the focus on financial risk assessment, companies have developed more sophisticated approaches to risk management.
Key strategies in modern risk management include Enterprise Risk Management (ERM), which adopts a holistic view of risks across the organization, and Alternative Risk Transfers (ART), which allow companies to manage their risks without relying solely on traditional insurance. Additionally, organizations must navigate geopolitical risks, which can emerge from a myriad of international factors that impact business operations. Effective risk management entails creating a culture of risk awareness throughout the organization, aligning risk strategies with corporate objectives, and continuously measuring and improving risk management initiatives. Ultimately, a comprehensive risk management strategy can lead to enhanced organizational resilience and stability.
This article will focus on risk management. It will explore the history, benefits, and costs of risk management. Risk management's relationship to insurance will be discussed. In addition, the article will describe the main corporate risk management and risk mitigation strategies and approaches including enterprise risk management (ERM), alternative risk transfers (ART), and risk differentiation. The issues surrounding corporate management of geopolitical risk will be addressed.
Keywords: Enterprise Risk Management (ERM); Geopolitical Risk; Insurance; Risk Differentiation; Risk Management; Risk Mitigation; Alternative Risk Transfers (ART)
Overview
Organizations face risks from strategic, market, credit, operational, and financial exposure as well as man-made and natural disasters (Banham, 2004). Organizations identify and mitigate these risks through active risk management. Risk management, which refers to the process of evaluating, classifying, and reducing risks to a level acceptable to stakeholders, is common practice in both the public and private sectors. Risk evaluation, classification, and management are undertaken for large and small projects and organizational decisions. Identifying and mitigating risk is the primary role of risk managers (Klinke & Renn, 2002). The potential benefits of risk management practices include the reduction of anticipated deadweight bankruptcy costs, minimization of tax payments, and protection of optimal investment programs. The potential costs of risk management practices include transaction costs and exacerbating corporate conflicts (Tufano, 1993).
Adopting Risk Management Historically
Corporations adopt risk management strategies for the potential performance benefits as well as to satisfy increasingly stringent government regulations. In particular, the Sarbanes-Oxley Act, passed in 2002 in response to corporate auditing scandals, requires that corporations engage in risk assessment and risk auditing to monitor financial reporting and auditing processes. Section 404 of the Sarbanes-Oxley Act, which focuses on management's assessment of internal control over financial reporting, instructs corporations to conduct a top-down risk assessment to evaluate the corporation's internal controls systems (Banham, 2004). Risk management has become a ubiquitous corporate practice.
Risk management is an outgrowth of insurance management. While corporate insurance dates back to 1878 when railroad interests began the practice of offering insurance to offset the inherent risk of railroad work, the practice of risk management did not emerge until the 1960s. The first corporation to explicitly implement risk management practices was the Canadian firm Massey-Ferguson. In 1966, Massey-Ferguson hired a risk manager and developed an explicit policy statement on risk management practices. The adoption of risk management practices was slowed by the lack of professionals trained in risk management strategies.
While risk management was practiced in the 1960s and 1970s by public and private organizations, corporate risk management was not widely adopted until the 1980s. The 1980s were characterized by increasing government regulations, a growing economy, and an insurance crisis. The federal government passed laws, such as the Occupational Safety and Health Act, the Environmental Protection Act, and Superfund legislation, which required corporate compliance. Corporations created new positions, such as risk manager, to address liability, safety, and environmental compliance issues. In addition, the business boom of the mid-1980s, characterized by an increase in production plants, business locations, operations and workers, required new types and larger amounts of insurance. Companies demanded more insurance options and coverage from their insurers and insurance companies balked at the demands. Companies struggled both with financing their increasing insurance needs and finding insurance policies that met the needs of their expanding businesses. Corporations increasingly hired risk managers to assess their risks and select the best insurance options for their expanding businesses.
Thus, as a result of increased government regulation and expanding businesses, the position of risk manager became common in large corporations in the 1980s and largely replaced the positions of insurance clerk, insurance buyer, and insurance manager. Risk manager, as a distinct occupation, functioned as in-house insurance expertise. Prior to in-house risk management, corporations relied on their insurance company's broker to inform the corporation of potential corporate risk and potential insurance options. The creation of risk management divisions reduced potential conflicts of interest in the insurance industry by separating insurance purchasing decisions from insurance commissions. Risk managers tend to have strong relationships with insurance brokers and are responsible for negotiating broker commissions and fees. Corporations that do not wish to hire their own in-house risk managers have the option of hiring risk management consultants. These outside advisers can be hired for discrete projects or periods of time and are generally less expensive than a full-time employee with benefits (Englehart, 1994).
Today, risk management is an established profession supported by professional organizations and numerous higher education programs. For example, the American Risk and Insurance Association (ARIA), founded in 1932, supports the career development of risk management and insurance professionals. The association’s goals also include “the expansion and improvement of academic instruction to students of risk management and insurance” (Hoyt, 2006). The association supports the Risk Theory Society, founded in 1963, to foster research of topics in risk theory and risk management. Risk management career opportunities are being expanded and strengthened by the large number of colleges and universities offering risk management majors and programs of study. For example, top business schools such as the University of Pennsylvania's Wharton School of Management and MIT's Sloan School of Management offer course options in risk management (Rose, 2000).
The following section describes the main risk management strategies and approaches, including enterprise risk management (ERM), alternative risk transfers (ART), and differentiating corporate risks, used in corporations. This section will serve as a foundation for later discussion of the issues surrounding the management of geopolitical risk.
Applications
Risk Management Strategies & Approaches
A corporate risk management strategy is generally a corporate-wide approach to business practice. The main methods and elements of risk management strategy operate to integrate the risk management approach into all levels of operation and the corporate culture itself. There are six main strategies or principles that characterize corporate risk management (Jorgensen, 2005):
- Develop intimate company knowledge: Risk managers require intimate knowledge of corporate operations, goals, and missions to successfully evaluate risk exposures relating to all areas of the company.
- Align risk management vision with that of the company: Risk managers are responsible for creating an integrated risk management strategy that reflects and furthers the goals and values of the company.
- Identify and analyze the company's areas of risk: Risk managers develop successful risk management strategies by analyzing and planning for potential losses vertically and horizontally across an organization.
- Balance financials and objectives: Risk managers are responsible for determining how much time, effort, and money is required to achieve a given objective. Risk managers use a balanced scorecard methodology (BSC), a management tool that translates the strategy into operational terms, to connect internal and external processes with corporate cultural and financial objectives.
- Close the gaps with strategic initiatives: Risk managers should identify the gaps between where the company is in relation to their goals and objectives and their final goals and objectives. Risk managers, along with corporate management, are responsible for finding strategies to close any existing gaps in corporate performance and achievement.
- Continual measurement and improvement after implementation: Risk managers are responsible for creating a risk management system as well as evaluating and improving its performance. Risk managers use data capture and reporting to measure the effectiveness of risk management initiatives (Jorgensen, 2005).
Risk analysis is one of the first and most important steps in the risk management process. Risk analysis involves risk evaluation and classification. Risk classification is performed in an effort to create or select effective, efficient, and feasible strategies for risk reduction and mitigation. Risk management works to transform unacceptable risks into acceptable risks within a normal range.
Different types of risks require different types of risk management tools such as risk-based, precaution-based, and discourse-based approaches. Once the risk evaluation and risk classification are conducted, the proper risk management tool can be chosen and applied to the problem or situation (Klinke & Renn, 2002). The most common risk management tools include enterprise risk management (ERM), alternative risk transfers (ART), and risk differentiation (Coffin, 2007).
Enterprise Risk Management
Recent economic and political events, such as the September 11, 2001 terrorist attacks and the collapse of the Enron Corporation, have brought a new awareness of business risk and exposure to corporations around the world. More businesses are employing enterprise risk management (ERM) to address this new awareness of corporate risk and vulnerability. Enterprise risk management refers to the holistic re-conceptualization of corporate risk and loss management. Contemporary enterprise risk management employs tools such as alternative risk financing tools, risk control, business process reengineering, and new corporate governance (Strazewski, 2002).
Enterprise risk management differs from traditional risk management in its holistic, integrated, and centralized approach to managing risk. Traditional risk management, often referred to as the silo or stovepipe approach, focuses on a single category of risk or exposure. Enterprise risk management centralizes risk management under the control and oversight of a chief risk officer or risk committee. The chief risk officer or risk committee is responsible for identifying the amount of risk the corporation can tolerate and assessing mitigation tactics. Enterprise risk management prepares corporations for a wide range of problems caused by strategic, market, credit, operational, and financial exposure as well as man-made and natural disasters. These risks will be identified, quantified, and monitored through a holistic, portfolio-based management system (Banham, 2004).
The chief risk officer or the risk committee will ask the following questions as part of the enterprise risk management process: Are our risk management policies and structures clearly identified, communicated and endorsed by the board? Is the process for identifying and analyzing risk part of the organizational process? What is our risk culture? What is our risk appetite? With the answers to these questions in mind, enterprise risk managers proactively manage the strategic, operational, reputation, regulatory, and information risks across organizations. In the final analysis, factors and variables that influence the success of enterprise risk management strategies include the following: Visible board commitment; organizational infrastructure and managing processes; integrating existing practices into the risk management framework; adopting the right kind and amount of risk; risk assessment of the activities of the board and strategic leadership; swift consensus on exposure, accountability, and action to control the risk; acknowledgement of risk/functional interdependencies; implementation of a common language and framework; and a risk-based approach to organizational planning and strategy stages (Sharman, 2002).
Alternative Risk Transfers
Corporations use alternative risk transfers (ART) to manage their own risk without involving outside insurers. Examples of alternative risk transfers include captives, risk-retention groups and pools, self-insurance, credit wraps, integrated risk programs, large deductible plans, catastrophe bonds, and weather derivatives. Alternative risk transfers were developed in the 1980s, when corporations were growing at a pace that insurance providers could not or would not sufficiently insure, and grew further post-September 11, 2001 when some insurers began to raise rates or refuse to insure the risks associated with terrorism and other high risks. Businesses have combined risk transfer and risk retention strategies to form the alternative risk transfer market. The most common alternative transfer mechanisms used today are self-insurance and captives.
Self-insurance, also referred to as self-funding, refers to a method of funding the claims of a benefit plan directly from the employer on an ongoing basis. Organizations choosing self-funding may be partially or fully self-funded. Organizations with a small number of employees, between 30 and 1,000, or those wanting greater control over the costs and services of benefit plans may choose to self-finance their employee benefit plan. Small employers find that self-funded insurance offers both cost-savings and benefits flexibility. Variables that affect the effectiveness of self-funding include the average age of the employees, level of benefits, cash flow, multiple plan options, and multi-state locations. The potential disadvantages of self-funded insurance are many. In particular, catastrophic situations, such as multiple employee sicknesses or deaths, may result in a significant financial burden for the company as it pays for medical bills and life insurance. Small companies may protect against a catastrophic scenario, and share some of the insurance risk with an outside party, through the purchase of stop-loss insurance. Stop-loss insurance is a type of security coverage that small and mid-sized employers use to limit the actual claims liability to the employer. Ultimately, stop-loss insurance is the key for many companies to making self-financed benefit plans a feasible option. Stop-loss coverage transforms self-funding from a high-risk option to a moderate risk option that many small companies choose (Halterman, 2000).
Captive insurance refers to a type of insurance company owned by the parent company that acts as a safety net by insuring or reinsuring the risks of that company. Captive insurers protect employees, and their dependants, against loss of earnings, or savings, due to illness or accidental injury, disability or death. Benefits covered by captive insurance include death benefits in lump sums; death benefits in dependants' pensions; personal accident benefits; short-term sickness benefits; long-term disability income benefits; medical and hospital expenses benefits; and retirement benefits. Organizations use captive insurance to lower the costs for many types of business insurance plans and to keep control of financial assets that would, in other financing situations, be funding the insurance costs. Captives offer numerous advantages including gaining control over both reserves and investment return; evening out rates for individual country operations; providing coverage not easily available in the commercial market; and improving health care costs by analyzing health related trends and offering managed care in place of increased rates (Cole, 2001). Captive insurers were first used in the mid-19th century and have been used as a benefit risk management tool ever since. Ultimately, risk transfer mechanisms are an expanding risk financing option for corporations interested in maintaining complete control over their risk management operations.
Risk Differentiation
Risk management requires long-term strategic planning and analysis to achieve favorable insurance coverage terms and conditions. Risk managers must differentiate corporate risks to identify, evaluate, and mitigate each risk through a customized insurance package. Risk managers can differentiate their business' risks by providing as much information as possible to the insurer who then can outline the risk characteristics and risk management tools. Risks can be differentiated through the following strategies: Reducing loss; changing the company's risk profile; increasing risk transparency; and improving insurance policy terms and conditions. The potential benefits of risk differentiation include reliable access to capacity; an increase in stability, flexibility, and predictability; and access to better services from the firm's insurance provider (Brazeau, 2007).
Issues
Risk Management & Geopolitical Risk
Geopolitical risk, which refers to any peril that arises from geographic, historic, and societal variables related to international politics, is a concern for the majority of corporate risk managers. Examples of geopolitical risk include terrorism, regional nationalism, frequency of government changes, amount of violence in the country, number of armed insurrections, conflicts with other countries, inflation, balance of payments, deficits, surpluses, and the growth rate of the gross national product (GNP). The losses associated with geopolitical risks may be catastrophic for businesses (Galvao, 2007). Risk managers assess and manage political risk through global strategies and organizational planning. These two approaches, global strategy and organizational planning, differ in scale. Global strategy is a macro-level activity that actively tries to connect the proposed project to a firm's overall goals and objectives. Organizational planning is a micro-level activity that actively works to connect the proposed project with project-level goals, objectives, and tools.
Global strategy refers to the methods, approaches, and objectives developed by a business to increase competitive advantage in the market by increasing competitive scope worldwide. A global strategy allows a company to determine the real cost of capital for a foreign investment. The majority of global strategies involve a combination of trade and direct investment in foreign countries. Global strategy requires capital investment decisions. The investment decision-making process involves seven steps:
- Determine that the project meets the firm's strategic objectives.
- Compute the costs, revenue, and benefits of the project.
- Assess the risk associated with the project.
- Determine the cost of capital to be used in the evaluation.
- Conduct the evaluation analysis.
- Select or reject the project.
- Perform a follow-up evaluation and tracking on the selected project.
Determining the true cost of capital required for a foreign project is crucial to the profit margin of the project. The appropriate cost of capital for an investment project is a function of the perceived risk of the investment. Country specific factors that influence perceived investment risk include political risk, interest rate differential, and tax rate differential. Country risk surveys and country ratings, produced by independent services, provide the information businesses use to measure geo-political risk (Martinson, 2000).
Political risk to a specific foreign investment is managed, in large part, through organizational planning. Organizational planning is conducted prior to final investment decisions. The pre-entry planning or pre-investment stage involves the following eight steps:
- Describe investment objectives.
- Assess company's knowledge and expertise related to proposed foreign investment.
- Integrate political risk assessment into global strategy.
- Identify opportunities that benefit company and avoid risk.
- Establish structure of operations.
- Develop strategy and contingency plans.
- Develop security plans for the protection or evacuation of employees.
- Choose insurance coverage.
Organizational planning occurs both within and outside of organizations. In-house centers gather, process, and disseminate information. Consulting firms also assess country, regional, and global political risk and monitor foreign political environments (Dugan, 1999). When geopolitical risk assessment is completed, the information and knowledge gained through global strategizing and organizational planning allows managers to make informed decisions about the type, degree, and probability of political risk in a business scenario. With this information in mind, geopolitical risk managers may choose to mediate political risk through use of a geopolitical risk strategy such as adapting, politicking, negotiating, withdrawing, or political risk insurance (PRI) (Morales & Kleiner, 1996). Worldwide political upheaval during the last two decades has resulted in the demand for political risk insurance to protect businesses engaged in international business. Businesses obtain political risk insurance coverage during the initial stages of the project. Businesses pay a small commitment fee to the insurance underwriters and are guaranteed coverage often for the life of the project.
Conclusion
In the final analysis, risk management provides numerous potential financial and organizational benefits to corporations and is, in some forms, required by the federal government. Risk management, while once an extension of the insurance industry, has grown into its own industry with its own tools and strategies. Enterprise risk management promises to establish risk management as an even more central and necessary component of effective business strategy and practice (Coffin, 2007).
Terms & Concepts
Alternative Risk Transfers: Risk management strategies, such as captives, risk-retention groups and pools, self-insurance, credit wraps, integrated risk programs, large deductible plans, catastrophe bonds, and weather derivatives, used to transfer risk outside of the corporation.
Captive Insurance: A type of insurance company owned by the parent company that acts as a safety net by insuring or reinsuring the risks of that company.
Corporation: An entity that allows for limited liability in that it is legally separate from its individual owners but reserves most of the business rights and abilities of an individual.
Enterprise Risk Management: The holistic risk management strategy that employs tools such as alternative risk financing tools, risk control, business process reengineering, and new corporate governance.
Federal Government: A form of government in which a group of states recognizes the sovereignty and leadership of a central authority while retaining certain powers of government.
Geopolitical Risk: Any peril that arises from geographic, historic, and societal variables related to international politics.
Insurance: A contract that guarantees an individual or a business financial security in the case of certain losses.
Mitigation: Efforts taken to reduce either the probability or consequences of a threat.
Political Risk Insurance: Insurance that protects businesses engaged in international business from loss associated with political upheaval such as regime or policy change.
Sarbanes-Oxley Act: A law, enacted in 2002, which introduced highly significant legislative changes to financial practice and corporate governance regulations.
Self-Funding: A method of funding the claims of a benefit plan directly from the employer on an ongoing basis.
Bibliography
Banham, R. (2004). Enterprising views of risk management. Journal of Accountancy, 197, 65-71. Retrieved July 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=13318843&site=ehost-live
Brazeau, P. (2007). Managing your costs by differentiating your risks. Canadian Underwriter, 74, 36-38. Retrieved July 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=25023394&site=ehost-live
Carbone, T., & Tippett, D. (2004). Project risk management using the project risk FMEA. Engineering Management Journal, 16, 28-35. Retrieved July 5, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=16605660&site=ehost-live
Coffin, B. (2007). The i word. Risk Management, 54, 4-5.
Dugan, W. (1999). Global dangers. Risk Management, 46, 13-16.
Ellul, A., & Yerramilli, V. (2013). Stronger risk controls, lower risk: Evidence from U.S. bank holding companies. Journal of Finance, 68, 1757-1803. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=90167651&site=ehost-live
Englehart, J. A historical look at risk management. Risk Management, 41, 65-72.
Galvao, D. (2007). Handling global political risk. Canadian Underwriter, 74, 46-47. Retrieved July 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=25023396&site=ehost-live
Hoyt, R. (2006). American Risk and Insurance Association (ARIA). Encyclopedia of Actuarial Science. Retrieved July 6, 2010, from Wiley InterScience. http://mrw.interscience.wiley.com/emrw/9780470012505/eas/article/taa034/current/abstract
Jorgensen, H. Methods & elements of a solid risk management strategy. Risk Management, 52, 53-54.
Klinke, A., & Renn, O. (2002). A new approach to risk evaluation and management: Risk-based, precaution-based, and discourse-based strategies. Risk Analysis: An International Journal, 22, 1071-1094. Retrieved July 5, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=8979743&site=ehost-live
Krivkovich, A., & Levy, C. (2013). Managing the people side of risk. McKinsey Quarterly, 123-128. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=91665820&site=ehost-live
Martinson, O. (2000). Global investments: Discover your real cost of capital -- and your real risk. Journal of Corporate Accounting & Finance. 11, 23-28. Retrieved March 31, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=16853716&site=ehost-live
Morales, R. & Kleiner, B. (1996). New development in techniques for analyzing diversified companies in today's global environment. Management Research News, 19, 41-49.
Pérez-González, F., & Yun, H. (2013). Risk management and firm value: Evidence from weather derivatives. Journal of Finance, 68, 2143-2176. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=90167658&site=ehost-live
Rose, J. Promising career opportunities in risk management and insurance. Baylor Business Review, 18, 10-11.
Sharman, R. Enterprise risk management -- the KPMG approach. The British Journal of Behavioral Management, 31, 26-29.
Strazewski, L. Awareness of risk sparks renewed interest in ERM. Rough Notes, 145, 111-114.
Tufano, P. (1998). Agency costs of corporate risk management. FM: The Journal of the Financial Management Association, 27, 67-77. Retrieved July 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=557945&site=ehost-live
Suggested Reading
Burchett, J., Tummala, V., & Leung, H. (1999). A worldwide survey of current practices in the management of risk within electrical supply projects. Construction Management & Economics, 17, 77. Retrieved July 5, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=1576480&site=ehost-live
Iversen, J., Mathiassen, L., & Nielsen, P. (2004). Managing risk in software process improvement: An action research approach. MIS Quarterly, 28, 395-433. Retrieved July 5, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=14406327&site=ehost-live
Tufano, P. (1996). Who manages risk? An empirical examination of risk management practices in the gold mining industry. Journal of Finance, 51, 1097-1137. Retrieved July 5, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=9704101527&site=ehost-live