1.2 The Practice of Risk Management
Risk management is the process of assessing, treating and monitoring all of an organization’s risks in order to minimize their adverse effects on the organization.
The practice of Risk Management has gone through two major changes since its inception to keep pace with the evolution of risk and the fact that yesterday’s practices are not able to address the threats of today. Although the management of risks has occurred throughout history, Traditional Risk Management was practiced as a science after World War II and continued in its original form until the mid-1950s. Traditional Risk Management, formally described as just risk management, has long been associated with only hazard risks, which are the subject of insurance based on accidental losses; that is, losses that are not intentional. Hazard risk is pure risk, meaning that the outcome is either a loss or no loss; no gain can be realized. In comparison, speculative risk, which is not the subject of insurance, involves a chance of loss or no loss, but also the possible realization of a gain. The following statement is important to understanding hazard risk and its connection to insurance:
Pure Risk is Hazard Risk…Hazard Risk is an Insurable Risk
The next major step in the evolution of risk management was the introduction of Enterprise Risk Management, which emerged during the 1990s as an approach to address all of an organization’s risks. Enterprise Risk Management gained a lot of traction between the years 2000 and 2010, especially during and after the financial debacles occurring in 2007-2008.
Enterprise Risk Management (ERM) is a holistic approach to risk management, meaning there is a broader understanding of how all the risks affect the organization. Traditional Risk Management places individual risks into silos; Enterprise Risk Management views risks as being interrelated and, in a sense, wraps its arms around all the organization’s risks, allowing them to communicate with one another.
Where Traditional Risk Management focuses only on hazard risk, Enterprise Risk Management focuses on all the categories of risk, which include hazard, operational, financial, and strategic risks (HOFS). Included in these four categories of risks are business risks, which are speculative in nature, as they can result in a loss, no loss, or a gain.
Enterprise Risk Management, or Enterprise-Wide Risk Management, is an organizational approach to managing all key business risks and opportunities to maximize the potential of an organization to achieve its objectives.
Differences between Enterprise Risk Management (ERM) and Traditional Risk Management:
- ERM focuses on all of the organization’s risks (hazard and business risks). Traditional Risk Management focuses only on Hazard Risks.
- ERM helps an organization maximize its productive potential. Traditional Risk Management restores an organization to its pre-loss condition prior to the occurrence of a negative event.
- ERM focuses on the worth of the organization. Traditional Risk Management focuses on the cost of the accidental loss.
- ERM focuses on the entire organization. Traditional Risk Management can be practiced separately or as a component of enterprise risk management.
- ERM focuses on a balance between the upside and downside of risk and can be applied to all organizations. Traditional Risk Management focuses on the downside of risk and can be applied to safeguard an organization against the adverse effects of insurable risk.
The focus of this course will be on the Enterprise Risk Management approach.
It is important to note that Enterprise Risk Management concepts, elements and techniques are applicable to all organizations regardless of size. They can be used by multinational organizations spanning the globe or by sole proprietors operating in much smaller environments; it is a matter of the size and scale of the risk management offering. Larger organizations will very likely have dedicated risk management departments consisting of risk officers, risk managers, loss control specialists, legal teams, and an insurance team.
Roles in Risk Management
- Risk officer: an individual who has direct authority over the risk management team and reports to senior management.
- Risk manager: an individual who oversees the risk management process in the organization to protect its assets.
- Loss control specialist: an individual who has the expertise to perform physical risk inspections within the organization to identify risk and to make recommendations to minimize the frequency or severity of risk.
- Legal team: individuals who perform legal functions as lawyers, legal experts, or legal specialists in the organization.
- Insurance team: individuals with an insurance background who have the expertise to negotiate insurance contracts and manage claim settlements.
In a smaller organization, the responsibilities for risk management are often placed on top of the daily activities of individuals associated with operating the business.