6.2 Risk Treatment Techniques for the Enterprise-Wide Risk Management Process
The Enterprise-wide risk management process is a five-step process that holistically addresses the upside and the downside of the risks faced by an organization across four risk categories:
- Hazard Risk
- Operational Risk
- Financial Risk
- Strategic Risk
Organizations have the option to choose the language that will be used not only to describe the way that its risks are categorized but also to describe the techniques that are used to treat them. For hazard risks, which are pure risks, the risk treatment should focus on modifying the potential for only negative outcomes. Risk treatments for speculative risks must focus on modifying the outcomes of both positive and negative outcomes. Risk treatment is a continuous process, and the techniques selected to modify risks at one time might no longer be viable in the future. This is particularly true in cases involving emerging risks created by introducing new technologies, changes in existing processes and risks that have developed or evolved beyond their known context.
Risk Control & Risk Financing
When an organization is faced with treating its risks, there are two main options available to the organization. The first option is to use Risk Control to avoid activities that have the potential to cause future losses or to take corrective actions to modify the likelihood and/or impact of risk. The second option is to use Risk Financing techniques to generate funds to pay for loss events. Organizations will often implement elements of both options in combination to create an effective risk treatment package.
Risk Control…Risk Financing or both!
There are five accepted risk treatment techniques that can be used to address the categories of risk included in enterprise risk management:
- Risk Avoidance
- Modifying the likelihood and/or impact of the risk
- Risk Transfer
- Risk Retention
- Risk Exploitation
Risk Avoidance
Risk avoidance is a risk treatment technique that terminates risk by stopping or never undertaking the activity or activities that have the potential to cause a risk to occur. This technique reduces the probability of the loss to zero except in cases where the activity was previously conducted and a decision was made by management not to continue with the activity. When risk avoidance is implemented by an organization as a risk treatment, additional risk treatment techniques are often not required.
The obvious upside to risk avoidance is that the chance loss is removed because the activity is no longer conducted by the organization. The downside is that the organization will lose any benefits or gains that the activity could have provided.
Examples
- An individual who does not drive a car cannot cause an automobile accident because the activity of driving is avoided.
- When a manufacturer of furniture decides to stop producing its line of baby furniture and cribs due to the potential of product liability actions, the probability of future losses caused by baby furniture is reduced to zero because this activity is avoided. The organization could still face losses from baby furniture and cribs that were manufactured prior to the cessation of their production.
- A fabrication shop that manufactures agricultural equipment spray paints finished products before sending them out to customers. A decision was made by management to contract out spray painting operations due to the complexities and costs of complying with environmental regulations. This example of risk avoidance has a downside because the organization will have the inconvenience and additional expense of transporting the equipment to an offsite facility and paying the contractor for spray painting services, which could lead to a loss of competitive advantage due to a possible price increase. The organization will also face a loss of revenue as it will no longer be including the price of spray painting in its invoices.
- An auto body shop that uses a solvent-based painting system reduces levels of volatile organic compounds by changing to an aqueous or water-based technology. By substituting solvent-based paints with water-based paints, the auto body shop is avoiding the use of more hazardous materials and the requirements to store, dispense and apply them.
Modifying the Likelihood and/or Impact of the Risk
Modifying the likelihood of a risk is a risk treatment technique that involves measures to decrease or change the probability or frequency of the positive or negative effects of a risk through corrective actions or controls. These are steps that are taken by the organization before an event occurs. Likelihood can be measured quantitatively or qualitatively. For example, quantitative analysis could determine that the probability or frequency of a delivery vehicle being involved in an accident is 18%. The qualitative analysis would be based on the experience of the fleet manager and could describe the probability or frequency of an accident as being extremely low, low, moderate, high, or very high.
The other component of this risk treatment technique is modifying the impact of the risk. These are steps that are taken by the organization to reduce the consequences or impact of an event after it has occurred and affected the organization. As with likelihood, impact can be measured using quantitative and qualitative analysis. Quantitative analysis involving the magnitude or size of an event as the result of risk can be measured by calculating the probability of the risk occurring and the consequences or severity associated with the risk. Qualitative analysis could describe the impact, severity or consequences of the risk by assigning levels such as minimal, moderate or severe ratings.
Often, the approach when using this risk treatment technique is to either modify the likelihood of the risk or to modify the impact of the risk. It is not uncommon to use both elements of this risk treatment technique when responding to a risk.
Examples
- The impact of a fire on a distribution centre would be modified by installing an automatic sprinkler system inside of the premises. Although the sprinkler system will not affect the frequency of a fire, it would lessen its effects by controlling or suppressing the fire once it has started, thereby reducing the consequences. In this case, the risk response will modify the impact of the risk.
- Installing high-security locks on doors and bars on the interior surfaces of windows will modify the frequency of break-and-enter occurrences by intruders. This is an example of modifying the likelihood of the risk.
- A retail operation considering expansion in Canada could take steps to modify the likelihood and impact of this initiative to ensure a positive outcome and to prepare for any negative effects that could arise. The organization is deliberately pursuing this speculative risk with the intention of achieving growth and profits, but there could be a downside associated with taking this opportunity. The negative aspect of this risk would be the need for more profitability achieved by the new location. Additionally, not pursuing this opportunity risk could result in the organization falling behind its competitors and losing market share in that region.
- Organizations can modify the frequency and impact of risks involving commodities by using financial instruments. For example, airlines require fuel to operate aircraft. Aviation fuel is a commodity that is subject to volatility in its price per litre because of many factors. A futures contract is a financial instrument that can be used to lessen the impact caused by an increase in the price of aviation fuel. If an airline agrees to purchase fuel from a supplier for a set price over the next three years to protect itself from the variability of fuel prices, it is using a futures contract to modify the impact of the risk. If fuel prices rise and the airline is locked in at a lower price per litre, it will have a positive outcome and a competitive advantage over its competitors. A negative outcome will be realized if prices decrease and the airline is locked in at a higher price.
Risk Transfer
Risk transfer is a risk treatment technique that is used to shift the financial responsibilities of future losses to another party. Risk transfer is one of two risk financing techniques that can be used to provide assets and resources to an organization. The second risk financing technique is Risk Retention, which will be discussed after the risk transfer. In almost all cases, risk transfer is applicable to pure risks, which are hazard risks.
An organization can transfer risk using any of the following methods:
- Guaranteed cost insurance is a primary risk transfer mechanism involving insurance contracts that provide coverage for insurable perils. A known cost in the form of a premium is paid to the insurance company with the promise that the insurance company will place the organization or individual back into the same financial position that it was in prior to the loss in compliance with the principle of indemnity.
- Non-insurance contracts transfer the financial consequences of an event or future event based on a relationship with a party other than an insurance company by contractual agreement. The relationship will involve an agreement where one party agrees to assume the financial responsibilities of a second party for losses that incur as per the terms of the contract. A hold-harmless or indemnity agreement is an example of a non-insurance contract where one party (indemnitor) agrees to assume the financial consequences caused by the liability of another party (indemnitee).
- Derivatives are financial contracts that derive their value from another asset. Forward contracts, future contracts, options and swaps are all examples of derivatives. Derivatives can be used to transfer financial risk by offsetting the consequences of financial risk using a technique called hedging. Hedging does not mean that financial instruments will not experience a decrease in value but what it does do is to offset the losses from one investment and balance them against the gains from another investment with the intention of mitigating the adverse effects of financial risk.
Examples
- Fire is a hazard risk that has a low likelihood and a high severity on a risk map placing it in the top left corner of the risk map. Risks that lay in this quadrant are ideally situated to be insured. An organization that wants to minimize the financial impact or consequences resulting from a fire that could occur in the future could purchase guaranteed cost insurance. The purchase of guaranteed cost insurance will reduce the financial uncertainty associated with a potential fire loss by indemnifying the policyholder should the peril of fire occur.
- The management of a chain of retail furniture stores contracts a furniture manufacturer to provide chairs to be sold in their stores. The management of the retail furniture store requests that the manufacturer sign a hold-harmless agreement holding the retailer harmless as a part of the contract. If this agreement is signed, then the manufacturer of the chairs would assume the financial responsibility for any liability that results from their chairs. A customer purchasing a chair that causes an injury could bring legal action against the retailer and the manufacturer. If the manufacturer signs a hold harmless agreement with the retailer, then the financial consequences of the retailer’s liability will be transferred to the manufacturer.
- A Canadian-based company engages in a forward contract with a financial institution to purchase U.S. dollars at a future date but at the current exchange rate. The Canadian company will be protected from financial losses if the U.S. dollar increases in value at a future date. The downside is that if the exchange rate decreases, the Canadian-based company will be obligated to purchase U.S. dollars at the exchange rate that was agreed upon.
Risk Retention
Risk Retention is a risk treatment technique where the organization retains the financial responsibilities of future losses. This risk treatment can be the most or least preferred risk financing technique selected by an organization, depending on many factors. Organizations often choose to practice risk retention because it is the most economical way to finance risk when compared to the cost of guaranteed cost insurance. The property and casualty insurance industry is cyclical in nature; during a soft market, there is an abundance of insurance markets available, and rates are low. In contrast, a hard market results in higher insurance rates and a reduced capacity or availability of insurance. Organizations may decide to purchase guaranteed cost insurance to transfer financial risk during a soft market cycle and to retain financial risk during a hard market cycle. It should also be understood that the activities or claims experience of some organizations might fall outside of the appetites of insurance companies, resulting in risks that are uninsurable. In this case, risk retention is the only option.
Self-insurance is a practice that involves setting funds aside to cover the consequences of retained losses. It is a technique that is selected by an organization to reduce its cost of risk when the organization can predict its future losses with a degree of accuracy. Losses that are predicted to be high frequency and low severity are ideal risks to self-insure, as risk control techniques can be implemented to decrease their frequency. Although there are many advantages associated with self-insurance, such as improved cash flows, focus on loss control, cost savings, flexibility and control over claims, there are disadvantages, such as the uncertainty of large losses, lack of resources, and administration requirements. An organization that is self-insuring can actively retain the financial consequences of its predicted losses by ensuring that funds are available in advance. In contrast, some organizations practice in-active or informal risk retention and do not have funds set aside to cover the financial consequences of losses that could affect the organization.
A hybrid risk financing plan incorporates the elements of both risk transfer and risk retention as funds are available from both inside and outside of the organization. A deductible is a specified amount of money that an organization is required to pay towards a loss that an insurance company does not pay. Deductibles are used to lower insurance costs and to minimize nuisance claims involving small losses.
Example
If a total loss occurs on a property that is insured for $1 million dollars with a $50 thousand-dollar deductible, then the loss would be paid as follows:
- Amount paid by the insured is $50 thousand dollars
- Amount paid by the insurer is $950 thousand dollars
The organization retains $50 thousand dollars of the loss and transfers $950 thousand dollars of the loss to the insurance company.
A captive insurance company is a hybrid risk financing plan that is a subsidiary of a parent company that is not an insurance company. The primary reason that an organization will form a captive insurance company is to insure the parent companies’ risk and the risk of its affiliates with the intention of reducing the cost of risk. Captive insurance companies are alternatives to self-insurance; they are licenced insurance companies that must meet the requirements of the domicile in which they are located. A captive insurance company can be located anywhere in the world, but some domiciles are captive-friendly domiciles that offer favourable regulatory requirements, tax implications, stability, capital and solvency requirements. It should be noted that a captive is a legitimate insurance company that issues policies and collects premiums from its parent company. It could also take on insurance risks outside of its parent company.
A captive insurance plan will retain the first layer of losses where there is a high frequency and low severity by issuing a policy to the parent company and transfer losses with a higher severity to an insurance company or by purchasing reinsurance through the captive.
Reinsurance is a transaction that transfers the financial consequences of insurance risk from a primary insurance company (in this case, the captive) to another insurance company known as a reinsurer.
Examples
- An organization seeking to lower its cost of insurance plans to assume the financial consequences of its risks decides to self-insure by putting money into a fund to pay for high frequency/low severity losses that it predicts will occur in the future. The organization is practicing risk financing using retention.
- A hard insurance market has resulted in higher insurance rates for an organization. The organization decides to investigate the possibility of forming a captive insurance company or self-insuring to reduce the organization’s cost of risk. The fact that captive insurance companies have elements of retention and transfer is more appealing to the organization than self-insurance, which only has the element of retention. After evaluating the domicile where the captive will be located, the organization selects the risks that the captive will be retaining and the risks that it will transfer through a reinsurance arrangement.
Risk Exploitation
Risk Exploitation is a risk treatment technique that involves actions or activities that are taken to ensure that the benefits from an opportunity are maximized by the organization. While there is a risk to an organization when it pursues an opportunity, there is also a risk to an organization when it does not pursue an opportunity. The risk treatment of exploit can be applied to risks that have an upside and a downside, but it is more commonly used with events that have positive outcomes. Organizations that conduct activities to exploit risk are taking steps to eliminate the uncertainty associated with events to ensure that a positive result occurs in order to meet objectives. An organization can take steps to measure the probability and impact of risk events to achieve a positive outcome, whereas with uncertainty, future events are not known, and the organization would have doubts about what the outcome would be.
Example
Risk Control for Hazard Risks
The five accepted risk treatment techniques applicable to enterprise risk management that have been explained above are:
- Risk Avoidance
- Modifying the likelihood and/or impact of the risk
- Risk Transfer
- Risk Retention
- Risk Exploitation
These risk treatment techniques can be used to respond to risks across the four risk categories of Hazard Risk, Operational Risk, Financial Risk and Strategic Risk.
Hazard risks are pure risks that have a chance of loss; no loss but no gains can be realized; there are only negative outcomes. Insurance companies deal with the negative outcomes of pure or hazard risks resulting from accidental losses; speculative risks are not to be considered insurable. Hazard risks are defined by their capacity to cause harm to people, property or legal liability.
There are six risk control techniques exclusive to hazard risks which were the sole focus of traditional risk management practitioners. These techniques are very specific to hazard risks and were not intended for use with speculative risks, in other words, risks with positive or negative outcomes.
Avoidance
Avoidance is a risk control technique that terminates risk by stopping or never undertaking the activity or activities that have the potential to cause a risk to occur. It is identical in meaning to risk avoidance, which was described earlier as a risk treatment for the upside and downside of risk under enterprise risk management. It is not practical to terminate some activities to avoid the downside of risk, but when a risk is avoided, the probability of loss is zero unless the activity was previously undertaken by the organization prior to being terminated.
Loss Prevention
Loss prevention is a risk control technique that is similar in its intent to modify the likelihood of the risk, which was described as a risk treatment for risks included under enterprise risk management. Loss prevention measures are implemented prior to the occurrence of a negative event with the intention of reducing the likelihood, frequency or probability of the event. Loss prevention differs from avoidance because it does not terminate or eliminate the chance of loss. Risk control techniques associated with loss prevention do not affect the impact or severity of a risk because they are pre-loss measures intended to prevent the occurrence of an event before it starts.
Loss Reduction
Loss reduction is a risk control technique that is similar in its intent to modify the impact of the risk, which was described as a risk treatment for risks included under enterprise risk management. Loss reduction measures are implemented after the occurrence of a negative event with the intention of reducing the impact, severity or consequences of the event. Loss reduction measures can be identified as being either pre-loss measures, post-loss measures or both. Pre-loss measures, as stated earlier, are steps that are taken to reduce the frequency of a loss, but they can also be taken to reduce the severity of a loss. An example of a pre-loss measure for the peril of fire is to construct buildings with fire-resistant materials that do not contribute fuel to the fire. Post-loss measures focus on the negative event after it has occurred and are normally associated with emergency procedures or recovery from the event. An example of a post-loss measure for the peril of fire would be the operation of an automatic sprinkler system that responds to a fire that has started inside the building.
Separation
Separation is a risk control technique that spreads assets or activities over several locations to reduce the severity, impact or consequences of a negative event at one location, affecting only that location and not the entire organization. An example would be an organization shipping products from two distribution centres located in different geographical locations in Canada. If a fire causes a total loss at one location, then the company could still distribute products from the second location. The second location must have the capacity and resources to operate independently across a region formally served by two distribution centres to prevent an interruption in service.
Duplication
Duplication is a risk control technique that keeps alternate assets in reserve to reduce the severity, impact and consequences caused by the loss of an organization’s primary assets. The duplicate assets are used to maintain continuity of operations in the event of a loss to the primary assets. Duplication is often not practical as it can be costly to an organization because the duplicate assets are sitting in reserve and are not used unless called upon. The main difference between separation and duplication is that all the assets associated with separation are in regular use, whereas the assets associated with duplication are not used and are held in reserve.