Regardless of the size of your organization, or the industry in which you do business, good and accepted practice requires that there be someone responsible for risk management, and that you have internal risk management controls, i.e., a risk management policy or plan, to address risk issues relevant to your business.
Risk management concepts are applied across all businesses and industries, including banking and investment, education, health care, legal and manufacturing, just to name a few. Each industry has its own specific approach and perspective to risk management. There are, however, widely recognized risk management concepts that can be applied to all businesses and industries. These include (1) identification of the potential risks; (2) evaluation of risks to determine likelihood, frequency and severity of risks; (3) prioritization of risks; (4) development of structure and internal controls to mitigate risk; and (5) because risks cannot be eliminated, insuring against risks. Information gathering on these concepts is key to the development of any structure and strategy for mitigation of risk.
Identification of risks
As indicated above, each industry has its own unique risks. For example, in the health care industry, in addition to patient care concerns, risk areas may include accuracy, compliance and patient privacy. Research should be conducted to identify the types of risk concerns that most frequently arise in your industry. In this regard, there is likely significant information available in the public domain that will address risk management issues that are pervasive to your business or industry. In addition to external research, internal group discussion will be critical to identifying risk concerns.
There are also risk concerns that apply across all businesses and industries. These include, but are not limited to, security and safety risks for the business and its employees; information technology risks; personnel risks, such as discrimination and harassment; and document storage and retention risks.
Evaluation of the risk
Once risks have been identified, there must be an evaluation of those risks, which will inform you of important considerations, including the likelihood and frequency of the risk event; the severity of the risk event (even if the risk of that event is not frequent); and the potential consequences of the risk event. Evaluation will also inform you as to whether the potential risk warrants internal control and the level of priority the risk will have within your risk structure.
Some examples may be instructive. A risk manager in the field of accounting, for instance, is aware that, depending on the complexity of a business, there may be risk concerns of material misstatement in the auditing process. Addressing severity may be more difficult, but it is equally important. One can foresee that a single event, although infrequent, could lead to a significant loss and even be catastrophic to a business. For example, in construction, given the nature of the work, a risk event could lead to significant injury or the loss of life.
Risk evaluation must further address the potential consequences of a risk event, including the effect those consequences will have on your business. Is the consequence of a risk event reputational or financial? Does the consequence preclude continued work in a business segment? To properly evaluate all of the foregoing, consideration of applicable laws, regulations, industry standards and best practices may be necessary.
As a final point on evaluation, it bears noting that thorough evaluation will almost certainly inform the development of mitigation strategies.
Prioritization of risk
Once evaluation of the risks attendant to your business is complete, the risks should be prioritized. Risks should be prioritized by frequency, severity and consequence, with appropriate weight given to each factor depending on your business or industry. Prioritization will provide an overview of all risks and place the focus on the risks that present the most significant threats to your business.
Structure and internal controls to mitigate the risk
Every business organization, regardless of size, should have a person with designated responsibility for risk management and have internal risk management controls.
With respect to a designated risk manager function, the size of an organization and the risks attendant to the business will dictate the size of the risk management function. It is not unusual for large companies to have extensive risk management teams. Other companies contract with an outside vendor to provide risk management services. Smaller organizations, or professional organizations such as law and accounting firms, may address the risk management function internally.
Internal control documents and risk management policies vary widely from business to business and industry to industry. There are, however, certain sections/topics that should be included in any risk management policy. These include, but are not limited to:
- A section setting forth purposes and objectives
- A section that identifies the organization’s risk management functions, including designated risk management personnel and the roles and responsibilities of all individuals charged with risk management functions. With respect to roles and responsibilities, it is critical to convey in the policy, and training sessions related to the policy, that it is the responsibility of all employees in the organization to assist in the mitigation of risk.
- Sections that set forth the procedures and strategies that have been developed to mitigate the specific risks that have been identified and evaluated through the information gathering process outlined above.
Insuring against risk
Because risk can only be mitigated, not eliminated, risk management considerations must include insuring against risk. The risk management process will, in turn, help identify the types and amounts of insurance needed to ensure the continued viability and success of your organization. Moreover, engaging in the risk management process, designating risk management personnel and responsibilities, and adopting written internal controls and procedures for mitigation of risk may result in insurance premium reductions.
Kevin J. English is the risk management partner with Phillips Lytle and leader of the firm’s Insurance Coverage Practice Team.