Understanding Risk Management


If the future could be predicted with 100% accuracy, individuals and organizations could plan to completely avoid or flawlessly address their exposures to loss. In reality, unknown events can upset even the best predictions of performance and prevent individuals and organizations from accomplishing tasks, meeting goals or attaining expected results. The threat of loss requires consideration of ways to deal with it and the consequences of loss if it occurs. Risk management is the method and discipline used to address this uncertainty.

In the last half of the twentieth century, risk management developed from a group of vague, unorganized concepts, relying heavily on common sense, into a highly developed and organized discipline that enables organizations to anticipate losses and that suggests actions to prevent or reduce those losses.

What Is “Risk”?

Risk is the uncertainty, possibility or chance of loss. A chance occurrence that results in monetary losses makes the profit predictions of an organization unreliable. Taken a step further, such chance occurrences may expose the organization to a loss or series of losses of a magnitude that could compromise its financial stability and ability to survive.

Risk Management Defined

Risk management is the active identification, evaluation and management of all potential hazards and exposures to loss that a risk may experience. It incorporates insurance in the process but also provides organized alternatives if insurance is unavailable, inappropriate or too expensive.

Risk management is a continuous process of identifying loss exposures, measuring them against the firm’s ability to tolerate them and then handling them with the appropriate control, transfer or financing techniques. Constant monitoring of exposures and attention to them affects risk management decisions. Exposures identified but not already addressed by a strategy must be reevaluated and decisions made about the best methods for handling them.

Under the current, broader concept of Enterprise Risk Management, the goal also includes using concepts that allow a business to identify and assess additional business opportunities, with the evaluation covering how well each opportunity fits the entity’s risk appetite.

Types of Risk

Risk is either speculative or pure. Speculative risk has two possible outcomes: the chance of gain or the chance of loss. When a business commences operations, it will experience only two possible outcomes over a period of time. It may be successful and make money or it may lose money because income does not cover expenses. Organizations deal with this type of risk by choice, actually seeking or exposing themselves to certain risks with the hope of taking advantage of opportunities. Speculative risk includes consideration of opportunity costs and what might be lost by not taking a chance on a potentially profitable venture. Risk managers involved with this type of risk must be able to evaluate business, credit and commodity risks, hedging exposures and investment risks.

The other type, pure risk, also offers two possible outcomes: loss or no loss. Examples of this type of risk include loss to property by fire, wind, or theft; third party liability claims for damages; or the interruption or reduction of income from loss of power, strikes or fire. With pure risk, the most favorable outcome is to have no loss. The only other possibility is that a loss will occur. This is why exposures need to be identified and analyzed to determine the effect they may have on continuing business operations. Whether or not identification and analysis take place, the only two outcomes with pure risk situations are loss or no loss. Risk managers involved with this type of risk must be knowledgeable and experienced with insurance, various risk transfer clauses in operating contracts, loss control and safety and accident prevention.

Pure risk exposures involve a number of broad and diverse classes of risk. They include:

· Economic
· Legal
· Political
· Social
· Physical
· Juridical

Any or all of these can present significant exposures to any organization. Pure and speculative risks do not exist independent of one another. Both types exist and interact with one another in varying degrees in most organizations. The focus of this article is confined to pure risk exposures.

The Risk Management Process

The risk management process consists of activities organized into five sequential steps or phases:

1. Risk Identification
2. Risk Analysis
3. Risk Control
4. Risk Financing and
5. Risk Administration

1. Risk Identification

The first risk management step is identifying the existing exposures to loss as well as exposures that may exist in the future. This is accomplished by gathering information by any number of methods, including survey forms, questionnaires, physical inspections, product and procedure flow charts and contracts, financial records and loss history reviews. These approaches attempt to discover the exposures to loss faced by an organization. This phase is the foundation of risk management, since a risk not properly identified or addressed by the organization or an individual is retained.

2. Risk Analysis

Once the exposures are identified, they must be organized and quantified. This is accomplished in this phase. Organizing risk, also known as the qualitative portion of the analysis phase, requires reviewing and categorizing exposures into those sharing common elements. One method is to place exposures into similar classes representing potential losses, such as:

· Property exposures
· Liability exposures
· Net income exposures
· Human resource exposures

This phase also includes quantifying the loss potential from the identified exposures. This is accomplished by estimating the dollar amount of future losses that may occur.

One method of projecting future losses is to review past loss experience, then use statistical probability and trend analysis to extrapolate that past experience into estimated future losses. Quantification also assists the risk manager in prioritizing the order or sequence in handling possible loss exposures.


Example: The new Risk Manager for Southwest Machine Manufacturers Unlimited has no idea about which loss exposures need greater attention. She pores over the last ten years of the company’s loss experiences and discovers the following:

Situation A: Property losses occurred twice a year and each incident averaged $15,000.

Situation B: Fleet auto losses occurred more than a dozen times a year and each incident averaged $6,000.

Situation C: Commercial General Liability losses occurred about once every four years and averaged $45,000.

Based on this information, she decides to tackle the company’s auto losses. Although the average loss per incident was far lower than the property and liability losses, their annual frequency was much higher, resulting in the highest amount of total annual loss. Total annual cost: Situation A, $30,000; Situation B, $48,000; Situation C, $11,250.


3. Risk Control

This is the action phase. It includes any action taken, at optimal cost, to minimize or reduce losses that may occur. The principal types of risk control methods most commonly used in this phase are:

a. Avoidance
b. Prevention
c. Reduction
d. Segregation
e. Contractual Transfer

Let’s look at exactly what is meant by each of these terms.

a. Avoidance

Avoidance is a decision to not engage in a particular activity that creates an exposure to loss. It can also mean the elimination of an activity that creates an exposure to loss.

Example: Jana, Acme Filters Inc.’s CFO, studies an offer to buy a small filter company that has developed a new process meant to strengthen filter fibers. Jana decides to decline the opportunity after research discovers that the method would increase manufacturing costs by nearly 30%. Further, the firm’s insurance records show that the process used has resulted in worker injuries from chemical burns. Therefore, she avoids the exposure of increased costs, a lower per-unit margin of profit and the higher worker injury hazard.

When a risk is avoided, loss probability is zero. Be aware that this method is not practical in all cases, since it could involve avoiding activities that might be positive and result in profits. In the example above, Jana’s decision to not invest in the stock also eliminates the chance to benefit from that stock’s possible market gains.

b. Prevention

Prevention is any measure that reduces the probability or frequency of a particular loss occurring but which does not completely eliminate all possibility of that loss occurring. Prevention attempts to reduce the likelihood of an occurrence.

Example: The safety supervisor for Nifty Manufacturing adds machine guards to their equipment in order to prevent access to moving parts which could injure its machine operators.

c. Reduction

Reduction efforts attempt to reduce the severity of the losses that do occur. Wearing a motorcycle helmet when riding does not stop the accident from happening, but it should reduce injury to the rider if an accident does occur. This approach recognizes that, since certain losses are inevitable and cannot be avoided or prevented, they should be acknowledged and steps taken to minimize their impact.

d. Segregation

Segregation consists of two techniques. The first is separation of loss exposure units and it is used in conjunction with the second technique, which is the duplication of loss exposure units. With separation, assets are divided into two or more separate units. If they are then further separated geographically, the likelihood of all assets being lost in a single event is greatly diminished. Duplication, on the other hand, involves the reproduction of an asset to be a standby kept in reserve. A common example of risk control by segregation is in the use of computer backups. The backup disk becomes the duplication function and storing the backup disk in a separate location is an example of the separation function.

e. Contractual Transfer

Contractual transfer is the shifting of a loss exposure in conjunction with an asset or activity, using a written contract or agreement, from one party to another. In contractual transfers for risk control, there is no indemnity or compensation between the parties. The obligations for loss exposures resulting from the performance of certain activities that one party deems hazardous are transferred. An example of risk control by contractual transfer is the outsourcing of a “risky” activity to an independent contractor.


Example: An automobile dealership service center accepts vehicles requiring all types of repairs but arranges for independent contractors to perform the painting and welding repairs.


The risk control phase is important but it only rarely eliminates risk unless avoidance is practiced. The undesirable event may still occur and if it does, the organization will need funds to pay for the damage caused by the loss. These funds are obtained through the function of risk financing.

4. Risk Financing

Risk financing involves acquiring, at the lowest cost, the funds from which losses will be paid.

There are only two answers to the question of who pays for damages caused by losses. In one case, the organization experiencing the loss pays for the damages (risk retention). In the other case, another person or a different organization pays for the damages (risk transfer). There is a distinction between risk transfers made for risk control and risk transfers made for risk financing. Risk control transfers shift or transfer the acts or obligations to perform to another party. Risk financing transfers shift the obligation to pay. It is possible to transfer the obligation to perform a given act or process without transferring the obligation to pay for losses as a result of the obligation to perform. The reverse is also true and allows transfer of the obligation to pay without transfer of the obligation to act. It is normal to transfer both the obligation to act and the responsibility to pay losses arising from the transferred obligation but it is not necessarily done that way in every case.


Example: A general contractor hires a sub-contractor to install the heating and cooling equipment at a work site and the general contractor is listed as an additional insured on the sub-contractor’s insurance policy.


Financial risk transfer is accomplished in one of two ways. One is to transfer it to a professional risk bearer (an insurance company) by purchasing an insurance policy. The other is to transfer it to someone other than an insurance company. The financial transfer of risk to an insurance company is well known and understood and was briefly discussed in the first part of this article. The financial transfer of risk to a non-insurance entity is not necessarily as well known but is still fairly common. Hold harmless agreements, indemnification clauses and liquidated damages clauses are examples of frequently used risk financing transfer clauses. They are found in a number of different written operating contracts, such as lease agreements, customer sales agreements and agreements with independent contractors. Other examples of financial risk transfers include the obligation of a tenant to pay for plate glass damage or for the repair/replacement of mechanical equipment damage to the landlord’s building.

Persuading another entity to pay for losses may be desirable but the cost of actually doing so may be prohibitive or impractical. As mentioned above, any risk not transferred is retained. In many cases, it may be more cost-effective to retain certain risks and the resulting damages and pay them like operating expenses. Losses that occur frequently and predictably but which have fairly low dollar amounts attached to them can usually be budgeted and efficiently financed internally through risk retention. Other methods of risk retention and financing include pre-loss funded and unfunded reserve accumulations and post-loss borrowing of funds.

Defining and coordinating financial risk transfer methods with financial risk retention methods is one of the most challenging tasks confronting the risk manager. The ability to anticipate losses, to make arrangements to prevent, reduce or control their impact, and to adequately arrange for funds to be available to pay for them is the reason the position exists and is one of the measures of the worth of the risk manager to the organization.

Risk control and risk financing activities interact with each other. An effective risk management program must use at least one risk control technique and one risk financing technique for each identified exposure.

5. Risk Administration

Risk administration is the implementation and monitoring of risk management policies and procedures. Risk administration covers a broad range of activities frequently assigned to the risk management department. Some examples are:

· Corporate planning
· Policy development
· Safety programs
· Contingency and catastrophe planning
· Crisis management

Other regular or frequent administration activities include claims administration, allocation of the costs of risk, litigation management, insurance acquisition, loss monitoring and incident (near-miss) investigations.

How Does the Risk Manager Help?

The risk manager’s job is to identify and analyze risks and to make recommendations to management concerning how to control and finance them. To do this effectively and efficiently, the risk manager must be aware of all the activities, assets, locations, products and processes of the organization. Risk managers must also have knowledge of business law, statistics, economics, safety and loss control, business finance and insurance. Most of all, the risk manager must be innovative in applying this knowledge in the performance of his duties. The risk manager is responsible for anticipating losses, adequately preparing the organization for them and minimizing the costs of doing so.

The Role of Insurance in Risk Management

Insurance is a component of risk management, not a substitute for it. In exchange for the payment of a known loss (the premium), insurance transfers the financial consequences of covered loss exposures from the insured to the insurance company. This transfer of loss exposures by purchasing insurance to cover them is the most common and frequently used method of handling risk. However, some exposures are simply too trivial to justify the purchase of insurance and others are so monumental, uncertain or uninsurable that no insurance carrier will accept them. In addition, worldwide exposures, certain unique types of risks and exposures created by government-enacted legislation are normally avoided by most insurance companies. To summarize, insurance is simply not available for many of the risks and exposures that organizations face. If insurance for a given risk or exposure is not available, that risk or exposure becomes retained by the insured and must be financed with funds from within the organization if it causes a loss.

Insurance availability is not the only reason to seek alternatives to handling risk. Organizations monitor use of corporate funds closely because of the ever-present need to maximize profits. If organizations do not use the most effective and efficient methods of financing identified risk or loss exposures, they jeopardize their competitive position in their marketplace and possibly their future survival.


Insurance may be the first or last way to handle risk but it is not necessarily the only way or the best way. Risk management is a comprehensive approach to handling risk by identifying, analyzing, controlling and financing risk, and finding and implementing the most efficient methods for doing so. The risk management function plans pre-loss activities, prepares the organization for losses and executes post-loss activities. When risk management activities are done effectively and efficiently, they offer a thorough and efficient approach for addressing the expenses and effects of losses that face an organization.