This is “The Risk Management Function”, section 4.1 from the book Enterprise and Individual Risk Management (v. 1.0).

4.1 The Risk Management Function

Learning Objective

  • In this section you will learn about the big picture of all risk management steps.

Traditionally, a firm’s risk management function ensured that the pure risks of losses were managed appropriately. The risk manager was charged with the responsibility for specific risks only. Most activities involved providing adequate insurance and implementing loss-control techniques so that the firm’s employees and property remained safe. Thus, risk managers sought to reduce the firm’s costs of pure risks and to initiate safety and disaster management.

Typically, the traditional risk management position has reported to the corporate treasurer. Handling risks by self-insuring (retaining risks within the firm) and paying claims in-house requires additional personnel within the risk management function. In a small company or sole proprietorship, the owner usually performs the risk management function, establishing policy and making decisions. In fact, each of us manages our own risks, whether we have studied risk management or not. Every time we lock our house or car, check the wiring system for problems, or pay an insurance premium, we are performing the same functions as a risk manager. Risk managers use agents or brokers to make smart insurance and risk management decisions (agents and brokers are discussed in Chapter 7 "Insurance Operations").

The traditional risk manager’s role has evolved, and corporations have begun to embrace enterprise risk management in which all risks are part of the process: pure, opportunity, and speculative risks. With this evolution, firms created the new post of chief risk officer (CRO). The role of CROs expanded the traditional role by integrating the firm’s silos, or separate risks, into a holistic framework. Risks cannot be segregated—they interact and affect one another.

In addition to insurance and loss control, risk managers or CROs use specialized tools to keep cash flow in-house, which we will discuss in Chapter 6 "The Insurance Solution and Institutions" and Chapter 7 "Insurance Operations". Captives are separate insurance entities under the corporate structure—mostly for the exclusive use of the firm itself. CROs oversee the increasing reliance on capital market instruments to hedge risk. They also address the entire risk map—a visual tool used to consider alternatives of the risk management tool set—in the realm of nonpure risks. For example, a cereal manufacturer, dependent upon a steady supply of grain used in production, may decide to enter into fixed-price long-term contractual arrangements with its suppliers to avoid the risk of price fluctuations. The CRO or the financial risk managers take responsibility for these trades. They also create the risk management guideline for the firm that usually includes the following:

  • Writing a mission statement for risk management in the organization
  • Communicating with every section of the business to promote safe behavior
  • Identifying risk management policy and processes
  • Pinpointing all risk exposures (what “keeps employees awake at night”)
  • Assessing risk management and financing alternatives as well as external conditions in the insurance markets
  • Allocating costs
  • Negotiating insurance terms
  • Adjusting claims in self-insuring firms
  • Keeping accurate records

Writing risk management manuals sets up the process of identification, monitoring, assessment, evaluation, and adjustments.

In larger organizations, the risk manager or CRO has differing authority depending upon the policy that top management has adopted. Policy statements generally outline the dimensions of such authority. Risk managers may be authorized to make decisions in routine matters but restricted to making only recommendations in others. For example, the risk manager may recommend that the costs of employee injuries be retained rather than insured, but a final decision of such magnitude would be made by top management.

The Risk Management Process

A typical risk management function includes the steps listed above: identifying risks, assessing them, forecasting future frequency and severity of losses, mitigating risks, finding risk mitigation solutions, creating plans, conducting cost-benefits analyses, and implementing programs for loss control and insurance. For each property risk exposure, for example, the risk manager would adopt the following or similar processes:

  • Finding all properties that are exposed to losses (such as real property like land, buildings, and other structures; tangible property like furniture and computers; and intangible personal property like trademarks)
  • Evaluating the potential causes of loss that can affect the firm’s property, including natural disasters (such as windstorms, floods, and earthquakes); accidental causes (such as fires, explosions, and the collapse of roofs under snow); and many other causes noted in Chapter 1 "The Nature of Risk: Losses and Opportunities"
  • Evaluating property value by different methods, such as book value, market value, reproduction cost, and replacement cost
  • Evaluating the firm’s legal interest in each of the properties—whether each property is owned or leased
  • Identifying the actual loss exposure in each property using loss histories (frequency and severity), accounting records, personal inspections, flow charts, and questionnaires
  • Computing the frequency and severity of losses for each of the property risk exposures based on loss data
  • Forecasting future losses for each property risk exposure
  • Creating a specific risk map for all property risk exposures based on forecasted frequency and severity
  • Developing risk management alternative tools (such as loss-control techniques) based upon cost-benefit analysis or insurance
  • Comparing the existing solutions to potential solutions (traditional and nontraditional)—uses of risk maps
  • Communicating the solutions with the whole organization by creating reporting techniques, feedback, and a path for ongoing execution of the whole process

The process is very similar to any other business process.

Key Takeaways

  • The modern firm ensures that the risk management function is embedded throughout the whole organization.
  • The risk management process follows a logical sequence just as any business process will.
  • The main steps in the risk management process are identifying risks, measuring risks, creating a map, finding alternative solutions to managing the risk, and evaluating programs once they are put into place.

Discussion Questions

  1. What are the steps in the pure risk management process?
  2. Imagine that the step of evaluation of the risks did not account for related risks. What would be the result for the risk manager?
  3. In the allocation of costs, does the CRO need to understand the holistic risk map of the whole company? Explain your answer with an example.