The Process*

Managing risk is good business sense. It is one of the most important things you can do to maintain the viability of your organization. An effective risk management strategy provides the opportunity for better pricing on your insurance premiums, saves you out-of-pocket costs like deductibles and ensures a safe and stable environment for your employees/volunteers and customers. An effective risk management program also helps you to understand and be prepared for the risks you face before losses occur. That preparation can mean the difference between an organization that thrives and one that fails.

No matter how you choose to manage your risk and reduce or eliminate potential losses, it is important to document the steps you take. A risk management plan without proof is of no use to an insurer.

Our will take you through the steps below. It can also be used to ensure all essential elements of the process have been identified and completed. The will give you a picture of your risk to help you establish your risk management priorities.

The basic steps of the risk management process are:

Step 1: Identify potential exposures to loss

Every activity of an organization poses a risk. Before an organization can control its risks and decide what to do (if anything), it must identify the risks.

Some risks are generic and inherent to many organizations – for example, the possibility of a visitor slipping on a wet floor, an employee/volunteer embezzling the organization's funds, or a former employee or client alleging violation of his rights.

Other risks are unique to your organization and based upon the services you provide. If it can happen in your organization, you should list it during this step of the risk management process.

• List your business’ objectives (key practices that must be in place so the business will not fail), activities, assets and key stakeholders. Then determine the associated risks.
• You can also consult other sources to get a picture of your risk, including:
• Your experience and your business’ experience.
• Past losses/claims (your agent or broker may be able to help)
• The experience of similar businesses or those in a similar industry
• Past accidents and incidents
• Statistics
• Industry associations
• Employee/volunteer feedback
• Complaints and/or suggestions of customers, the public and other stakeholders
• Consultants

Step 2: Evaluate the risk; look at the possible number and severity of claims

You may feel overwhelmed after completing the first step of looking at your exposure. Assessing the probability of each risk becoming reality (frequency) and estimating its possible effect and cost to the organization (severity) are the solutions.

For example, if you have a home-based business and most of your interaction with customers is over the phone or via e-mail, you would probably have a lower chance of many or expensive claims. (You can still have losses; consider the courier who is delivering business papers to your home and trips and falls on your sidewalk.) This would be in contrast to a bus company that transports senior citizens to special events. There is a greater chance of incurring a higher number of claims – you are driving on busy roads – and claims that are more severe – seniors can be of more fragile health.

Of the exposures identified in step 1, determine:

• Which are most likely to cause a claim or incident?
• Which will have the greatest impact on the organization, if they occur? A Risk Map may help you identify the risks that require the most attention.

Step 3: Examine options

Select and implement the appropriate risk management techniques. There are ways to manage an organization’s risks. Select the techniques that work the best for your organization. The five major risk management techniques are:

1. Avoidance: Can your organization eliminate a service or an activity it considers too risky?
2. Prevention or modification: What steps can be taken to reduce the likelihood of losses occurring? Can you change the activity so that the chance of harm occurring and impact of potential damage are within acceptable limits? (Establishing policies and procedures is the most common form of modification. For example, if your organization owns an automobile you may use modification techniques to manage risk by selecting and screening drivers, training drivers and developing other transportation policies.)
3. Mitigation: What steps can be taken to lessen the impact of losses should they occur?
4. Retention: Accept the risk as is. Some risk is inherent in the activities of your operation; your organization can accept or retain all or a portion of the financial consequences of a risk. (Deductibles are a form of retention. Another form of retention is deciding not to purchase an insurance policy for a specific exposure.)
5. Transfer (sharing): Your organization may transfer either the actual risk or the financial consequences of a loss to another party. For example, you may decide to hire a taxi company to transport your clients instead of using agency vehicles or volunteers driving their own cars. Insurance is a form of transfer where you pass the risk of financial loss to the insurance company. There are aspects of risks that cannot be fully transferred such as damage to your reputation or goodwill. As a result, most examples of risk transfer actually involve sharing the risk with another party.

^Back to top

Step 4: Decide which option to use

After reviewing all the possible options and looking at your risks, decide which of the possible risk management techniques best strikes a balance between effectiveness and affordability.

Step 5: Implement the chosen option

The first part of this step is to create the risk management plan. You are going to address in real, practical terms how you are going to make the option you choose work for your organization. Maybe this will involve creating a risk management committee.

An important part of the plan is to ensure that there is buy-in from senior management, staff, customers, volunteers and other stakeholders. This may involve a campaign that isn’t as much about training as it is about letting them know that changes are going to happen.

Ensure that staff and others are trained and informed about the plan. Not only do they need to understand the policies and procedures resulting from your risk review, they must understand that they have a broader role to play. They should be risk sensitive and understand that everyone in the organization suffers the consequences of the increased cost of risk.

Employees/volunteers should understand how to complete the appropriate forms and reports. They should also be updated on accident and claims frequency and cost.

Step 6: Monitor results

In this day and age, change is the only constant. The dynamic nature of your organization requires that your risks and risk management plan be reviewed at least once a year.

First, you should evaluate the plan to determine if it is working. You should also look at whether your risks changed during the course of the year, and if changes to the plan are required. Changes in your operation must be reviewed to ensure that the risk management program continues to be relevant, comprehensive and effective. In the annual review of your operation, you may find that you are over-insured (e.g., if you have discontinued a service) and can drop the additional coverage. If your operation has expanded, you can see where you may require additional coverage to ensure that you and your organization are fully protected.

Keep accurate records of how the plan has changed and the results of the annual reviews. It shows your insurer that you are committed to risk management and have a history of implementing thoughtful and adaptive plans.

Conclusion

Risk management is a pragmatic process with real-world implications. An organization cannot craft a plan and then put it on the shelf. Risk management is a way of thinking that must permeate the whole organization – from the most senior board member to the newest volunteer. It is everyone's responsibility to ensure risk management becomes an integral part of an organization.

Risk management seeks to preserve an organization’s continued ability to perform its mission, grow, maintain good health, and preserve its social responsibility to the entire community.