Determining acceptable risk levels.

An organization daily faces risks that can disrupt the continuity of its operations. It is generally accepted that the objective of risk management is to treat these risks in the most economical way. This is most often effectively achieved through an integration of these risks into the management of the organization rather than through a pure transfer to an insurer. In this context, the question of whether a risk management approach should be adopted is not a topic of primary importance.

There is another principle, however, that is implicit in the risk management approach: if a large loss happens tomorrow, is the organization going to survive despite all existing insurance contracts? Chances are, the answer is no. According to a recent statistic from the Chubb Group of Insurance Companies, 85 percent of the organizations that have suffered a major loss in their largely computerized administrations are going to go under within the following three years.

It is logical to assume that these organizations have considered the risk of a loss on their computer system to be "acceptable" and this has turned out to be a serious mistake. Then again, these organizations may not have considered the possibility of a loss at all (a mistake in the identification of the risk). Perhaps these organizations may have thought that the probability of a loss was so small that it could be neglected (a mistake in the evaluation of the risk). Or these organizations may not have considered all the consequences of a loss, and therefore the risk has been underevaluated (a second mistake in the evaluation of the risk). It is also possible these organizations may not have treated the risk by developing the necessary recovery measures in order to have their computer systems operable shortly after the loss (a mistake in the treatment of the risk). Furthermore, these organizations may have failed to anticipate the financial resources necessary to get the company up and running again after a loss (another mistake in the treatment of the risk).

When this group is contrasted with the 15 percent of the organizations that survived, one learns that the main difference between the two groups has been in the survivors' prior creation of necessary recovery measures. This action implies that the survivors had correctly performed risk identification and evaluation. Since there were no significant differences in the insurance policies owned by the 85 percent that folded and by the 15 percent that survived, it appears that, in this case, financing was not a relevant factor. Thus, it is because the survivors correctly performed their risk analyses that they were able to determine the risk level, consider it to be unacceptable and therefore take recovery measures.

Defining Risk Management

Besides the economical treatment of the accidental risk, there is a more significant objective in the definition of risk management - to secure the survival of the organization. The risk management process itself can likewise be defined: the various technical and economic analyses and treatment operations for accidental risks that can threaten the existence of an organization. Here, "analyses" means identification and evaluation; economic "treatment" means lowest cost. Moreover, "existence" can mean the organization's ability to achieve its objectives, as well as its survival.

In the first definition of risk management, where the objective was to treat risks in the most economical manner, the "acceptable risk" was an implicit and rather vague concept. Under the definition of the process itself, an acceptable risk now becomes a criterion against which all risks need to be assessed. The question of staying in business or disappearing becomes a direct responsibility for the organization's top management, who then often rely upon the advice and experience of the risk manager.

If computer risks, as well as liability risks for environmental impairments or product defects, are considered major risks today, it is precisely because these risks exceed the "acceptability" level for a large number of organizations. Ultimately, it is general management that decides whether a risk is acceptable or not. But as long as the concept was vague and the context of the problem not well defined, there was no need for the organization to provide a clear answer.

However, once a risk is recognized as "unacceptable" - a PCB-cooled transformer located in the middle of a storage facility that houses flammable materials, for example - its treatment must be considered a priority. Therefore, risk analysis and risk reduction (i.e., loss control) operations become even more critical. In order to decide whether a risk is or is not "acceptable," it is important to evaluate not only the direct effect but also all other consequences of a major loss.

What is an "acceptable risk?" It is a risk that can be treated in such a way that if a loss occurs, the existence of the organization cannot be threatened. The treatment of the risk necessarily focuses on several areas: the situation after the loss; all the material means of the organization that will be requested in such a situation; the way to finance these means; and the cost of these financing instruments.

Dealing With the Unacceptable

How does one deal with an unacceptable risk? There are two ways to answer this question: one, reduce the risk so as to make it "acceptable"; or two, eliminate the risk, which entails in most cases the interruption of the activity the risk relates to.

Risk reduction addresses the two parameters of a loss, which are its probability of occurrence and its severity. "Prevention" is the method of risk reduction that looks to lower the probability of occurrence - for example, prohibiting smoking in a dangerous workplace reduces the number of possible fires. Prevention's contribution to the "acceptability" of a risk, however, is limited since the only effect it can have is to reduce the probability of occurrence to such a low level that the risk can be ignored. Yet, prevention can improve the economy of the treatment by reducing the number of losses over a given period.

Regarding severity, risk managers must turn to the method of "protection," where once the process of the loss has begun, its development can still be retarded. For example, if a steel or concrete barrier is erected between the two lanes of a motorway, it is done not in order to reduce the number of accidents, but rather to reduce their severity by preventing a car whose driver has lost control from going the contrary way. Protection measures have a direct effect on the acceptability of a risk, and they also have a positive effect on the economy of the treatment. Still, once the risk has been reduced, a new evaluation needs to be performed to check that the risk actually has been made acceptable.

Risk Reduction Economy

Is there a limit beyond which the cost of the risk reduction measures becomes uneconomical? For lack of reduction measures, an "unacceptable" risk will require the organization to interrupt the activity the risk relates to. It is against the loss of revenue resulting from this interruption that the cost of the reduction measures shall be weighed. This rule is applied at least implicitly in the design of new products. For an automobile manufacturer, the consequences of the company's liability exposure are such that the cost of all safety measures needs to be taken into account in the feasibility study of a new model.

The "acceptability" criterion is not the only one that governs the risk reduction policy. The entire economy of the treatment also needs to be considered in the various ways to treat a risk. The treatment is made according to various measures: organizational, material and financial (in general, the financial measures are devoted to the availability of the material and organizational resources after a loss).

According to the way these resources are structured, they will fall into two basic categories for treatment: retention or transfer. In the first case, the process (e.g., the formation of a captive insurance company) is purely internal, and in the second case, a third party (e.g., an insurance company) is involved. Retention can be mandatory for the portions of the risks that cannot be transferred to a third party; in most cases, they are simply forgotten - many aspects of the aforementioned computer risks fall into this category.

Retention can also be a deliberate choice every time the cost of the retention appears to be lower than the cost of an equivalent transfer. This can be determined from the "cost of risk," which is the sum of the expenses related to: the cost of the retention measures, transfer measures and reduction measures; and the cost of the administration of the risk management program. In order to achieve economical treatment, reduction measures have to be taken to reduce the total cost of risk by reducing the cost of the transfer or the cost of the retention. For the risks associated with workplace-related accidents, the cost of the various prevention measures should be balanced or bettered by the lower cost of all the uninsured consequences of an accident (retention) and by a lower insurance premium (transfer).

For an unacceptable fire risk, installing a sprinkler system in an industrial building would be considered a reduction measure. In this respect, the cost involved would be balanced by the cost of the interruption of the activity in this building. The installation of such a system might also reduce the insurance premium as well as all of the uninsured consequences of a large fire. If, instead of installing such a system, the heat load in the building is reduced by removing most of the combustible materials, the risk can be brought to an "acceptable" level. The risk manager will weigh the pros and cons of the two approaches and will recommend the solution that gives the lowest cost of risk and, as a result, an improved economical balance.

The Contingency Plan

More and more organizations are concerning themselves with contingency (or emergency) plans. Such a plan can address two types of situations: a loss suddenly becomes more probable (e.g., due to a bomb threat); or the loss has already occurred. In the latter case, although such a plan is intended to reduce the consequences of a loss, a contingency plan is not in itself a component of the "risk reduction policy" that could be applied at the end of the risk management process. The contingency plan is directly derived from the risk evaluation. In order to evaluate a risk, a scenario must be developed from which a plan can be drawn to enable the organization to continue its operations after the shortest possible interruption.

An organization must be able to manage the loss and to usefully spend the money provided by the financing instruments. This "loss management" is the contingency plan. While reduction measures can be selected according to "acceptability" or "economy" considerations, the contingency plan is a must and cannot be escaped. Unfortunately, it is because such a plan too often is not established and put into practice that, for example, 85 percent of the organizations that suffer a large computer loss will close up shop within their next three years of operation.
COPYRIGHT 1993 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:risk management techniques
Author:Leytens, Anthony
Publication:Risk Management
Date:Oct 1, 1993
Words:1864