Risk Management Process
The risk management process
The risk-management process is the activities that make up an organization’s approach to managing risk. This differs from company to company. Each company has a unique process for managing risk. Each company’s risk management framework is unique, and changes based on the organization’s unique risks. This process is used by risk-management and insurance professionals to identify loss exposures.
The risk management process is made up of a few key steps and activities. The key risk management activities that make up the risk management process include:
- Step 1: Scan the Environment for Risks (scan, review, and analyze the risk environment)
- Step 2: Identify the Risks (identify any exposures or risks)
- Step 3: Analyze the Risks (analyze exposures and risks)
- Step 4: Treat the Risks (apply risk treatment)
- Step 5: Monitor the Risks
We will cover each step in the risk management process in more detail below.
Step 1: Scan the Environment for Risks (scan, review, and analyze the risk environment)
The first step in the risk management process is to scan, review, and analyze the organizational environment. The risk management professional should evaluate the internal and external environment of the organization. This review should include an evaluation of the organization’s goals, to ensure the risk management process does not interfere with company goals.
In this process, the organization should define its risk criteria. Risk criteria is the criteria that defines the significance of the risk.
In this process the review should consider the following:
- The effect the risk has on the company
- The best method to measure the effect of the risk
- The length of time a risk will affect the organization
- The underlying cause of the risk
Step 2: Identify the Risks (identify any exposures or risks)
The next step in the risk management process is to identify any risks faced by the organization. Loss exposures can be identified through inspections, compliance reviews, documentation analysis, or the help of a risk-management expert.
Step 3: Analyze the Risks (analyze exposures and risks)
Once the loss exposures are identified, they must be analyzed to determine the significance of each exposure. This helps to prioritize the exposures that need to be addressed immediately.
Loss exposures are analyzed using the four dimensions of loss analysis:
- Loss frequency – The number losses in a period of time
- Loss severity – The dollar value of a loss
- Timing – The period of time when losses and payments occur
- Total dollar losses – The total dollar amount of all loses in a period of time
Step 4: Treat the Risks (apply risk treatment)
Once the risk is analyzed, a risk-management treatment must be selected and implemented to mitigate the risk.
Implementation means the individual or organization takes action on the plan and works to apply their chosen risk-management techniques. For example, purchasing and installing loss-preventing devices and purchasing insurance is considered implementing risk management.
There are two ways to address a loss exposure:
- Risk control
- Risk financing
Risk control is used to reduce the frequency and severity of losses. There are six risk-control techniques:
- Avoidance – The act of never taking an action. With avoidance, the individual is choosing to never partake in an activity, that way a loss can never happen. For example, one may choose to never use the stove to cook in the house so that there is no risk of starting a fire from using the stove.
- Diversification – The process of dividing up loss exposure and spreading the exposure over multiple projects or regions. For example, choosing to invest in five different stocks and five different bonds in five different industries to ensure that the investor will not be financially crippled if one company or one segment performs poorly.
- Duplication – The process of creating a duplicate or backup of information and personal property. Backing up data from a computer to a cloud server to save critical data in case the physical computer breaks down is one example.
- Loss prevention – Any risk-control method that reduces the frequency of loss. For example, a deadbolt lock keeps burglars out of the home, reducing the frequency of theft.
- Loss reduction – Any risk-control technique that reduces the severity of a loss. For example, fireproof shingles minimize the damage caused by a fire. A burglar alarm is an example of risk control that is both loss-preventing and loss-reducing because it deters a burglary from happening (loss-preventing) and reduces the loss that does occur as police will arrive at the scene (loss reducing).
- Separation – The act of splitting up and isolating one exposure from another. This helps to minimize the effect of a single loss. Separating a collection of high-value pieces of artwork so some are stored at home and some are stored at the bank is an example of separation.
Risk Financing: Risk financing is the technique most individuals are familiar with. This technique generates the necessary sum of money to pay for losses. There are two forms of risk financing:
- Retention – Retention is the process of saving or setting aside funds to pay for a loss. This is needed if the loss is not fully covered by insurance. A deductible is a common retention technique. This is a predetermined amount of money that must be paid by the insured before the insurance policy pays the claim. Savings is another form of retention; this is money set aside that can be used to pay for a loss.
- Transfer – Transfer shifts the financial burden of a loss to another party. Insurance is the most common form of transfer. Insurance shifts the financial burden of loss to the insurer, and the insurer is responsible for paying the loss.
Step 5: Monitor the Risks
Once the risk-management program is implemented, it must be monitored and revised periodically. This ensures the individual or organization is protected against changing loss exposures.