Regardless of the size of your organization or the industry in which you operate, good and accepted practice requires that someone is accountable for risk management and that you have internal risk management controls in place, i.e. a risk management policy or plan that addresses the risk issues relevant to your business.
Risk management concepts are applied in all businesses and industries, including banking and investments, education, healthcare, law, and manufacturing to name a few. Each industry has its own specific approach and perspective to risk management. However, there are generally accepted risk management concepts that can be applied to all companies and industries. This includes (1) identifying the potential risks; (2) risk assessment to determine the likelihood, frequency and severity of risks; (3) prioritization of risks; (4) development of structures and internal controls for risk mitigation; and (5) because risks cannot be eliminated, insurance against risks. Gathering information about these concepts is key to developing any risk mitigation structure and strategy.
Identification of Risks
As mentioned above, every industry has its own unique set of risks. For example, in the healthcare industry, in addition to concerns about patient care, areas of risk may include accuracy, compliance, and patient privacy. Research should be conducted to identify the types of risk concerns that are most common in your industry. In this regard, there is likely to be important information publicly available that addresses risk management issues pervasive in your organization or industry. In addition to external research, internal group discussion will be crucial to identify risk concerns.
There are also risk concerns that apply to all businesses and industries. These include, but are not limited to, security risks to the company and its employees; information technology risks; personnel risks such as discrimination and harassment; and risks of document storage and retention.
Once risks have been identified, those risks must be assessed, which will inform you of important considerations, including the likelihood and frequency of the risk event; the severity of the risk event (even if the risk of that event is not frequent); and the possible consequences of the risk event. The assessment also informs you whether the potential risk warrants an internal control and the priority of the risk within your risk structure.
A few examples may be instructive. An accounting risk manager recognizes that, depending on the complexity of an organization, there may be a risk of material misstatement in the audit process. Assessing severity can be more difficult but is just as important. It is foreseeable that a single event, although rare, can result in significant loss and even disaster for a company. For example, in construction, due to the nature of the work, a hazardous event could result in significant injury or death.
The risk assessment must also address the possible consequences of a risk event, including the impact these consequences will have on your business. Is the consequence of a risk event reputational or financial? Does the consequence rule out further work in a business area? In order to properly assess all of the foregoing, it may be necessary to consider applicable laws, regulations, industry standards and best practices.
As a final point about the assessment, a thorough assessment will almost certainly influence the development of mitigation strategies.
Prioritization of risk
Once the assessment of the risks associated with your business is complete, the risks should be prioritized. Risks should be prioritized by frequency, severity, and consequence, with each factor being appropriately weighted based on the organization or industry. Prioritization provides an overview of all risks and focuses on the risks that pose the greatest threats to your company.
Structure and internal controls to mitigate risk
Every business organization, regardless of size, should have a person with designated risk management responsibility and internal risk management controls.
In relation to a designated risk manager function, the size of an organization and the risks associated with the business determine the size of the risk management function. It’s not uncommon for large companies to have extensive risk management teams. Other companies hire an outside provider to provide risk management services. Smaller organizations or professional organizations such as law and accounting firms may address the risk management function in-house.
Internal control documents and risk management policies vary widely from company to company and from industry to industry. However, there are specific sections/topics that should be included in any risk management policy. These include but are not limited to:
- A section that sets out purposes and goals
- A section that identifies the organization’s risk management functions, including the designated risk management personnel and the roles and responsibilities of all individuals entrusted with risk management functions. In terms of roles and responsibilities, it is important to convey in the policy and the training related to the policy that it is the responsibility of everyone in the organization to help mitigate risk.
- Sections outlining the procedures and strategies developed to mitigate the specific risks identified and assessed through the information gathering process described above.
Because risk can only be mitigated, not eliminated, risk management considerations must also include insurance against risk. The risk management process helps identify the types and amounts of insurance needed to ensure the continued profitability and success of your business. In addition, participation in the risk management process, designation of risk management personnel and responsibilities, and adoption of written internal controls and risk mitigation procedures may result in a reduction in insurance premiums.
Kevin J. English is a risk management partner at Phillips Lytle and leads the firm’s insurance coverage practice team.