Risk Management Defined

Evaluation and Quantification

The evaluation and quantification of the impact of potential losses on the business, should always account for both direct and indirect, immediate and long term costs.

Whilst the evaluation process will be different for each organisation it should where possible include statistical evidence based on previous experience and incidents. These statistics should be sourced from both within the business, and where possible, from other similar industry groups in Australia and internationally.

Where relevant data is included from any appropriate previous insurance coverage, this should be organized carefully to account for anomalies and differences in policy limit, deductibles and extent of cover.

Certain losses (such as liability or workers compensation incidents) may take some time to be finalized due to court actions, or delays in determining the final extent of personal injuries. The original estimate calculated for the total cost is often revised on several occasions when more accurate information is provided.

The Risk Matrix is a handy took to enable management to obtain a “snapshot” of key risks, and prioritize activities and/or capital expenditure. There are a number of variations of this tool used by risk managers and risk management consultants, but all essentially aim to identify and document the likely frequency of risk against the likely severity or risk.

The following is an example of how the risk matrix can be used:

Corporations that own or operate hazardous operations need to place even greater emphasis on quantifying all areas of cost. They need to conduct a careful assessment of the risk – benefit attributes of all facilities, and eliminate unwarranted risks.

A grave example is the devastating effects of the leakage of Methyl Isocyanate gas at the Union Carbide plant in Bhopal, India on 3 December 1984. Such an assessment by Union Carbide would have shown that their Bhopal pesticide plant contributed less than half of one percent to company profits, but represented a life threatening risk to the company and the city of Bhopal.

Apart from massive loss of life and litigation, this single loss incident triggered sanction and protest against the conglomerate around the world which had a devastating impact on the business. At the time of the accident in 1984, Union Carbide had sales revenues of $9.5 billion, net income of $323 million, and total assets of $10.5 billion. Three years later, the sales revenue had fallen to $6 billion, assets had shrunk to about $6.5 billion, and shareholders equity fell from $4.9 billion to under $1 billion. This drastic reduction in size occurred without a single penny being paid in compensation to victims of the disaster.

Avoiding, Reducing and Controlling Risk Exposures

The next step in the risk management process is the balancing of key corporate objectives (like profitability and expense control), against safety, and the avoidance, reduction and control of losses.

There are masses of texts, courses and specialists available for consultation in the risk management arena. This section is not a technical reference, but intended only to summarize a number of the key areas to be considered in this stage of the process.

Much of the information and resources necessary to reduce and manage risks will already exist in many areas of an organisation. Often an organisation’s management will have their own view regarding the principal issues of loss control for their business.

The use of an external specialist however adds a vital dimension to the process by being able to provide an objective and independent assessment of the costs, benefits and critical priorities. Risk management consultants and loss control engineers can also provide valuable insight to similar problems experienced by other organisations locally and internationally.

Their expertise should provide a detailed analysis of the sources of risk, methods to reduce hazards, systems for the early detection of losses, minimization of the effects of those losses and maximization of the potential salvage.

The most effective risk management consultant will act as a project manager or co-ordinator, utilising your own resources as much as possible, and eventually making your organisation self sufficient in as many risk management aspects as possible. This role should alter over time from change agent to facilitator and ultimately external auditor of the in-house risk management processes.

For simplicity the key issues in risk management can be categorized into 3 broad areas:

1. Management procedures
2. Human resources procedures/strategies
3. Operational procedures/controls

1) Management Procedures

One of the most simplistic approaches in this category is the total avoidance of risk.

A risk might easily be removed by not proceeding with a project, eliminating a particular process, changing the manner in which a task is performed, outsourcing the task to an external party, or contractually transferring the liability or obligation.

Example of this approach could include:

•  The closure of a hazardous plant;
•  Transferring internal investment activities to outside fund managers;
•  Out sourcing product design to a consultant;
•  Creating additional capacity from an alternate plant/supplier to reduce reliance on a single site or supply point.

Obviously in each case the costs need to be balanced against the benefits, with consideration of the potential immediate and long term costs of continuing the activity. Technically total cost of insurance risks “TCOIR” each program must be measured.

For any organisation to meet it’s key objectives risk must be controlled however, the majority of risks are unlikely to be able to be transferred or eliminated in their entirety. For these remaining risks, management procedures play a fundamental role.

The following are some of the critical issues to be reviewed in the management procedures category.

Contingency Planning or Disaster Recovery Planning – how will the organisation respond to a major incident and its flow on effects?

•  Are there formal contingency plans in place, with clearly defined duties and responsibilities to recommence the interrupted activities as soon as possible, and protect the legal and economic interest effect by the loss.
•  What advance arrangements are in place for utilizing alternate production sites or spare capacity accumulated stocks, use of “hot” computer sites, expediting of raw materials or alternate product from overseas suppliers (or competitors).
•  Reciprocal agreements with another organisation can often be an effective approach but needs to be rigorously evaluated, particularly the volumes required and timing of spare capacity;.
•  Action plans and responsibility for salvaging the property and/or interests of the company following a major loss.
•  Plans in place to handle public relations, communications with the media and retain integrity of brand and company reputation (including specific strategies for key stake holders, customers, creditors and legislators).
•  Action plans and specific responsibility for the handling of serious injury or death of employee’s contractors and/or third parties.
•  Allocated responsibility for accumulating adequate records of loss expenditure information to achieve a more effective insurance claims settlement.
•  Integrated business continuity planning which will ensure continued business recovery after a disaster recovery plan has been activated.

It is important to note that contingency planning should be an ongoing process of Identification and analysis of the impacts that a serious incident would have on an organisation. A senior executive must have responsibility for designing, testing and updating the pre-planned responses to incidents, with the aid of minimizing the impact to the organisation. An external risk management consultant can provide practical advice and guidance on identifying the critical assets and key vulnerabilities, drawing on the experience of many other business and industries. If this seems to be an elaborate process for an organisation that is not involved in any hazardous processes, you only need to consider recent history, and the impact on thousands of “low key” businesses from massive hail storms or the shut down of gas or electricity suppliers.

Review of Contractural Obligations – what procedures are in place for automatic review of all contracts allowing predetermined authority levels with particular emphasis on:

•  Drafting and/or review of contracts from appropriate legal counsel;
•  Indemnification and hold harmless provisions which create or increase risk exposures (and the negotiation of similar clauses where appropriate to mitigate your own exposures through contract): responsibility for property damage and third party injury, and the possible impact on risk management and insurance programmes:
•  Effective transfer of liabilities where other parties have responsibilities (e.g the presence of a joint tenant or sub tenant may increase fire or liability exposures due to the nature of their operations. The lease agreement should be drafted to provide indemnity to the organisation and/or an appropriate hold harmless arrangement included);
•  Contractual or liquidated damages:
•  Ongoing update and audit to ensure compliance with trade practices, corporate governance and other legislation.

Accountability – rather than rely on absorption of risks within a corporate centre, line managers should be force to recognize the impact on their own operations of loss incidents.

Wherever possible, accountability for the total cost of losses should be driven down to all profit or cost centres, and preferably, individual site managers.

If site managers can see the effect of loss control measure (or inactivity) on their own measurable results, the risk management culture has a far greater chance of being accepted throughout any organisation.

Workers compensation and motor vehicle insurance are two examples where the total cost of losses can quite easily be allocated to individual sites based on direct expenses incurred. By controlling losses, the site manager reduces costs, and increases the profitability or effectiveness of the location.

Acquisition and Mergers – when acquiring a business, management will in most circumstances, prudently attempt to leave all significant liability with the seller. The due diligence process will by necessity be quite detailed, but there are a number of specific areas which are often overlooked. That could still impact heavily on any acquisition.

Areas often overlooked, but important to reviews include:

•  Dependency on all major customers and/or suppliers of raw materials, to assess contingencies which may impact on the eventual profitability of the acquisition.
•  Workers compensation loss history to provide an insight into the occupational health and safety management practices of the acquired company
•  A review of all claims will not only highlight the culture of precious management towards occupational health and safely, it will also show the potential for hidden increases in subsequent years workers compensation premiums. (This is particularly important for those states where past loss years are heavily factored into the renewal premium).
•  Superannuation funds to determine not only ongoing financial adequacy and commitments, but compliance with appropriate current legislation (and potential exposure to new trustees):
•  Current insurance protection of the acquired business, past loss history, and more importantly, previous limits and levels of cover. This is critical for at least the last 10 years to ensure there are no hidden exposures that only become known in future years.

An example of this is where an acquired company has only previously carried a low limit of public liability insurance. A past claim incident that is seemingly insignificant (or even unreported), may at some later stage result in a substantial settlement, which is well above the policy limit. The new owners are therefore left with a considerable uninsured and unbudgeted exposure.

A careful review of both limits and claims history needs to be undertaken. The exposure then needs to be either transferred to the previous owners as part of the sale, or addressed under the purchases insurance and risk management arrangements.

2) Human Resource Policies/Strategies

The root cause of many accidents can be traced to basic human errors in the shape of negligent acts, operator errors or even incorrect management decisions. Avoiding, eliminating or reducing losses in the human resources category depends heavily upon recruitment policies, education and training and the overall organisational culture.

Hiring appropriately skilled employees who are trained and motivated to perform effectively, yet exercise a vigilant approach to safety is a basic step in the process. Critical issues to be examined include:

Workplace Health and Safety

•  Documented systems and processes
•  Evidence of the consulting process – tool box meetings
•  Effective induction of all new employees
•  Effectiveness of safety committees, use of loss statistics to prevent future incidents;
•  Standard work method statement
•  Procedures for handling of hazardous material (eg toxins, caustics and acids and pressurised vessels;
•  Site safety rules. Contractor rules/induction
•  Proper use of lifting devices, machine guarding, protective clothing, emergency lock out/shut down devices:
•  Purchase and commissions hazard identification
•  Design of work areas and work patterns to reduce strains and accomplish tasks more effectively;
•  Quality of working environment with consideration to light, ventilation, dust vapours, noise levels. Confined spaces, accessibility of stairs and exits, adequate signage;
•  Stress management
•  Scheduling of adequate breaks or rotation of duties;
•  Personal protective equipment
•  Reinforcement of safety policies. First aid facilities available. Medical records book. Register of toxic chemicals. Safety displays;
•  Adequate training on an ongoing basis;
•  Use of regular inspections to detect potential hazards and non-compliance with safety procedures; adequacy of incident recording, reporting systems (how much information is actually being captured) and formal accident investigation.
•  Test and tagging of all tools
•  Fire, bomb and work evacuation and training emergency procedures
•  Fraud
•  Procedures for reference checking and investigation of previous employment.
•  Separation of duties and enforcement of annual leave to reduce opportunities and increase potential for detection;
•  Inventory management, controls for receipt and dispatch of materials;
•  Access to accounts, signatories required for cheques and other negotiable;
•  Access to computer systems, source codes etc;
•  Frequency and depth of internal and external audits, and independence of this function from operational management.
•  Random audit processes
•  Manpower
•  Formalized succession planning and recruitment contingency plans;
•  Pre-travel planning so that wherever possible, groups of key executives do not travel on the same mode of transport (consider the impact of an entire board of directors and senior management lost in plane disaster);
•  Executive health evaluations.

3) Operational Procedures/Control

The final category comprises the more tangible tools of loss control. These are principally improvement to operational controls which can reduce a potential loss or mitigate the impact of actual losses on the business.

Security

•  Physical security protection measure such as alarms, perimeter fencing. Cameras. Locking devices
•  Physical protection to staff
•  Use of security officers or patrols
•  Safeguarding of cash and valuables on premises, offsite and in transit. Security of key records. Procedures and preparedness against threats to personnel from assault. Armed holdup, kidnap

Fire Protection

•  Maintenance and impairment programs
•  Trained fire teams and/or updated fire alarm procedures.
•  Coverage area and density of existing fire protection installations
•  Design, approval and installation of sprinkler installations, thermal or smoke detectors, hydrants, hose reels, extinguishers, fire alarms or other fire suppression equipment.
•  Adequacy of water supplies
•  Construction and separation of walls premises between production processes to prevent the spread or fire from one section of a factory to another.

Housekeeping and Maintenance

•  Access to fire protection equipment and emergency exits
•  Welding procedures (use of hot work permits and strictly controlled environments)
•  Electrical “hot spot” testing and review of potential power circuit overload exposures
•  Maintenance and inspection of pressure vessels, compressors and the like smoking controls
•  Flammable liquid/dangerous goods storage and usage

Computer Risks

•  Maintenance programmes
•  Restricted access to hardware and software applications
•  Back up procedures and secured off site storage
•  Password maintenance
•  Data encryption
•  Software access/virus detection and monitoring devices
•  An effective anti virus and corporate data usage policy

Public Liability Hazards

•  Visitor access and monitoring, visitor record books. Inclusion in evacuation procedures
•  Floor surface conditions, cleaning and maintenance routines
•  Contractor controls-access, supervision, contractual; indemnification. Adequacy and proof of insurances
•  Products Liability/Product Recall Hazards
•  Register to trace origins, of raw materials and component parts
•  Review of contract supply conditions
•  Defect analysis and quality control
•  HAZOP (hazard & operational studies)
•  Adequacy of product labelling (contents and usage warnings)
•  Detailed record keeping of products, processes, quality assurance checks and incidents
•  Recall contingency plans (including communication with the media and general public) and written procedures for faulty products. Plans cannot be too generic, and should adequately address the differences between a small batch and a nationwide recall, plus local logistics versus an international recall and differing legal and cultural environments
•  Security controls appropriate to malicious product tamper exposures.

Environmental

•  Implementation of a well structured environmental management system is essential to ensure compliance with environmental standards and to comprehensively address
•  Waste labelling and segregation, storage and handling
•  Discharge license compliance
•  Contractual obligations and controls under contracts with third party storage, transit and disposal organisations
•  Land, air, water and noise emissions monitoring
•  Site contamination and pre-acquisition audits

Property in Transit

•  Selection and monitoring of carriers, including conditions of carriage, adequacy of packaging to reduce damage/vibration exposures
•  Palletisation/unitization, containerization
•  Use of marks and international handling symbols
•  Method of transportation, type and suitability
•  Loading, stowage, securing and discharge controls

Motor

•  Driver selection, history checks and adequate training
•  Vehicle inspection and maintenance, vehicle security
•  Where appropriate, defensive drive and driver attitude training
•  Detailed capture of operating costs and accident data for analysis and accountability

Engineering

•  Certification of plant and equipment in compliance with legislative standards
•  Preventative maintenance schedules versus merely breakdown response
•  Identification of critical plant items and adequacy of spare parts, or alternate capacity.