The three golden E's in the risk management trilogy
Submitted by: Teresa Settas
The Risk Management Trilogy
Three Golden Es of Risk Mitigation
Opinion by Craig Kent, head of risk consulting at Aon South Africa.
From pyramids to mathematical equations, football formations, bridges and roofing structures, the strength of ‘triangulations’ is tried, tested and proven through time. The same principle applies in risk management in implementing and maintaining effective, resilient and efficient risk mitigation solutions to the evolving exposures that threaten businesses.
Risk management pivots around three considerations about the business and the potential risks it could face. First, you need to know what risks – from the likely to the highly unlikely – can threaten the business. Second, you need to understand the various potential impacts/outcomes such an event can have (gather data to substantiate the quantum of loss). Finally, you need to elect, implement and manage suitable risk mitigation strategies to best counter the particular exposures.
From inception, the risk management process is essentially a repetitive three-part process, forming a triangulation of:
- Risk exposure identification – risk awareness.
- Risk exposure quantification – potential risk cost, inherent exposure.
- Risk exposure mitigation – risk treatment to lead to residual risk exposure.
Risk identification:
The permutations and options for the process are vast, with these three salient classes of risk being the most prevalent:
- Pure/tangible (for example property loss)
- Latent/hidden (reputational/brand/market share/keyman)
- Financial – Upside or downside (Forex/shares) or plain damage or non-damage business interruption losses.
The tools and process to identify the risk can vary on both a macro and micro level, by department/division or across an entire operation or business. For example, fire is likely to be a tangible risk to a particular site, whereas forex fluctuations can impact all operations of a group of companies. The tools used to identify different risks also differ, while both can have characteristics of one or all three of the different classes of risk.
Exposure quantification:
Exposure quantification is invariably driven by the same principle as risk identification, save that the inherent risk exposure value can be made up of both tangible and latent values (insurable and uninsurable costs). The hidden/latent and uninsurable costs are not that easily quantified. It gets tricky from a priority and treatment perspective, as we base a suitable action on the inherent risk, which serves to inform the treatment and/or extent thereof, based on the ‘Three T’s’:
- Tolerate – based on the estimated quantum of potential exposure, we can ‘live with the event’ – often characterised by frequent exposure/low value at risk.
- Treat – apply viable cost-efficient risk mitigation and reduction strategies by removing the risk or reducing the frequency and the value, or both.
- Transfer – pass the risk to someone else by addressing it through a combination of treating and transfer, for example buying insurance to cover the exposure.
Risk Exposure Mitigation:
Once the risks are identified and you have quantified the inherent exposure value, you can make an informed decision on the preferred risk mitigation strategies to deploy:
- Self-retention of the exposure, with varying degrees of risk prevention or reduction strategies.
- Risk transfer (insurance) strategy - coupled with expected degrees of risk prevention and reduction.
- Get rid of the risk, which is easier said than done.
Risk Mitigation doesn’t end here. While these three risk mitigation tools, alone or in combination, are the mechanisms to mitigate all the risks of the business, these tools are only sustainable where we seek to constantly manage the treatment thereof. To achieve the best efficiency for the management of each risk, you need to look at the Three Es of treatment, namely:
- Engineer the solution in part or whole.
- Educate on the risk treatment solution.
- Enforce the application to maintain the engineering and education of the solution.
While many assume that engineering can only be applied to tangible risks, let’s explore some examples and link in the education and enforcement thereof:
Example 1: Sprinkler systems are useful to avoid the human element for detection and control of fire – which makes it a tangible solution that is essential for the risk carrier where risk values and legal compliance dictate. However, without education, the engineered solution's effectiveness can be compromised. Sprinkler systems are designed based on many dynamics, ranging from fire commodity to fire load and are even affected by roof heights and slopes. If these are in any way changed or compromised, so too is the effectiveness of the sprinkler system – hence the absolute need for continual education/training, self-inspections, checklists and maintenance. In turn, it leads to the enforcement of the treatment, by way of strict maintenance and third-party inspection regimes.
Example 2: Protocols for consistent and reliable financial reporting centre around the implementation of International Financial Reporting Standards (IFRS) and individuals who have completed a Chartered Accountant degree in education, which lays the foundation for a combination of internal and external audit mechanisms for enforcement.
Example 3: Antivirus software or password protection is not a tangible solution, but if an employee does not follow protocol, then the process and/or engineered software can be compromised and the risk met in full force. Thus, both continual education and enforcement are required to realise the value of the mitigation strategy.
Example 4: Buying insurance as a mitigation strategy serves to transfer the risk. But if you don’t observe and maintain the terms of the contract with the risk carrier, a claim can be repudiated or the risk can become uninsurable, which for high catastrophe risks could be debilitating for any organisation. In this scenario the insurance product is the engine, the training of the Insured the education, and escalating rates, repudiations, punitive deductibles and so on serve as the enforcement.
It is interesting to note that in all four examples, a failure of any one of the three E’s can lead to a failure of the risk mitigation strategy and, in turn, the residual risk is far greater than was anticipated based on the mitigation plan. There are many other examples which can be cited where the same principles apply, to make sure the treatment is:
- Equitable/viable to the inherent value at risk – don’t spend R1 to protect R1.
- The cost to mitigate is viable to achieve.
- The resultant residual value of the risk is sustainable.
There is little point in spending R1mil on the treatment of a R5mil potential loss exposure unless there is a legal requirement, of course. Similarly, there is little point in spending R1mil on treatment to protect an R100mil exposure. If the rules for the application of the three E’s treatment are broken, then you may have wasted R1mil and still have a potential R100mil loss exposure.
In conclusion, it stands to reason that if we do not follow the various trilogies continually, it will not be possible to argue that an effective and efficient risk management program is in place. One of the biggest failures is the seemingly cheaper ‘DIY’ approach, rather than consulting a professional risk manager and investing in the process, to ultimately effectively and efficiently manage the organisation's risks.
Having regular, thorough risk assessments of your business is a good exercise to identify any possible red flags that need to be addressed before they have negative impacts on the business’ risk transfer requirements. It will also direct a business that has already fallen into a state of distress on how to best address the existing concerns and identify potential other risks that can be addressed to efficiently get the business back on track.
A professional broker and their risk advisors will be able to provide your organisation with aligned services and solutions that businesses may need to identify and address any gaps in their risk management program, mediate a solution and provide the clarity and confidence to make better decisions when it comes to the risks that your business is faced with. Get good risk management practices in early and strive to improve continually.
About Aon
Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries and sovereignties with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.