3 Common Pitfalls Companies Make in Assessing Their Total Cost of Risk
Black swans are unforeseen risks that challenge most organizations’ planning, but that shouldn’t discourage risk managers from attempting to gain a more robust understanding of how potential threats can affect their organization and pinpoint effective ways to manage those situations.
For companies that plan wisely and have a risk management program that can flex and adapt as new risks impact the organization, the rewards can be significant. Organizations that prioritize building out mature risk management programs that snap into place in times of crisis tend to outperform those that don’t.
Better risk management starts with understanding an organization’s total cost of risk, which includes the total amount of risk retention costs, risk transfer premiums, and administration costs to assess, mitigate, and manage all aspects of risk. Calculating the total cost of risk can be a challenging exercise for any company. If you can avoid three common pitfalls, you’ll be off to a solid start.
Ensuring your Risk Management Program Aligns with Corporate Strategy
What are your top five risks as an organization today? Now think through that list and compare the risks to your strategic objectives. Do your top risks align to your organization's long-term goals? If not, it may be time to take a broader look at how your risk management program fits into your overall strategy.
Many organizations view risk management in a silo separate from strategy, and because of this, expose themselves to oversights for critical pieces of their business and operational ecosystem, such as supply chain. Risk management should map to the organization's broader strategy. The way that risk is identified, prioritized and quantified ties back to the impact each risk can have on an organization and the overarching strategic objectives.
Connecting risk management to strategy changes the focus of an organization. A risk management practice centered on the organization’s broader strategy will approach opportunities and challenges in a systematic way. It will consider the most significant risks that have the potential to impact an organization's long-term objectives rather than focus on temporary setbacks. This robust approach to risk management can't happen without consistent assessments of an organization’s risk appetite throughout time.
Supply chain management, for instance, is often an overlooked part of risk assessment. Many organizations reliant on global vendors were likely disrupted by the COVID-19 pandemic. Meanwhile, companies that developed contingency plans to source from local suppliers in the event of a trade slowdown were less likely to be harmed.
Inconsistent Risk Assessments Across the Organization
Often organizations do not spend the time needed to truly understand their risk profile and appetite, and as a result inefficiently spend the resources dedicated to protecting the organization. Organizations should have broad oversight into all of the risk within their operations, as well as how it is being addressed.
Many organizations have pockets within that have a firm handle on risk processes and protection, but that may not translate to other segments of the company. Compartmentalizing the way an organization approaches risk management can be detrimental.
Regular assessments are crucial to managing an organization's entire risk portfolio. These exercises can help enterprises understand which risk management practices are effective and which could be improved upon. Assessment should be embedded in everyday operations, so managers and senior executives can prioritize what threats are urgent based on the organization's risk appetite, which should be based on overall strategic goals.
Companies can gain more insight into their operations by having different parts of the organization use the same assessment. For instance, risk managers can see how the legal, finance, and operations functions would approach the same potential threat. The baseline across the organization makes it easier to see areas that need to be addressed.
Whether you take a top-down or bottom-up approach, the goal is to use the assessment data from various sources to quantify an organization's total cost of risk. With that data, you can create an enterprise risk management playbook that can support an organization for whatever strategic objectives it sets.
Remember that assessments aren't something to be done once and forgotten. The evolving nature of risk means that robust programs are continuously collecting data and improving their risk mitigation techniques, which can help recognize emerging risks before they become threats.
Superficial Scenario Planning
It's easy to say that a crisis couldn't have been avoided, but in many cases, there could have been a plan in place to help address the situation. Accurately assessing your total cost of risk requires a deep, systematic approach to scenario planning.
Scenario planning should identify, assess and quantify the impact of major losses, such as potential damage resulting from natural disasters, data breaches and legal liabilities. The scenarios should help organizations review current policies and identify coverage gaps.
Identifying the most critical risks and quantifying those financial impacts is the key to strong scenario planning. Scenarios should use claims and risk data from insurers to price out how environmental damage or a significant business interruption or a cyberattack can generate losses for the organization. Scenario planning should then guide the alignment of internal processes to financial capacity when deciding whether or not to take on risk.
Push your risk professionals across the organization to go beyond the obvious threats and the recent past. For example, after the global financial crisis, many organizations re-evaluated their credit risk exposure. Following the pandemic, companies will invest in strategies to take special care with their supply chains and safety practices. Developing a response to those scenarios should be just the beginning of your planning.
Better scenario planning leads to better decision making at the business unit and board levels. Accurate scenarios can motivate business unit managers to take more responsibility for the individual risks such scenarios present to the enterprise and then help those managers develop a strategic view of their operations. Scenario planning also helps contain costs by matching coverage to an organization's actual risk exposure.
Common pitfalls can be avoided with a risk management framework that connects to an organization's overall strategy and includes both frequent risk assessments and more thoughtful scenario planning.