Risk management
19 October 2021

1. Meaning
2. Objectives of risk management
   • Pre-loss objectives
   • Post-loss objectives
3. Steps in the risk management process
4. Benefits of risk management
5. Personal Risk Management
6. IT risk management process

Meaning

Risk management (RM) is a process that identifies loss exposures faced by an organization and selects the most appropriate techniques for treating such exposures. Risk managers are extremely important to the financial success of business firms in today’s economy and they are paid relatively high salaries. Because the term risk is ambiguous and has different meanings, risk managers typically use the term loss exposure to identify potential losses.

Objectives of risk management

Pre-loss objectives
1. Economy - the firm should prepare for potential losses in the most economical way. This preparation involves an analysis of the cost of safety programs, insurance premiums paid, and the costs associated with different techniques for handling losses.
2. Reduction of anxiety - certain loss exposures can cause greater worry and fear for the risk manager and key executives. e.g.: the threat of a catastrophic lawsuit because of a defective product can cause greater anxiety than a small loss from a minor fire.
3. Meeting legal obligations - e.g.: government regulations may require a firm to install safety devices to protect workers from harm, to dispose of hazardous waste materials properly, and to label consumer products appropriately. Workers compensation benefits must also be paid to injured workers. The firm must see that these legal obligations are met.

Post-loss objectives
1. Survival of the firm - means that after a loss occurs, the firm can resume at least partial operations within some reasonable time period.
2. Continued operations - for some firms, the ability to operate after a loss is extremely important. e.g.: a public utility firm must continue to provide service.
   Banks, dairies, bakeries, and other competitive firms must continue to operate after a loss. Otherwise, business will be lost to competitors.
3. Stability of earnings - earnings per share can be maintained if the firm continues to operate. However, a firm may incur substantial additional expenses to achieve this goal (such as operating at another location), and perfect earnings stability may be difficult to attain.
4. Continued growth - a company can grow by developing new products and markets or by acquiring or merging with other companies. The risk manager must therefore consider the effect that a loss will have on the firm’s ability to grow.
5. Social responsibility - minimize the effects that a loss will have on other persons and on society. A severe loss can adversely affect employees, suppliers, customers, investors, creditors, and the community in general. e.g.: a severe loss that shuts down a plant in a small town for an extended period can cause considerable economic distress in the local area.

Steps in the risk management process

A. Identify loss exposures.
↓
B. Measure and analyze the loss exposures.
↓
C. Select the appropriate combination of techniques for treating the loss exposures:
   1. Risk control
      • Avoidance
      • Duplication
      • Loss prevention
      • Separation
      • Loss reduction
      • Diversification
   2. Risk financing
      • Retention
      • Non-insurance transfers
      • Insurance
↓
D. Implement and monitor the risk management program.

A. Identify Loss Exposures

This step involves an exhaustive review of all potential losses. Important loss exposures include the following:

1. Property loss exposures
   • Building, plant, and other structures
   • Furniture, equipment, supplies
   • Computers, computer software, and data
   • Inventory
   • Accounts receivable, valuable papers, and records
   • Company vehicles, planes, boats, and mobile equipment
2. Liability loss exposures
   • Defective products
   • Environmental pollution (land, water, air, noise)
   • Sexual harassment of employees, employment discrimination, wrongful termination, and failure to promote
   • Premises and general liability loss exposures
   • Liability arising from company vehicles
   • Misuse of the Internet and e-mail transmissions
   • Directors’ and officers’ liability suits
   • Cyber liability (e.g., hackers gaining access to customer data)
3. Business income loss exposures
   • Loss of income from a covered loss
   • Continuing expenses after a loss
   • Extra expenses
   • Contingent business income losses
4. Human resources loss exposures
   • Death or disability of key employees
   • Retirement and unemployment exposures
   • Job-related injuries or disease experienced by workers
5. Crime loss exposures
   • Holdups, robberies, and burglaries
   • Employee theft and dishonesty
   • Fraud and embezzlement
   • Internet and computer crime exposures
   • Theft of intellectual property
6. Employee benefit loss exposures
   • Failure to comply with government regulations
   • Violation of fiduciary responsibilities
   • Group life, health, and retirement plan exposures
   • Failure to pay promised benefits
7. Foreign loss exposures
   • Acts of terrorism
   • Plants, business property, inventory
   • Foreign currency and exchange rate risks
   • Kidnapping of key personnel
   • Political risks, such as expropriation of property
8. Intangible property loss exposures
   • Damage to the company’s public image
   • Loss of goodwill and market reputation
   • Loss or damage to intellectual property
9. Failure to comply with government laws and regulations

A risk manager can use several sources of information to identify the preceding loss exposures:
• Risk analysis questionnaires and checklists require the risk manager to answer numerous questions that identify major and minor loss exposures.
• Physical inspection of company plants and operations can identify major loss exposures.
• Flowcharts that show the flow of production and delivery can reveal production and other bottlenecks as well as other areas where a loss can have severe financial consequences for the firm.
• Analysis of financial statements can identify the major assets that must be protected, loss of income exposures, key customers and suppliers, and other important exposures.
• Historical loss data can be invaluable in identifying major loss exposures.

Risk managers must keep abreast of industry trends and market changes that can create new loss exposures and cause concern. Major risk management issues include rising workers compensation costs, effects of mergers and consolidations by insurers and brokers, increasing litigation costs, financing risk through the capital markets, data breaches and hackers gaining access to customer information, supply-chain security, and climate change. Protection of company assets and personnel against acts of terrorism is another important issue.

B. Measure and Analyze the Loss Exposures

It is important to measure and quantify the loss exposures in order to manage them properly. This step requires an estimation of the frequency and severity of loss.
• Loss frequency refers to the probable number of losses that may occur during some given time period.
• Loss severity refers to the probable size of the losses that may occur.

Once the risk manager estimates the frequency and severity of loss for each type of loss exposure, the various loss exposures can be ranked according to their relative importance.
• e.g.: a loss exposure with the potential for bankrupting the firm is much more important in a risk management program than an exposure with a small loss potential.

In addition, the relative frequency and severity of each loss exposure must be estimated so that the risk manager can select the most appropriate technique, or combination of techniques, for handling each exposure.
• e.g.: if certain losses occur regularly and are fairly predictable, they can be budgeted out of a firm’s income and treated as a normal operating expense. If the annual loss experience of a certain type of exposure fluctuates widely, however, an entirely different approach is required.

Although the risk manager must consider both loss frequency and loss severity, severity is more important because a single catastrophic loss could destroy the firm. Therefore, the risk manager must also consider all losses that can result from a single event. Both the maximum possible loss and probable maximum loss must be estimated.
• The maximum possible loss is the worst loss that could happen to the firm during its lifetime.
• The probable maximum loss is the worst loss that is likely to happen.
• e.g.: if a plant is totally destroyed by a flood, the risk manager estimates that replacement cost, debris removal, demolition costs, and other costs will total $50 million. Thus, the maximum possible loss is $50 million. The risk manager also estimates that a flood causing more than $40 million of damage to the plant is so unlikely that such a flood would not occur more than once in 100 years. The risk manager may choose to ignore events that occur so infrequently. Thus, for this risk manager, the probable maximum loss is $40 million.

Catastrophic losses are difficult to predict because they occur infrequently. However, their potential impact on the firm must be given high priority.
In contrast, certain losses, such as physical damage losses to vehicles, occur with greater frequency, are usually relatively small, and can be predicted with greater accuracy.

More information about risk measurement in the 5th week.

1. Qualitative risk analysis is appropriate when it is difficult to gather enough data to quantify the risks; an organization follows this technique when it has little time, a limited budget, and a lack of expertise to do the formal mathematical analysis. You may not always have the necessary historical data to work out probability and cost estimates on IT-related risks, since they can change very quickly. It can be displayed visually with a traffic light grid or a similar method.

Risk assessment matrix:
Risk factor | Impact | Costs | Overall risk
Legacy Win9x clients
Untrained staff
No anti-virus software

You can use your judgement to decide if the probability of occurrence is:
• low - unlikely to occur or impact your business - would lose up to half an hour of production
• medium - possible to occur and impact - would cause complete shutdown for at least 3 days
• high - likely to occur and impact your business significantly - would cause irrevocable loss to the business

2. Quantitative risk analysis is a more formal approach followed after qualitative risk analysis. It assigns a money value to risk. Its formal techniques are probability distributions, decision trees, and simulations.

In an example of server failure, it would involve looking at:
• the asset value - the cost of a server or the revenue it generates
• the frequency of risk occurrence - how often does the server crash
• the probability of associated loss - the estimated loss incurred each time it crashed

From these values, you can work out several key calculations:
• single loss expectancy (SLE) - costs you would incur if the incident occurs once
• annual rate of occurrence (ARO) - how many times a year you can expect this risk to occur
• annual loss expectancy (ALE) - the total risk value over the course of a year, ALE = ARO x SLE

C. Select the Appropriate Combination of Techniques for Treating the Loss Exposures

Techniques for managing risk can be classified broadly as either risk control or risk financing. Risk managers typically use a combination of techniques for treating each loss exposure.
1. Risk control refers to techniques that reduce the frequency or severity of losses.
2. Risk financing refers to techniques that provide for the funding of losses.

More information about techniques of risk management in the 7th week.

D. Implement and monitor the RM program

1. a RM policy statement
   • effective risk management program
   • outlines the RM objectives of the firm, as well as company policy with respect to treatment of loss exposures
   • educates top-level executives in regard to the RM process
   • establishes the importance, role, and authority of the risk manager
   • provides standards for judging the risk manager’s performance
2. RM manual
   • useful tool for training managers, supervisors, and new employees who will be participating in the RM program
   • writing the manual also forces the risk manager to state precisely his or her responsibilities, objectives, available techniques, and the responsibilities of other parties
   • includes a list of insurance policies, agent and broker contact information, who to contact when a loss occurs, emergency contact numbers, and other relevant information

Cooperation with other departments

Other functional departments within the firm are extremely important in identifying loss exposures, methods for treating these exposures, and ways to administer the RM program. With the RM department they can cooperate in the RM process in the following ways:
1. Accounting
   • internal accounting controls can reduce employee fraud and theft of cash
   • can provide information on the tax treatment of risk finance alternatives and the availability of funds to pay for retained losses
2. Finance
   • information can be provided showing the effect that losses will have on the firm’s balance sheet and profit and loss statement
3. Marketing
   • accurate packaging and product-use information can prevent lawsuits
   • safe distribution procedures can prevent accidents
4. Operations
   • quality control can prevent the production of defective goods and lawsuits
   • effective safety programs in the plant can reduce injuries and accidents
5. Human resources
   • employee benefit programs, retirement programs, safety programs, and the company’s hiring, promotion, and dismissal policies

Periodic review and evaluation
• Determine whether the objectives are being attained or if corrective actions are needed.
• In particular, RM costs, safety programs, and loss-prevention programs must be carefully monitored.
• Loss records must also be examined to detect any changes in frequency and severity.
• Retention and transfer decisions must also be reviewed to determine if these techniques are being properly used.
• The risk manager must determine whether the firm’s overall RM policies are being carried out, and whether the risk manager is receiving cooperation from other departments.

Benefits of risk management

An effective RM program yields substantial benefits to the firm or organization. Major benefits include the following:
• A formal RM program enables a firm to attain its pre-loss and post-loss objectives more easily.
• The cost of risk is reduced, which may increase the company’s profits. The cost of risk is a RM tool that measures the costs associated with treating the organization’s loss exposures. These costs include insurance premiums paid, retained losses, loss control expenditures, outside RM services, financial guarantees, internal administrative costs, and taxes, fees, and other relevant expenses.
• Because the adverse financial impact of pure loss exposures is reduced, a firm may be able to implement an enterprise RM program (More information in the 8th week.) that treats both pure and speculative loss exposures.
• Society also benefits since both direct and indirect (consequential) losses are reduced. As a result, pain and suffering are reduced.

Personal Risk Management

• refers to the identification and analysis of pure risks faced by an individual or family, and to the selection and implementation of the most appropriate technique(s) for treating such risks
• considers other methods for handling risk in addition to insurance

Steps in Personal Risk Management:

1. Identify Loss Exposures
Serious financial losses can result from the following:
a) Personal loss exposures
   • Loss of earned income to the family because of the premature death of the family head
   • Insufficient income and financial assets during retirement
   • Catastrophic medical bills and the loss of earnings during an extended period of disability
   • Loss of earned income from unemployment
   • Identity theft
b) Property loss exposures
   • Direct physical damage to a home and personal property because of fire, lightning, windstorm, flood, earthquake, or other causes
   • Indirect losses resulting from a direct physical damage loss, including extra expenses, moving to another apartment or home during the period of reconstruction, loss of rents, and loss of use of the building or property
   • Theft of valuable personal property, including money and securities, jewelry and furs, paintings and fine art, cameras, computer equipment, coin and stamp collections, and antiques
   • Direct physical damage losses to cars, motorcycles, and other vehicles from a collision and other-than-collision losses
   • Theft of cars, motorcycles, or other vehicles
   • Theft or damage to watercraft
c) Liability loss exposures
   • Legal liability arising out of personal acts that cause bodily injury or property damage to others
   • Legal liability arising out of libel, slander, defamation of character, and similar exposures
   • Legal liability arising out of the negligent operation of a car, motorcycle, boat, or recreational vehicle
   • Legal liability arising out of business or professional activities
   • Payment of attorney fees and other legal defense costs

2. Analyze the Loss Exposures
• The frequency and severity of potential losses should be estimated so that the appropriate techniques can be used to deal with the exposure.
• e.g.: the chance that your home will be destroyed by a fire, tornado, or hurricane is relatively small, but the severity of the loss can be catastrophic. Such losses should be insured because of their catastrophic potential. On the other hand, if loss frequency is high, but loss severity is low, such losses should not be insured (such as minor scratches and dents to your car). Other techniques such as retention are more appropriate for handling these types of small losses.
• e.g.: minor physical damage losses to your car can be retained by purchasing collision insurance with a deductible.

3. Select Appropriate Techniques for Treating the Loss Exposures
a) Avoidance
   • e.g.: you can avoid liability for dog bites by not owning a dog. You can avoid the loss from the sale of a home in a depressed real estate market by renting instead of buying.
b) Risk control
   • reduce the frequency or severity of loss
   • e.g.: you can reduce the chance of an auto accident by driving within the speed limit, taking a safe driving course, and driving defensively. Car theft can be prevented by locking the car, removing the keys from the ignition, and installing anti-theft devices.
   • reduce the severity of a loss
   • e.g.: wearing a helmet reduces the severity of a head injury in a motorcycle accident. Wearing a seat belt reduces the severity of an injury in an auto accident. Having a fire extinguisher on the premises can reduce the severity of a fire.
c) Retention
   • means that you retain part or all of a loss
   • active risk retention means you are aware of the risk and plan to retain part or all of it
   • e.g.: you can retain small collision losses to your car by buying an auto insurance policy with a deductible for collision losses. Likewise, you can retain part of a loss to your home or to personal property by buying a homeowners policy with a deductible.
   • Risk can also be retained passively because of ignorance, indifference, or laziness. This practice can be dangerous if the retained risk could result in a catastrophic loss.
   • e.g.: many people are not insured against the risk of long-term disability, even though the adverse financial consequences from a long-term permanent disability generally are more severe than the financial consequences of premature death. Thus, people who are not insured against this risk are using risk retention in a potentially dangerous manner.
d) Noninsurance transfers
   • methods other than insurance by which a pure risk is transferred to a party other than an insurer
   • e.g.: the risk of damage to rental property can be transferred to the tenant by requiring a damage deposit and by inserting a provision in the lease holding the tenant responsible for damages. Likewise, the risk of a defective television can be transferred to the retailer by purchasing an extended-warranty contract that makes the retailer responsible for labor and repairs after the warranty expires.
e) Insurance
   • Common purchases include life insurance, health insurance, homeowners insurance, auto insurance, and a personal umbrella liability policy.

4. Implement and Monitor the Program Periodically
• At least every 2 to 3 years, you should determine whether all major loss exposures are adequately covered. You should also review your program at major events in your life, such as a divorce, birth of a child, purchase of a home, change of jobs, or death of a spouse or family member.

How to manage IT risks?

Managing various types of IT risks begins with identifying:
• the type of threats affecting your business
• the assets that may be at risk
• the ways of securing your IT systems

In business, IT risk management entails a process of identifying, monitoring and managing potential information security or technology risks with the goal of mitigating or minimising their negative impact. Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system failures and natural disasters.

IT risk management process

1. Identify risks - determine the nature of risks and how they relate to your business.
2. Assess risks - determine how serious each risk is to your business and prioritise them.
3. Mitigate risks - put in place preventive measures to reduce the likelihood of the risk occurring and limit its impact.
4. Develop incident response - set out plans for managing a problem and recovering your operations.
5. Develop contingency plans - ensure that your business can continue to run after an incident or a crisis.
6. Review processes and procedures - continue to assess threats and manage new risks.

Thank you for your attention!
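
An added example, not part of the original slides: a small IT risk register that applies ALE = ARO x SLE from the quantitative analysis slide to the "Assess risks" step, and shows why the slides rank severity above frequency, since ordering by ALE alone pushes a rare catastrophic exposure down the list. The exposure names, all monetary figures and the catastrophic threshold are constructed assumptions.

```python
"""Added example: rank a constructed IT risk register by ALE = ARO x SLE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    sle: float  # single loss expectancy: cost if the incident occurs once
    aro: float  # annual rate of occurrence: expected incidents per year

    def __post_init__(self):
        # Negative costs or frequencies would silently distort the ranking.
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")

    @property
    def ale(self) -> float:
        """Annual loss expectancy, rounded to cents."""
        return round(self.aro * self.sle, 2)


# Constructed sample register; every figure is illustrative only.
REGISTER = [
    Exposure("Server hardware failure", sle=8_000, aro=3),
    Exposure("Laptop theft", sle=2_500, aro=12),
    Exposure("Ransomware outage", sle=400_000, aro=0.1),
    Exposure("Data centre flood", sle=5_000_000, aro=0.005),
]

# Assumed threshold: a single loss this large would threaten the firm's survival.
CATASTROPHIC_SLE = 1_000_000


def rank_by_ale(register):
    """Order exposures by expected annual cost alone."""
    return sorted(register, key=lambda e: e.ale, reverse=True)


def rank_severity_first(register, catastrophic_sle=CATASTROPHIC_SLE):
    """Put exposures with a catastrophic single loss first, then order by ALE."""
    # False sorts before True, so catastrophic exposures lead the list.
    return sorted(register, key=lambda e: (e.sle < catastrophic_sle, -e.ale))


def report(register, catastrophic_sle=CATASTROPHIC_SLE):
    """Return one formatted line per exposure in severity-first order."""
    lines = []
    for e in rank_severity_first(register, catastrophic_sle):
        flag = "CATASTROPHIC" if e.sle >= catastrophic_sle else ""
        lines.append(
            f"{e.name:<24} SLE={e.sle:>12,.2f} ARO={e.aro:<6} "
            f"ALE={e.ale:>10,.2f} {flag}".rstrip()
        )
    return lines


if __name__ == "__main__":
    print("ALE-only order:", [e.name for e in rank_by_ale(REGISTER)])
    print("\n".join(report(REGISTER)))
```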