Risk Management and Mitigation

Objective: Understand risk management considerations as well as mitigation through insurance, proper security procedures, and contingency management strategies.

Key Concepts

Goal: What are the most important precepts and prescriptions for an organization to consider regarding risk management and mitigation?

Risk Management Considerations

Protect or Enhance Value

Definitions

• Risk is “the “effect of uncertainty on objectives” (ISO, 2009; ISO 2015)
• “Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues.” (Heinz-Peter, 2010)

Risk management consists of organizational activities to identify, direct and control risk. Risk management can enhance value and help it achieve outcomes or protect it from untoward events or conditions. Categories of risk include (The Institute of Risk Management, 2002; DCU Risk & Compliance Office, 2015):

1. Financial,
2. Operational,
3. Reputational/ Knowledge Management
4. Governance and Compliance,
5. Strategic.

As an example, in terms of reputation risk, the damage to a brand and reputation may be to the short or long term. Its effect can be in multiple spheres from revenue and expenses to perception such as ranking among the competition, revenue, employee morale, community support, overall rating, and public perception. It can affect relationships and oversight including agreements with partners and government regulation. Examples would include the recent events at United Airlines, Wells Fargo, and British Petroleum).

Inadequate risk management can impact the entire organization, customers, potential customers, or the broader public. Engaging in risk management ensures the organization achieves maximal benefit. The intent is to minimize adverse or unanticipated effects.

Address Uncertainty

The goal of risk management is addressing uncertainty in a stepwise, logical, consistent, and comprehensive fashion (The University of Adelaide, 2005; WorkSafe ACT, 2012). Here is an example step-wise strategy:

Step 1: Establish the context: Identify the objectives and internal and external parameters that represent potential types of risks. Identify those on a daily operational level as well as longer-term strategic concerns including those associated with new activities.

Step 2: Describe the specific risks in detail. Identify

1. Negative factors that affect achievement of objectives. How will they impact the objectives – will they lead to prevention, degradation, or delay?
2. Positive factors that might create, enhance, or accelerate success.
3. The impact of doing nothing and potentially missing an opportunity.
4. The source of the risk and the likely cause.
5. The potential consequences and impact on the internal aspects of the enterprise.
6. The potential consequences and impact on components that are external to the organization.
7. The relationship of the risk to other events and thus its predictability as well as potential impact.
8. The likelihood of the occurrence of the risk in time, place, or activity
9. The predictability of the risk and the potential for a repeat of the risk.
10. The ability to control the risk or influence it
11. What personnel or departments have authority to control the risk. Who will coordinate if there are more than one?

Step 3: Understand the risk: Outline the strengths and weaknesses of existing sources available to mitigate the risk.

Step 4: Evaluate the risk: Determine if the risk is acceptable or not. If the risk is not acceptable decide on the need for actions to mitigate the risk by changing behavior or accepting the risk.

Step 5: Treat the risk: If management decides to take action, apply effort to mitigate the cause of the risk.

Step 6: Monitor risk response effectiveness (or performance).

Risk Management Mitigation (Step 5 above)

Responses to risk include (Crane et al, 2013; The Chartered Institute of Management Accountants, 2007):

1. Acceptance: Hope the risk doesn't happen or calculate that if it does, it will be more straightforward to deal with it after it happens.
2. Avoidance: Stop activities that potentially lead to risk. This approach is not an option in most cases since the action is typically essential to accomplish an objective.
3. Reduction: Mitigate the risk via an internal action. Outline the management processes to address the risk including:
   1. Decrease the likelihood of the risk occurring such as by emphasizing prevention, quality assurance, closer management, or a change in the business process
   2. Minimize exposure to the risk or potentially isolate the source of the risk from other activities to minimize consequences
   3. Contingency planning. Create a “what if” scenario.
4. Share or transfer risk: Engage external resources such as insurance to address risk. This strategy moves the responsibility to an organization outside the enterprise using a contract, insurance, or partnership/joint venture. Note that this strategy can, in fact, introduce additional risk if the intended transfer, transfers the risk to an organization that suffers from its own risk or cannot assume the risk and eventually returns it to the original organization.

Insurance

Risk financing such as an insurance program mitigates the financial consequences of risk. Some losses or may be uninsurable and thus may have a broader impact (e.g., the consequences of allegations related to Uber’s leadership). Types of insurance for business include

1. Professional liability or errors and omissions (E&O) insurance. Protects against negligence claims. Such insurance does not cover fraud or criminal acts.
2. Property insurance. Covers items owned by the company (e.g., equipment, inventory, and furniture) and the office if the company owns the office. Note that some risks are not typically covered including floods and earthquakes; they require separate insurance coverage.
3. Workers’ compensation insurance. Required to cover medical treatment, disability, and death benefits if the employee is injured or dies because of work performed as a part of the enterprise.
4. Unemployment insurance. Required insurance to provide benefits to employees who have sufficient work in the recent past to qualify.
5. Home-based business insurance. Your homeowner’s insurance may not cover your business loss if you work from home.
6. Product liability insurance. Essential insurance in case your product causes damage to a customer or as a result of its normal use.
7. Vehicle insurance. Similar to personal car insurance; however the total coverage may need to be higher depending on the assets of the company that are at risk. Personal insurance usually covers vehicles that the employee uses as a part of work except for when the vehicle is used for delivery.
8. Business interruption insurance. Compensates company in case of an acute event that limits the productivity of the company
9. Key man and Director’s insurance. Key man insurance compensates the company if an officer is injured and cannot work. The payout is to the company to cover its need to replace the value provided by the officer. Director’s insurance covers the board of directors in case they are sued based on an action of the company. A member of the Board of Directors may insist that she or he is covered by director’s insurance.

Security Procedures

Security provides protection via a separation or control between the asset at risk and the threat (the agent that will be responsible for the risk. The asset can be harmed, changed, or destroyed. A control can be physical or non-physical, including electronic controls and documented processes.

Conceptually there are three types of security controls:

• preventative,
• detective, and
• responsive.

For example, a security mechanism

• prevents alteration by the threat to the asset (e.g., a locked door),
• detects that a compromise occurred or a compromise is happening (e.g., a monitoring camera that detects motion and sends an alert) or
• responds to a compromise while it’s happening or after it has been discovered (e.g., sounds an alarm or locks a door to prevent further compromise).

Similarly, virus detection software can stop the installation of dangerous software, detect that software is trying to something it is not supposed to do (e.g., change key operating system file) or respond to a virus by renaming the file and put it into a special “quarantine” folder.

Contingency Management Strategies

A contingency strategy manages exposure to an infrequent event that is unpredictable in its timing or severity (Protiviti, 2006). A marketing contingency plan will identify a change if sales disappoint due to market changes in desire, a new entrant or perception of poor product quality. Similar contingencies could be in place for higher than expected usage or purchase. In the case of Pokemon Go, the software game had frequent crashes because the designer of the software required much network traffic to play the game. And there were not enough resources to handle the increasingly frequent requests as the game grew quickly.

Similarly with new iPhone sales seem to grow higher and higher. Apple has learned to develop contingencies if it cannot build new equipment fast enough. Not only do they avoid annoying customers but they gain the bragging rights based on the rapid and enormous sales value that occurs soon after the launch of the new iPhone.

Interrogate and Extend Concepts

Goal: Propose and answer clarifying questions about the topics to consider and challenge the resources, ideas, and concepts.

Q & A #1

1. Q: In my company how do I make sure that an employee who works with the finances doesn’t steal from me?
2. A: From a security perspective of risk management you can prevent theft by having careful hiring practices, clear policies and expectations and a dual role model such that large transactions require effort by 2 people. Detection can be done by having credit cards and bank accounts sent out warning emails when large transactions occur, say > $5000. One can also have a monthly review of finances on an unpredictable day of the month. Finally, one can set up one's accounts such that a very large transaction request will shut down access to the bank account until a phone call is made from a corporate officer.

Q & A #2 (Devil’s Advocate)

Q: Accounting for all risks is a waste of time. Wouldn’t it be more efficient to just deal with all risks on a contingency basis?

A: For some risks, yes. That the purpose of interrogating the risks and understanding them. Some risks are so minor or so infrequent and unpredictable that it makes little sense to prepare for an eventuality that may never happen, for which no preparation is possible, or where the negative outcome is minor in impact.

In contrast, if you had a fire in your office not only could it destroy your office and lead to significant downtime, but it may eliminate some records that are absolutely essential. Further, if your office includes a server which has your electronic files, you may lose far more than a bunch of papers. Even though a fire may be a relatively uncommon event if it did occur it could potentially destroy the viability of the entire company.

In contrast, it is relatively simple to make sure that server files are copied off-site on a routine basis. Paper-based records can be scanned and stored in such a system so that even if the papers are destroyed there is an electronic copy available. Finally, there is the risk to staff which is incalculable. Simple mechanisms such as safety procedures, fire detectors, and fire extinguishers are inexpensive controls which can prevent, detect, and mitigate such risks.

Supplement Concepts

Goal: Supply current, quality web links to supplementary material that support, illustrate, elaborate/expound on, typify, and challenge a concept, piece of content, or idea.

Discussion of Supplementary Material

1. The Wells Fargo Scandal is a Failure in Risk Management
   1. Why we chose the supplementary material: Not all risks are to materials; reputation risks can be the most expensive
   2. What is important about it: Wells Fargo set up a compensation system the increased the risk of fraudulent activity. It did not have systems in place to detect or halt such activity.
   3. What part(s) of the Learning Module it supplements: Security Procedures
   4. What the key takeaways are: Through corporate choices, one can actually introduce a novel security risk.
2. Volkswagen Side-Steps Enterprise Risk Management
   1. Why we chose the supplementary material: An example of a risk internal to the company
   2. What is important about it: We often see “teaching to the test” as acceptable, but any support for gaming the system opens up the company to the risk of internal fraud
   3. What part(s) of the Learning Module it supplements: The need to avoid some risks at all costs.
   4. What the key takeaways are: Fraud can inflict enormous damage on a brand. Scrupulous honesty is essential to avoid this risk.
3. GM's risk management failures provide lessons for other firms
   1. Why we chose the supplementary material: To highlight the importance of monitoring the risk management system
   2. What is important about it: GM had a system, they just ignored it
   3. What part(s) of the Learning Module it supplements: The final step in the risk assessment process when one assesses if the system is functioning adequately
   4. What the key takeaways are: There is no sense in creating a risk mitigation system if you aren’t going to take action when a problem is identified.
4. How Did BP's Risk Management Lead to Failure?
   1. Why we chose the supplementary material: To highlight the importance risk management to an enterprise and to management
   2. What is important about it: Errors due to an inadequate risk management system are inevitable and can lead to failure of the company
   3. What part(s) of the Learning Module it supplements: The role of management is creating, supporting and evaluating a risk management system.
   4. What the key takeaways are: Ignoring risks is not an option. The steps can seem distracting and time-consuming but skipping necessary risk management assessment and mitigation can have an enormous impact.

References

• ISO 31000:2009, Risk Management – Principles and guidelines (2009). Geneva: International Standards Organization, 2009.
• ISO 31000 Risk Management: A Practical Guide for SMEs (2015). Geneva: International Standards Organization, 2015 [Note: SME: Small and Medium-sized Enterprises]
• Risk Management: Procedures, Methods And Experiences, Heinz-Peter Berg, Bundesamt Für Strahlenschutz, Salzgitter, Germany, (vol.1) 2010, June.
• IRM: A Risk Management Standard: The Institute of Risk Management, 2002, London
• Introduction to Risk Management (Theory & Practice), DCU Risk & Compliance Office, Dublin City University, November 2015
• The University of Adelaide Risk Management Framework. Legal and Risk Branch, Division of Services and Resources, The University of Adelaide, SA, 2005 Australia.
• 6 Steps to Risk Management. WSACT HB 0002 - WorkSafe ACT 2012.
• Laurence Crane, Gene Gantz, Steve Isaacs, Doug Jose, Rod Sharp. Introduction to Risk Management. Understanding Agriculture Risk: Production, Marketing, Financial, Legal, Human Resources. USDA. Extension Risk Management Education and Risk Management Agency. 2013.
• Introduction to Managing Risk. Topic Gateway series no. 28. The Chartered Institute of Management Accountants, London, 2007
• Guide to Enterprise Risk Management. Frequently Asked Questions. Protiviti. January 2006