Risk, in insurance terms, is the possibility of a loss or other adverse event that has the potential to interfere with an organization’s ability to fulfill its mandate, and for which an insurance claim may be submitted.
Insurance is a valuable risk-financing tool. Few organizations have the reserves or funds necessary to take on the risk themselves and pay the total costs following a loss. Purchasing insurance, however, is not risk management. A thorough and thoughtful risk management plan is the commitment to prevent harm. Risk management also addresses many risks that are not insurable, including brand integrity, potential loss of tax exempt status for volunteer groups, public goodwill and continuing donor support.
An organization should have a risk management strategy because:
Managing risk is good business sense. It is one of the most important things you can do to maintain the viability of your organization. An effective risk management strategy provides the opportunity for better pricing on your insurance premiums, saves you out-of-pocket costs like deductibles and ensures a safe and stable environment for your employees/volunteers and customers. An effective risk management program also helps you to understand and be prepared for the risks you face before losses occur. That preparation can mean the difference between an organization that thrives and one that fails.
No matter how you choose to manage your risk and reduce or eliminate potential losses, it is important to document the steps you take. A risk management plan without proof is of no use to an insurer.
The basic steps of the risk management process are:
Every activity of an organization poses a risk. Before an organization can control its risks and decide what to do (if anything), it must identify the risks.
Some risks are generic and inherent to many organizations – for example, the possibility of a visitor slipping on a wet floor, an employee/volunteer embezzling the organization’s funds, or a former employee or client alleging violation of his rights.
Other risks are unique to your organization and based upon the services you provide. If it can happen in your organization, you should list it during this step of the risk management process.
• List your business’ objectives (key practices that must be in place so the business will not fail), activities, assets and key stakeholders. Then determine the associated risks.
• You can also consult other sources to get a picture of your risk, including:
You may feel overwhelmed after completing the first step of looking at your exposure. Assessing the probability of each risk becoming reality (frequency) and estimating its possible effect and cost to the organization (severity) are the solutions.
For example, if you have a home-based business and most of your interaction with customers is over the phone or via e-mail, you would probably have a lower chance of many or expensive claims. (You can still have losses; consider the courier who is delivering business papers to your home and trips and falls on your sidewalk.) This would be in contrast to a bus company that transports senior citizens to special events. There is a greater chance of incurring a higher number of claims – you are driving on busy roads – and claims that are more severe – seniors can be of more fragile health.
Of the exposures identified in step 1, determine:
Select and implement the appropriate risk management techniques. There are ways to manage an organization’s risks. Select the techniques that work the best for your organization. The five major risk management techniques are:
The first part of this step is to create the risk management plan. You are going to address in real, practical terms how you are going to make the option you choose work for your organization. Maybe this will involve creating a risk management committee.
An important part of the plan is to ensure that there is buy-in from senior management, staff, customers, volunteers and other stakeholders. This may involve a campaign that isn’t as much about training as it is about letting them know that changes are going to happen.
Ensure that staff and others are trained and informed about the plan. Not only do they need to understand the policies and procedures resulting from your risk review, they must understand that they have a broader role to play. They should be risk sensitive and understand that everyone in the organization suffers the consequences of the increased cost of risk.
Employees/volunteers should understand how to complete the appropriate forms and reports. They should also be updated on accident and claims frequency and cost.
In this day and age, change is the only constant. The dynamic nature of your organization requires that your risks and risk management plan be reviewed at least once a year.
First, you should evaluate the plan to determine if it is working. You should also look at whether your risks changed during the course of the year, and if changes to the plan are required. Changes in your operation must be reviewed to ensure that the risk management program continues to be relevant, comprehensive and effective. In the annual review of your operation, you may find that you are overinsured (e.g., if you have discontinued a service) and can drop the additional coverage. If your operation has expanded, you can see where you may require additional coverage to ensure that you and your organization are fully protected.
Keep accurate records of how the plan has changed and the results of the annual reviews. It shows your insurer that you are committed to risk management and have a history of implementing thoughtful and adaptive plans.
Thank you to the Insurance Bureau of Canada for this information.