Once the risk management policies have been defined, it is necessary to determine a number of underlying procedures to support them. These guide the actions of the risk manager in ensuring that a company has taken sufficient steps to ensure that risks are kept at a minimum. The procedures follow a logical sequence of exploring the extent of risk issues, finding ways to mitigate those risk internally, and then using insurance to cover any risks that cannot otherwise be reduced. In more detail, the procedures are:
1. Locate risk areas. Determine all hazards to which the company is subject by performing a complete review of all properties and operations. This should include a review of not only the physical plant but also of contractual obligations, leasehold requirements, and government regulations. The review can be completed with insurable hazard checklists that are provided by most insurance companies, with the aid of a consultant, or by reviewing historical loss data provided by the company’s current insurance firm. However, the person conducting this review must guard against the FUD Principle (Fear, Uncertainty, and Doubt) that is cheerfully practiced by all insurance companies. That is, they tend to hone in on every conceivable risk and amplify the chance of its occurrence, so that a company will purchase lots of unnecessary insurance. The best way to avoid this problem is to employ an extremely experienced risk manager who knows which potential risks can be safely ignored. The following areas, at a minimum, should be reviewed:
- Buildings and equipment. The risk manager should list the type of construction, location, and hazards to which each item is exposed. Each structure and major piece of equipment should be listed separately. The current condition of each item should be determined and its replacement cost evaluated.
- Business interruption. The risk manager should determine the amount of lost profits and continuing expenses resulting from a business shutdown as the result of a specific hazard.
- Liabilities to other parties. The risk manager should determine the risk of loss or damage to other parties by reason of company products, services, operations, or the acts of employees. This analysis should include a review of all contracts, sales orders, purchase orders, leases, and applicable laws to determine what commitments have been undertaken and what exposures exist.
- Other assets. The risk manager should review cash, inventory, and accounts receivable to determine the possible exposure to losses by fire, flood, theft, or other hazards.
2. Determine the risk reduction method. Match each risk area with a method for dealing with it. The possible options for each risk area include avoidance, reduction of the hazard, retaining the hazard (i.e., self insurance), or transferring the risk to an insurance company. Note that only the last option in this list includes the purchase of insurance, for there are many procedures that a company can implement to reduce a risk without resorting to insurance. The selection of a best option is based on a cost-benefit analysis that offsets the cost of each hazard against the cost of avoiding it, factoring in the probability of the hazard’s occurrence. The general categories of risk reduction are:
- Duplicate. A company can retain multiple copies of records to guard against the destruction of critical information. In addition, key systems such as local area networks, telephone systems, and voice mail storage can be replicated at off-site locations to avoid a shutdown caused by damage to the primary site. For example, airlines maintain elaborate backup systems for their seat reservation databases.
- Prevent. A company can institute programs to reduce the likelihood and severity of losses. For example, some companies invite the Occupational Safety and Health Administration (OSHA) to inspect their premises and report on unsafe conditions; the companies then correct the issues to reduce their risk of loss. If a company requires employees to wear hardhats in construction areas, then a falling brick may still cause an accident, but the hardhat will reduce the incident’s severity. Examples of prevention techniques include improving lighting, installing protective devices on machinery, and enforcing safety rules.
- Segregate. A company can split up key assets such as inventory and distribute it to multiple locations (e.g., warehouses). For example, the military maintains alternate command centers in case of war.
3. Implement internal changes to reduce risks. Once the types of risk avoidance have been determined, it is time to implement them. This usually involves new procedures or installations, such as fire suppression systems in the computer processing facility, or altered cash tracking procedures that will discourage an employee from stealing money. Changes to procedures can be a lengthy process, for it includes working with the staff of each functional area to create a new procedure that is acceptable to all users, as well as following up with periodic audits to ensure that the procedures are still being followed.
4. Select a broker. Every company will require some insurance, unless it takes the hazardous approach of self-insuring virtually every risk. It is necessary to select a broker who can assist the company in procuring the best possible insurance. The right broker can be of great help in this process, not just in picking the least expensive insurance, but also in selecting the correct types of coverage, determining the financial strength of insurers, post-loss service, and in its general knowledge of the company’s business and of the types of risk that are most likely to occur in that environment. Unfortunately, many companies look for new brokers every few years on the principle that a long-term broker will eventually raise prices and gouge the company. In reality, a long-term relationship should be encouraged, since the broker will gain a greater knowledge of the company’s risks as problems occur and claims are received, giving it a valuable insight into company operations that a new broker does not have.
5. Determine the types of insurance to be purchased. Once the broker has been selected, the risk manager can show the preliminary results of the insurance review to the broker, and they can then mutually determine the types of insurance that are needed to supplement the actions already taken internally to mitigate risk. The types of insurance include the following:
- Boiler and machinery. Covers damage to the boilers and machinery, as well as payments for injuries caused by the equipment. Providers of this insurance also review the company’s equipment and issue a report recommending safety improvements.
- Business interruption. Allows a company to pay for its continuing expenses and in some cases will pay for all or part of its anticipated profits.
- Commercial property. The minimum “basic form” of this insurance covers losses from fires, explosions, wind storms, hail, vandalism, and other perils. The “broad form,” which is an expanded version, covers everything in the basic form plus damage from falling objects, the weight of snow, water damage, and some causes of building collapse. Optional coverage includes an inflation escalator clause, replacement of destroyed structures at the actual replacement cost, and coverage of finished goods at their selling price (instead of at their cost).
- Comprehensive auto liability. This coverage is usually mandatory and requires a minimum level of coverage for bodily injury and property damage.
- Comprehensive crime. Covers property theft, robbery, safe and premises burglary, and employee dishonesty; in the case of employee dishonesty, the company purchases a fidelity bond, which can cover either a named individual, a specific position, or all employees. Some policies will also cover ransom payments.
- Directors and officers. Provides liability coverage to corporate managers for actions taken while acting as an officer or director of the corporation.
- General liability. Covers claims involving accidents on company premises, as well as by its products, services, agents, or contractors. An umbrella policy usually applies to liability insurance and provides extra coverage after the primary coverage is exhausted. An umbrella policy has few exclusions.
- Group life, health, and disability. There are several types of life insurance; split-dollar life insurance covers an employee and its cost is split between the company and the employee, key person insurance covers the financial loss to the company in case an employee dies, and a cross-purchase plan allows the co-owners of a business to buy out the share of an owner who dies. Health insurance typically covers the areas of hospital, medical, surgical, and dental expenses. Disability insurance provides income to an individual who cannot work due to an injury or illness. The disability insurance category is subdivided into short-term disability (payments made while recovering one’s health following an injury or illness) and long-term disability (continuing payments with no anticipation of a return to work).
- Inland marine. Covers company property that is being transported. Examples of covered items include trade show displays and finished goods being shipped.
- Ocean marine and air cargo. Covers the transporting vehicle (including loss of income due to loss of the vehicle), liability claims against the vehicle’s owner or operator, and the cargo.
- Workers’ compensation. Provides medical and disability coverage to workers who are injured while performing duties related to their jobs. The insurance is mandatory, the employer pays all costs, and no legal recourse is permitted against the employer. There are wide variations in each state’s coverage of workers’ compensation, including levels of compensation, types of occupations that are not considered, and the allowability of negligence lawsuits.
These steps allow a risk manager to determine the types and potential severity of a company’s risks, as well as how to reduce those risks, either through internal changes or by purchasing various types of insurance coverage.