Having worked in the insurance industry for many years and many major carriers as an underwriter  – I have heard the word risk about as many times as one can imagine.  But no matter what the coverage in the property and casualty world there is a common risk evaluation process that can be applied. This process can certainly be incorporated into more broad enterprise risk management functions in corporations. In taking the Chartered Property and Casualty Underwriter (CPCU designation) tests there was invariably a question related to implementing the risk evaluation process.

RISK MANAGEMENT PROCESS
This is a good thing for the test taker if one can quickly scribe out the basic process as follows:

1. Identify the Risk:  The risks that any Fortune 1000 company are exposed are many and varying so this is a very broad category.  Hence the risks are usually grouped in line of coverage – property, liability, fidelity and such.  Some risks are common to all – fire, theft and your everyday on premise slip and fall.  Others are quite unique such as contaminants causing a total product recall.  But the key is identifying the risk.
2. Quantify the Risk:  Once identified the risk needs to be quantified.  In the insurance industry risks (losses) are gauged in terms of frequency and severity.  Frequency is simply the expected number of occurrences (of each loss) and severity is the size of each loss.  It’s clear that low frequency low severity is the bottom of the continuum moving to high frequency high loss being the absolute avoidance.  For example, most liability lines are low frequency high loss (the above cited product recall) while auto coverage is high frequency and low loss (fender benders).  The key is to know where in the continuum the risk lies in terms of frequency and severity.
3. Present the Risk Management Options:  The analytical heavy lifting now being done – it is time to begin the management end of the process.  There are three fundamental methods to deal with these risks:
   1. Avoid the Risk:  This is the safest method but difficult for business decisions.  A company my want to offer a certain high risk medical procedure but unable to get Medical Malpractice.  Building condos without considering hurricane or earthquake coverage – Ohio may be a better place to start.  This is the fundamental risk versus return (high premium) scenario.
   2. Retain the Risk:  Take 100% of the risk (loss) and be able to support it financially (more on this in a bit).
   3. Transfer the Risk:  This is to move a portion or all of the risk to a third party – mainly insurance companies.  In most cases – companies are will to retain a portion of the risk in the form of a deductible ( known as an SIR – Self Insured Retention) to lessen the premium cost of the coverage.  Think of your own auto insurance deductible what you are will to fund (perhaps  $500) in the event of a large repair  bill to your vehicle.
4. Select the Risk Management Options:  Given the three scenarios above a company must select the best option to manage the risk.  Two considerations come to the fore in this decision:

A.  Financial Considerations:  This is all about what the company can financially justify given the loss projections and the three scenarios given above on risk management.  Most decisions by companies are bases on how much SIR they can maintain given any one exposure and based again on frequency and severity.

B. Non-Financial Consideration:  These revolve around factors such as the economy, regulation, industry specific pressures and the like.  Back to the example of the Medical Malpractice exodus by many carriers – the legal environment caused the coverage to blow up like a colossal  supernova – the deductibles were irrelevant at that point.

5.  Monitor the Risk:  This is the last but perhaps one of the lesser managed aspects of the risk management process.  Once through the process it is easy to move ahead with other business.   But as cited – environmental, regulatory, economic and company internal considerations may change the above considerations drastically and hence monitoring the process should be part of the overall enterprise risk management function.

SUMMARY
So in summary, while this is a risk management process derived from the insurance industry it certainly has parallel practicality to any aspect of reviewing and making decision on a organizations’ enterprise risk management process . Identify, Quantify, Present, Select and Monitor can be applied to many different risk scenarios and at the very least present a template for evaluating the risks.