The construction industry is full of unending challenges, requiring high energy and constant problem solving.  The company owner is like a juggler with 50 balls up in the air (potential problems); if any drop (actual problem) it could cause all the rest to drop as well (total problem i.e. business failure).

The large amount of potential problems, combined with low industry margins,  is undoubtedly a major reason the construction industry has one of the highest failure rates (right up there with restaurants).   Unlike companies in most industries, though, contractors usually don’t fail because of poor products or service.

Why Contractors Fail

Sure there are some cases, but in general, contractors don’t fail because of poor construction.  Most contractors build a decent building.  After all, they have to follow rigid design specifications and plans and have to undergo inspections.  So if they don’t fail because of poor building practices, then why do contractors fail?

In simple terms, it is because of poor business practices.  Many construction companies are started by project managers without specific schooling in running a business.  They know how to run a job, but haven’t been taught to run a construction company. To compound matters, there isn’t really much formal education offered in running a construction company.  Frankly, there should be a college major for it.

Finding the Root Causes of Failure

Every company has a bunch of business practices, and if those business practices are properly in place, the company will maximize its ability to make a profit.  All those business practices (or things you need in place) are called risk factors.  That is the heart of Enterprise Risk Management…

Every process, practice, system, procedure, or activity that takes place in a company must be working perfectly to maximize profitability. Obviously, this sort of perfection is impossible, but it is (or should be) a goal for every company.

So, I started on a quest to uncover the root causes of business failure. I began by identifying all of the major contributing causes for loss based upon my years of experience and sought out publications and other professionals who could serve as resources for further adding to the list.

I knew that all causes of loss could be fixed by putting a business practice or control in place and that if those controls or practices weren’t in place, it could cause a business to fail.  Conversely, having all the necessary controls and practices in place would provide a business with the greatest ability to generate profits (to maximize profitability).

With a greater understanding of how controls impacted profitability, it became clear that the effectiveness of existing controls at a company had to be assessed to determine the degree the company was at risk of failure. This is, in fact, what the Enterprise Risk Management process does and what risk management was intended to be long ago.

Reactive Management

Just like financial advice is sought after a portfolio has shrunk or a financial dilemma has occurred, and business analysts are brought in after a company has lost money, I spent my early days as a consultant patching up systems or procedures in construction firms that were disheveled. In fact, a large amount of my time was spent on complete turn-arounds.

Proactive Management

Enterprise Risk Management identifies potential causes for loss well in advance so they can be addressed before harm occurs.  This is a large shift from the thinking of fixing problems once they occur.  That is the beauty of ERM.  It prevents problems by recognizing weaknesses while they can still be corrected.  That said, most contractors continue to unknowingly risk profits by failing to inspect systems and controls that could cause future problems.

I encourage any contractor interested in preventing problems rather than patching them to consider adopting an ERM process and the philosophy of enterprise-wide risk management.  It’s a sure way to strengthen business fundamentals and maximize potential profit.

Today I met an individual who asked what I did for a living. I was somewhat distracted and mumbled the word “risk management.” As I regained my focus this gentleman said “Oh, you’re a risk manager. I’ve had trouble with my Workers’ Compensation…” and he began to talk about insurance.

This was a prime example of the perception surrounding the terms “risk management” and “risk manager,” and how they’ve been equated solely to insurance coverage and insurance professionals in the past.   I’ve witnessed this misrepresentation of the terms so many times that I felt not just inspired, but a public obligation, to write this article and help clear the confusion with the terminology that began long ago.

PASSING THE SMELL TEST

In the early 1960’s, two professors, Robert Mehr and Bob Hedges, developed the concept of Enterprise Risk Management. These two could easily be called the Godfathers of Risk Management. They published the first text to fully address the subject of business risk, “Risk Management in the Business Enterprise.”  The book introduced how risk management of an entire business could maximize efficiency, which would result in greater productivity. The basic premise was that all business risks should be managed, not simply those that could be “insured.”

Suffice it to say that over time, the term “risk management” began to take on a more limited meaning, referring just to insurable risks (for a slightly more elaborate outline see history of enterprise risk management). Now, some 45 years later, many large public firms are finally returning to the original roots of risk management. The Risk Managers of these firms manage the risk exposures of the entire business, not just those risks that are insurable. Mehr and Hedges would be very happy about this if they were here with us today. And, I might add, this helps put my mind at ease as well.

You see, having been heavily involved in construction for much of my lifetime and having witnessed many different construction business failures, it became evident to me that the causes for each failure all boiled down to risk. However, it never seemed to make sense that insurance brokers and agents called themselves risk managers, especially since they only provided a form of management that addressed insurable risk. It just never sat right with me. First of all, they really didn’t address anywhere close to all of the business risks that exist. Second, out of all the business failures I had witnessed, none were the result of having too little insurance or poor loss control procedures. When I finally came to understand how risk management evolved over the years it was somewhat of an awakening.

THE ENTERPRISE RISK MANAGEMENT PROCESS

Robert Mehr and Bob Hedges came up with the steps for the risk management process, and the basic form is still in practice to this day:

• Risk Identification (Identify all the risk factors; all the possible causes for loss in a typical company)
• Risk Analysis (Analyze the risk; assess and measure the potential for loss in the company to be examined)
• Risk Response (Determine what to do; either assume, transfer or reduce the risk)
• Risk Control (Implement internal controls to reduce or transfer the risk)
• Risk Monitoring (Select a method for monitoring results and put it in practice)

As originally intended, risk management would encompass management of the entire business enterprise; hence, the field became known as Enterprise Risk Management (ERM for short). ERM requires examination of all risks that an organization faces and applies directly to four distinct types of risk: Operational Risk, Financial Risk, Strategic Risk, and Hazard Risk.

For the most part, only hazard risks are insurable.  Thus, insurance brokers should have called themselves hazard risk managers instead of just “risk managers”.  Now, with the reemergence of ERM, traditional insurance-based “risk managers” are being pushed into a wider arena of risk management, one that incorporates all other areas of business risk, many new forms of risk analysis, and a wider array of risk control mechanisms.

The primary challenge of expanding risk management across the enterprise is that, because it involves so many different aspects of an organization’s operations, traditional insurance-based risk managers (who focus only on hazard risk) are simply not qualified as enterprise risk managers. They simply don’t have the experience or expertise necessary to have a firm grasp of all aspects of a business, and there are already signs they are losing their hold on the “risk manager” title. In fact, the fastest growing position in the business world today is that of Chief Risk Officer (CRO). As ERM continues to filter down from public companies to smaller and smaller private companies, you can expect a CRO type individual to become part of every management team. After all, the adoption rate of the ERM process has already reached 40% in public firms.

In order for risk managers to evolve from insurance minded professionals to ones who understand the risks of an entire business enterprise, they will have to learn the language and the approach of each business area, either alone or as a team. If they are to act as a team, the team leader will need to have a basic understanding of all the steps involved in the entire process of risk management and the methodology used in each business area. Clearly, traditional risk managers will need to obtain additional skills to be involved with enterprise risk management.

TYPES OF RISK MANAGERS

There is no doubt Enterprise Risk Management is making its way from large public firms to firms in the private arena. It is being dictated by credit providers of large public firms as a result of Sarbanes-Oxley and, given the current credit environment, may soon be expected of private firms too. It may not be long until ERM becomes an expected and necessary way for all companies to operate.

Since risk management has expanded to cover risk across the entire enterprise, one of the largest challenges has been finding individuals capable of understanding and managing such risk. Since insurance agents or brokers who only provide insurance advice to their clients do not fit the bill, corporate decision makers only have a couple options:

1. Salaried employees who can learn to manage a wider scope of risk for their company than traditional risk managers (often chief financial officers or treasurers); and
2. Independent consultants who provide comprehensive Enterprise Risk Management services.

Individuals who perform at this level are called CRO’s. They are in very high demand today and typically are drawing salaries even higher than the CFO. As time progresses, I expect that there will be a lot of CRO’s working on a consultancy basis since smaller firms won’t be able to find, much less afford individuals qualified to identify, assess, and control all of the risks in a business enterprise. Obviously, such individuals must be very specialized in a particular industry to serve their clients well.

To choose the best type of risk manager for their companies, corporate decision makers must now consider the potential increase in profits that the adoption of the Enterprise Risk Management process can bring. For those early adopters, employing an experienced professional in Enterprise Risk Management is the key to real benefit. If that person is a consultant, he can be used as the de facto enterprise risk manager who can be relied upon to retrain traditional risk managers already on staff so they can gain the full knowledge of how to control risk across the enterprise. As time will tell, the true risk manager will not be the traditional insurance professional who addresses Hazard risk, but will be the individual who can address Operational, Financial, and Strategic risk as well. That is how risk management is evolving and what is expected of a risk manager in many companies today.

Thus, will the real risk manager, please stand up!

By:  David F. Druml, ERM Specialist a My Risk Control, LLC

Excerpts from “Journal of Risk Management of Korea Volume 12, Number 1” D’Arcy, Stephen P., Professor of Finance, University of Illinois at Urbana-Champaign, May 30, 2001

This weeks Case ‘n Point (and first ever) reveals the painful truth about being too relaxed with risk control. The lesson of our story illustrates how Enterprise Risk Management is shadowed by its own success. As always, the names of those involved have been changed.

The Risk Victim
Xcavator Inc has been in operation for just under a decade. Its strong reputation places it on top of local GCs’ calling lists when excavation and grading work is needed. Unfortunately, management is a bit closed-minded to installing risk control procedures.  Xcavator Inc has been lucky during its last few years of growth and has grown a little cavalier, mostly due to effects of the success paradox. But all games of Russian Roulette must come to an end.

The Risk Impact
While grading for a public works project, Xcavator Inc hired a third-party to off haul dirt from the construction site. The expense for off hauling dirt wasn’t part of the original contract, but Xcavator received a verbal change order from the public agency’s construction manager to incur the extra cost.

The bill for off hauling came to $20,000 and Xcavator Inc added the additional expense to its next invoice. But the public angency rejected the extra cost, stating that it hadn’t approved the change order. Xcavator Inc tried to produce a valid change request, but since the order was verbal, none could be produced. And to compound matters, the construction manager who had given that verbal order was no longer with the agency.

The Lesson
Faced to absorb the $20,000 expense, Xcavator Inc management set out to lay blame. Ultimately, the superintendent had blame for ordering the hauling company to begin work. With proper controls, there should have been at least two responsible parties: the superintendent making a request and the project manager approving the request.  Lack of a written change request should have been a red flag for one or the other responsible parties. This weakness would have been uncovered by the MyRiskControl system during a review of the Contract Non-compliance risk factor.

This story helps illustrate how Enterprise Risk Management shadows its own success. Xcavator Inc learned a hard lesson. Whether it begins to get serious about installing risk controls has yet to be seen. But even if it does, the reward for installing controls after a disaster is greatly reduced. However, if the controls were in place from day 1, we would never know the value Enterprise Risk Management can have.