This was a prime example of the perception surrounding the terms “risk management” and “risk manager,” and how they’ve been equated solely to insurance coverage and insurance professionals in the past.   I’ve witnessed this misrepresentation of the terms so many times that I felt not just inspired, but a public obligation, to write this article and help clear the confusion with the terminology that began long ago.

PASSING THE SMELL TEST

In the early 1960’s, two professors, Robert Mehr and Bob Hedges, developed the concept of Enterprise Risk Management. These two could easily be called the Godfathers of Risk Management. They published the first text to fully address the subject of business risk, “Risk Management in the Business Enterprise.”  The book introduced how risk management of an entire business could maximize efficiency, which would result in greater productivity. The basic premise was that all business risks should be managed, not simply those that could be “insured.”

Suffice it to say that over time, the term “risk management” began to take on a more limited meaning, referring just to insurable risks (for a slightly more elaborate outline see history of enterprise risk management). Now, some 45 years later, many large public firms are finally returning to the original roots of risk management. The Risk Managers of these firms manage the risk exposures of the entire business, not just those risks that are insurable. Mehr and Hedges would be very happy about this if they were here with us today. And, I might add, this helps put my mind at ease as well.

You see, having been heavily involved in construction for much of my lifetime and having witnessed many different construction business failures, it became evident to me that the causes for each failure all boiled down to risk. However, it never seemed to make sense that insurance brokers and agents called themselves risk managers, especially since they only provided a form of management that addressed insurable risk. It just never sat right with me. First of all, they really didn’t address anywhere close to all of the business risks that exist. Second, out of all the business failures I had witnessed, none were the result of having too little insurance or poor loss control procedures. When I finally came to understand how risk management evolved over the years it was somewhat of an awakening.

THE ENTERPRISE RISK MANAGEMENT PROCESS

Robert Mehr and Bob Hedges came up with the steps for the risk management process, and the basic form is still in practice to this day:

• Risk Identification (Identify all the risk factors; all the possible causes for loss in a typical company)
• Risk Analysis (Analyze the risk; assess and measure the potential for loss in the company to be examined)
• Risk Response (Determine what to do; either assume, transfer or reduce the risk)
• Risk Control (Implement internal controls to reduce or transfer the risk)
• Risk Monitoring (Select a method for monitoring results and put it in practice)

As originally intended, risk management would encompass management of the entire business enterprise; hence, the field became known as Enterprise Risk Management (ERM for short). ERM requires examination of all risks that an organization faces and applies directly to four distinct types of risk: Operational Risk, Financial Risk, Strategic Risk, and Hazard Risk.

For the most part, only hazard risks are insurable.  Thus, insurance brokers should have called themselves hazard risk managers instead of just “risk managers”.  Now, with the reemergence of ERM, traditional insurance-based “risk managers” are being pushed into a wider arena of risk management, one that incorporates all other areas of business risk, many new forms of risk analysis, and a wider array of risk control mechanisms.

The primary challenge of expanding risk management across the enterprise is that, because it involves so many different aspects of an organization’s operations, traditional insurance-based risk managers (who focus only on hazard risk) are simply not qualified as enterprise risk managers. They simply don’t have the experience or expertise necessary to have a firm grasp of all aspects of a business, and there are already signs they are losing their hold on the “risk manager” title. In fact, the fastest growing position in the business world today is that of Chief Risk Officer (CRO). As ERM continues to filter down from public companies to smaller and smaller private companies, you can expect a CRO type individual to become part of every management team. After all, the adoption rate of the ERM process has already reached 40% in public firms.

In order for risk managers to evolve from insurance minded professionals to ones who understand the risks of an entire business enterprise, they will have to learn the language and the approach of each business area, either alone or as a team. If they are to act as a team, the team leader will need to have a basic understanding of all the steps involved in the entire process of risk management and the methodology used in each business area. Clearly, traditional risk managers will need to obtain additional skills to be involved with enterprise risk management.

TYPES OF RISK MANAGERS

There is no doubt Enterprise Risk Management is making its way from large public firms to firms in the private arena. It is being dictated by credit providers of large public firms as a result of Sarbanes-Oxley and, given the current credit environment, may soon be expected of private firms too. It may not be long until ERM becomes an expected and necessary way for all companies to operate.

Since risk management has expanded to cover risk across the entire enterprise, one of the largest challenges has been finding individuals capable of understanding and managing such risk. Since insurance agents or brokers who only provide insurance advice to their clients do not fit the bill, corporate decision makers only have a couple options:

1. Salaried employees who can learn to manage a wider scope of risk for their company than traditional risk managers (often chief financial officers or treasurers); and
2. Independent consultants who provide comprehensive Enterprise Risk Management services.

Individuals who perform at this level are called CRO’s. They are in very high demand today and typically are drawing salaries even higher than the CFO. As time progresses, I expect that there will be a lot of CRO’s working on a consultancy basis since smaller firms won’t be able to find, much less afford individuals qualified to identify, assess, and control all of the risks in a business enterprise. Obviously, such individuals must be very specialized in a particular industry to serve their clients well.

To choose the best type of risk manager for their companies, corporate decision makers must now consider the potential increase in profits that the adoption of the Enterprise Risk Management process can bring. For those early adopters, employing an experienced professional in Enterprise Risk Management is the key to real benefit. If that person is a consultant, he can be used as the de facto enterprise risk manager who can be relied upon to retrain traditional risk managers already on staff so they can gain the full knowledge of how to control risk across the enterprise. As time will tell, the true risk manager will not be the traditional insurance professional who addresses Hazard risk, but will be the individual who can address Operational, Financial, and Strategic risk as well. That is how risk management is evolving and what is expected of a risk manager in many companies today.

Thus, will the real risk manager, please stand up!

By:  David F. Druml, ERM Specialist a My Risk Control, LLC

Excerpts from “Journal of Risk Management of Korea Volume 12, Number 1” D’Arcy, Stephen P., Professor of Finance, University of Illinois at Urbana-Champaign, May 30, 2001

With respect to business, a risk factor is defined as an activity, practice or condition that can cause financial harm. Risk factors vary by industry.  For example, smoking is a risk factor in the medical world, specifically related to the health of an individual. It does not apply to a construction business. Likewise, failing to have a job cost system in place is a risk factor related to a construction business, but certainly is not a risk to an individual. Risk factors are also different across businesses. A risk factor related to overstocking perishables in a restaurant due to poor inventory control does not apply to construction. Poor humidity control is a risk factor in a flower shop but not in a restaurant.

As you can imagine, there are many different types of risk factors and for the most part they are specific to an industry.  Some risk factors are really important because the harm they can cause is great.  Other risk factors are of lesser importance because the harm they can cause is not so great, thus having a smaller impact. To actually determine the impact a risk factor can have (its importance), takes years of case study. But suffice it to say, importance varies.

What also varies is a contractor’s perception of the importance of various risk factors. Interestingly, the risk factors that a contractor usually thinks are important are the ones which it has experienced. While those the contractor thinks are unimportant are the ones it has yet to experience, and some of those can actually be very important.

Focus on Expertise

Now a case in point:

The particular contractor I mentioned at the beginning of this article was a General Contractor (the word “was” is telling). One of the risk factors he determined was of no consequence is taking on new types of work without prior experience. Another was estimating without historical data. In the months to come, this contractor decided that it could make more money by doing the rough carpentry work (framing) of buildings by itself rather than using subcontractors.

In California, there are separate companies that do framing and that is all they do. It is very competitive and the cost is simply driven on how fast carpenters can put lumber in place. This GC proceeded to bid three large school projects. Now it had done schools before, but never the framing. I personally advised against the approach indicating that the estimating staff did not have experience bidding framing work, that the estimating staff did not have any historical information on hand to rely upon, that the personnel were not in place to do the framing, and that the company had no prior experience doing the work. Well, this particular contractor looked at themselves as a risk taker. Indeed they were. The net result was as follows:

1. The contractor couldn’t man the jobs with experienced tradesmen.
2. The tradesmen they did hire ended up quitting because the quality of the work was so awful.
3. The agency made them do the work over because it was so shabby.
4. The union ended up picketing the sites because the GC was taking on framing work as a non-union contractor
5. The estimating department did not anticipate the rising cost of lumber because they were not connected into the framing world and did not know that dramatic increases were coming; thus they paid much more for lumber than budgeted
6. The estimated amount of labor hours was insufficient.
7. On one of the three jobs they had to ask another framer to step in to do the work because they could not put together the resources; the framer charged much more than what the GC had in its original bid.
8. All of the jobs were severely delayed resulting in liquidated damages and preventing one of the schools from opening on time for the fall classes enraging parents against the Agency.
9. The contractors money was held by each Agency for damages.
10. The contractor could not meet financial obligations.
11. The General Contractor finished the jobs, then dissolved and did not pay the subs and suppliers and did not have financial resources to go back to do punch list items or repairs.
12. The bonding company stepped in to pay subs and suppliers left hanging and to complete punch list and repair work.
13. The contractor went out of business. Game over.

This particular GC was in business for over seven years and had been quite successful. However,  GCs work on very tight margins. The contractor could ill afford to lose large money on the framing, but they did, and it cost them their business. That was all based upon risk factors that the contractor did not consider of importance.

Contract Review

Let’s look at another case in point:

A contractor performed steady work in a niche market and historically made good money, however it didn’t have a contract review procedure in place. In fact, this contractor had signed a contract without having reviewed it completely and was unaware of the insurance requirements. One of the requirements was for $5MM of pollution coverage, but the contractor only had $1MM in place. The contract was for repair of 450 balconies on a 40-story apartment complex. It had done this type of work on large structures before, but never for a building that did not have air conditioning.

During the summer months it became unusually hot while work was underway and many of the 450 residents had to keep their windows open because of the stifling heat, even while the contractor was chipping and grinding out the old concrete that needed repair. Concrete dust invariably drifted into some of the apartments. Simultaneously, the owner had given notice of eviction to a lawyer. To get back at the owner, he banded a bunch of the residents of the apartments together convincing them of great rewards, and proceeded to file a lawsuit against the owner for allowing cancer causing silica dust to harm the health of all of the residents. Since a lot of the residents were old, having little funds, and had little to do with their time, they had nothing to do but listen to an evicted attorney. Once the thought of cancer causing dust was put in their minds, even the invisible bothered them.

During that time, one of the residents who had chronic respiratory problems was hospitalized even though work was not being performed at the time near her apartment. This just fueled the claim that all the residents were being exposed to a major health hazard, even though open windows were being covered with a filter cloth. Unfortunately, the court approved the suit as a class action with all 450 residents represented. The owner in turn tendered the suit to the contractor only to find out that the contractor did not have $5MM of pollution coverage in place as called for in the contract. The contractor had no choice but to reject the tender and the owner began to pick up the attorney’s fees to defend itself.

Well, since the owner’s counsel was sure that they would ultimately recover the attorney’s fees from the insurance carrier, they showed up at every meeting and at every appearance with a fleet of staff attorneys, no less than four each time. The attorney’s fees for the owner went through the roof. Since the owner did not know if its own insurance carrier would even cover the fees or whether the contractor’s insurance carrier would eventually be forced to do so, the owner began to withhold large sums of money from the contractor’s payments. As a result, the contractor’s cash flow was severely impacted. The attorney’s fees grew to over five hundred thousand dollars and it surely looked as if the $1MM coverage limit would be exceeded. With little other options, the Contractor began making plans for a new company.

During this time, another risk factor came into play, one that contractors often pay little attention to, namely, computer backup. The contractor had a backup system in place for its server, but it wasn’t being checked. Well, the server went down. No problem, call the computer guy it fixed., right? Well, it wasn’t that simple, the hard drive had crashed. No problem, get another drive up and running and use the backup to restore it. Big problem, there wasn’t a procedure in place to check that backups were running properly and a backup had not run properly for almost a year.

The computer consultant tried to retrieve the data to no avail. Now the contractor has several problems going: (1) not getting paid on its largest job making the contractor go deep into its line like it never had before thus causing the bank to become so concerned as to request current financials, (2) unwillingness to bid additional bonded work because the owner did not want to be personally liable for bonded jobs if the company was to fail, (3) inability to provide work-in-progress reports or financial information to the bank or surety therein casting doubt (4) making the staff turn over to a completely manual process having lost all of its historical data and unable to resurrect current financial information, (5) and countless sleepless nights. Could it get worse? No, it got better.

After a month of down time Intel was able to recover the data, the contractor was able to produce financials, the accounting staff was able to get caught up, the class action lawsuit was dismissed after the owner’s attorneys had built up close to $750K of fees, the contractor’s carrier picked up the tab only causing the contractor to lose the $25K deductible, and the contractor did not have to start a new company, nor go broke. But what did it cost him?

Well, historically, this contractor made $250K in profit year after year. At the close of the fiscal year containing all of the problems, the company recorded only $24K in profit and opted to make up for the business lost during all of the distractions by taking on a big job in a different type of work. The jury is still out.

Moral of the Story

So, the contractor experienced the simultaneous consequence of uncontrolled risk related to two risk factors, one important one: review of contracts, and one not so important: computer backup. You can see how the consequence of two risks working together can cause havoc. Not being able to produce financials when both the bank and bonding company want to see them during tenuous times could have turned disastrous. But that is how risk works. The overall consequence of risk in a business is rarely the result of one uncontrolled risk, but instead, normally multiple uncontrolled risks working together. Sometimes the overall consequence may be caused by risk related to just a couple important risk factors, or maybe a lot of not so important risk factors, or maybe a mix of important and not so important risk factors. Any combination is possible and any combination can be a knock out punch. The graph below explains how.

We’ve established how risk factors vary in importance, and we’ve established that the overall consequence of risk in a business is almost always the result of the risk associated with multiple risk factors. We’ve established how contractors rarely recognize the ones that can and will hurt them, and we’ve established that even though a risk factor may seem of little importance it will usually work in conjunction with others to cause an overall consequence. In other words, we’ve established that even though a risk factor might only cause a small amount of financial harm when uncontrolled, all such risk factors do matter.

So the real question becomes: How do we lower the potential consequence of risk related to a multitude of risk factors in order to prevent loss or potential failure? The Answer: Adopt an Enterprise Risk Management (ERM) method of running your business. The ERM process identifies risks factors that might otherwise be unknown, establishes a way to assess the level of risk with respect to each risk factor, and determines what kind of controls need to be put in place to minimize risk and the potential consequences.

For a thorough understanding of ERM visit the about risk section of MyRiskControl’s home page. Take the available tours to learn how MyRiskControl helps a contractor implement practices, systems or procedures to control risk and then monitor risk on an ongoing basis. There is no question that implementing ERM in your company requires a change in philosophy, a change in thinking, and a call to action. But with ERM, you don’t have to do all the work yourself, it gets spread to the staff, and MyRiskControl makes that easy. It is the only total enterprise-wide solution to identify, assess, analyze, control and monitor construction risk. And remember, just because you choose to ignore risk, risk won’t ignore you.