An Enterprise Risk Management Provider

About Risk

The MyRiskControl Difference

What options are available for controlling risk in my Company?
Until now, companies had three choices for implementing risk controls:
1. Hire a risk management firm to provide risk management services to the company. Risk management firms provide consultants to identify and assess risk, make recommendations to clients about handling risk exposures, and implement risk controls. Risk management firms are often highly specialized in targeted industries and targeted areas of risk.
2. Hire an internal Risk Manager as an employee of the company. A Risk Manager is responsible to identify risks, develop an action plan, engage other employees in the process and implement risk controls in the company. Risk controls are installed by implementing business practices or changes. Most often the resources for implementation are derived from scratch or purchased after conducting research.
3. Ignore risk exposures
MyRiskControl allows companies to reduce the cost of risk control implementation by spreading a risk control culture throughout the organization. In this way, various responsible parties can be given control over the risk in their area of expertise. In the construction industry, the following risk categories and responsible parties comprise the Enterprise Risk Management (ERM) function:

We Make
Contractors
More Profitable
Start Now with a
FREE Business Analysis
Perform a Business Analysis - Receive Your Custom Report
Improve Your Operations

Strategic Risk

Business Approach (CEO/President): Effective planning ensures an organization is headed in the right direction. Implementing sound business policies and practices drives company profitability and make its future more secure.

Operational Risk

Sales Methodology (Sales Manager): Using prudent sales strategies and techniques is the key to developing beneficial customer relationships and a desirable reputation. Lacking either can lead to costly relationships and great difficulty achieving profitable work.

Bid Process (Chief Estimator): While it’s true that money is made or lost in the field, there must be enough money to start with. Utilizing consistent decision-making processes and techniques to win and launch new projects is a key to dependable job profitability.

Accounting Procedures (Accounting Manager): Financial statements drive critical decision making. Strict accounting procedures can ensure that job cost and other financial reports are accurate and reliable. Decisions based on inaccurate financial data are a key cause of business failure.

Construction Management (Construction Manager): Money is the lifeblood of an organization. Having strong controls in place can greatly increase job profitability and decrease the cost of purchases immediately improving cash flow.

Helping Contractors
Grow and Profit
Stay Informed,
Stay Ahead
Signup for the Contractor NEWSLETTER

First Name:

Email:

Information Transfer (IT Director): Intelligently applied technology enhances productivity and efficiency. Having systems in place that leverage IT to improve communication and securely move data ensures the organization will have fast, consistent, and efficient access to information.

Financial Risk

Credit Status (CFO/Controller): Creditors and guarantors have a high expectation for specific behavior to maintain positive relationships with them. Failing to meet expectations can cause irreparable harm to a company reliant upon outside parties for support.

Hazard Risk

Insurance Coverage (CFO/Controller): Unanticipated events often lead to monetary loss when not properly insured against. Following sound practices and procedures to secure the needed insurance coverage avoids potential liability and provides financial protection at a minimal cost.

Safety Practices (Safety Manager): Accidents lead to a poor safety record, higher insurance costs, and lost bid opportunities. Effective safety plans, programs and practices are trademarks of an organization that cares about the well-being of both its personnel and others, and therein reaps the benefits.

The MyRiskControl system gives each of these individuals the tools they need to assess risk, obtain recommendations and resources, implement risk controls, and monitor progress.

Steps in the Enterprise Risk Management Process

Enterprise risk management seeks to maximize shareholder value in a company. It is a relatively new term used to include all the areas of risk that were previously fragmented. Risk was lumped into four domains: hazard, financial, operational, and strategic. Although these domains are still applicable to risk management discussions and developments, each came about when a particular discipline realized they could capitalize on a domain of risk. One example being the insurance industry. Hazard risk was a good framework to sell the many insurable risks for which they already provided coverage. By combining all four domains, enterprise risk management offers streamlined solutions across all domains and acknowledges that risk is not domain independent. It was not until enterprise risk management gathered the four domains that it became the continuous process that makes it so effective. The process is as follows:
1. Risk Identification
2. Risk Analysis (Risk Analysis, Quantification, Interpretation, Report)
3. Risk Response
4. Risk Control
5. Risk Monitoring
Risk Identification

Risk Identification is the detection and recognition of risk factors. A risk factor is an event or condition that, if encountered, causes financial harm. It is best for risk factors to be in the simplest unit of risk possible. An example will help illustrate this point. Let us look at the management team. What possible risk could be present? Our first concern would be the risk of a changing management team. If we take a moment to think, we can see that there are two smaller units of risk: the sudden loss of a key-person and finding a replacement for a key-person. We’ve now identified two risk factors. The smaller portions allow a company to implement clear and concise action plans for each. It also ensures that no detail is hidden or missed. The sudden loss of a key-person may be addressed through insurance coverage while the replacement of a key-person requires advanced succession planning. Each solution is very different. If we had not separated the two risk factors, we might have tri ed to apply one solution. Only one risk factor would have been solved, while the other would be unchecked.

Enterprise risk management is a continuous process that forces us to revisit each step. A good enterprise risk manager will acknowledge that new risk may arise or risk factors were not fully identified.

Risk Analysis

Risk Analysis begins by taking a single risk factor. Analysis will take subjective information and convert it to a quantitative score. To quantify risk, one must determine the possible financial impact and the likelihood of occurrence. A third piece of information, the current conditions within a company, can be gained through an assessment. These three pieces of information calculate a score that not only allows a company the ability to benchmark across the construction industry, but also an ordered list of risk factors based on importance to a specific company.

When risk analysis is revisited, the most common variable to re-examine is the current conditions within a company. If risk control has been successful, current conditions will have improved and the score for a risk factor is improved. Possible financial impact and the likelihood of occurrence strive to be universals. They are not exempt from re-examination; however, they are less likely to change.

Risk Response

Risk Response is unique to each company. It is a structured action plan to address the risk factors. It selects which risk factors to deal with, the individuals who will address each factor, and the goal to be accomplished for each factor. Depending on the size of a company, risk response will determine the resources available. Smaller contractors may have less labor hours to dedicate while larger firms could hire a new individual. The same consideration is made for financial resources. It is easy to see how this step is revisited each time an adjustment is made to the entire enterprise risk management process.

Risk Control

Risk Control implements a solution that will ultimately reduce or transfer risk. Solutions have many different needs. Some solutions require a new document or form that will be used in daily operations. Others require lengthy business plans outlining corporate change or hours of research used towards making a decision. If there is more than one solution, weigh the cost on available resources to choose the best fit for the company. Do not overlook the value of outside help. Each company has only one set of experience, while construction specialists will have examined and helped many companies. The goal is preventative risk control, not reactive risk control. Revisit risk control when a solution is not effectively working or to improve operations by setting a higher goal.

Risk Monitoring

Risk Monitoring is vital to realizing actual gains from the entire enterprise risk management process. Although simple, ensuring that solutions from risk controls are being incorporated and accepted will provide the most return. It is too easy to be complacent with an implemented solution only to have it shortly forgotten. Without monitoring, enterprise risk management will be viewed as an expense that only has a residual “feel good” mentality.

History of Enterprise Risk Management

1. History of Enterprise Risk Management

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Consultants are advertising their ability to perform enterprise risk management. Seminars devoted to this topic are being conducted to explain the process, provide examples of applications and discuss advances in the field. Papers on enterprise risk management are beginning to appear in journals and books on the topic are starting to be published. Some universities are even starting to offer courses titled enterprise risk management. It appears that a new field of risk management is opening up, one requiring new and specialized expertise, one that will make other forms of risk management incomplete and less attractive.

2. Definition of Enterprise Risk Management

Enterprise risk management is, in essence, the latest name for an overall risk management approach to business risks. Precursors to this term include corporate risk management, business risk management, holistic risk management, and integrated risk management. Although each of these terms has a slightly different focus, in part fostered by the risk elements that were of primary concern to organizations when each term first emerged, the general concepts are quite similar. Enterprise risk management is defined as:
"The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short and long term value to its stakeholders."
The types of risk subject to enterprise risk management are enumerated as hazard, financial, operational and strategic. Hazard risks are those risks that have traditionally been addressed by insurers, including fire, theft, windstorm, liability, business interruption, pollution, health and pensions. Financial risks cover potential losses due to changes in financial markets, including interest rates, foreign exchange rates, commodity prices, liquidity risks and credit risk. Operational risks cover a wide variety of situations, including customer satisfaction, product development, product failure, trademark protection, corporate leadership, information technology, management fraud and information risk. Strategic risks include such factors as competition, customer preferences, technological innovation and regulatory or political impediments. Although there can be disagreement over which category would apply to a specific instance, the primary point is that enterprise risk management considers all types of risk an organization faces.

A common thread of enterprise risk management is that the overall risks of the organization are managed in aggregate, rather than independently. The level of decision making under enterprise risk management is also shifted, from the insurance risk manager to the chief executive officer, or board of directors, who would be willing to address all forms of risk.

Basically, though, enterprise risk management simply represents a return to the original roots of risk management, a field that was first developed in the 1950s by a group of innovative insurance professors. The first risk management text, presciently titled Risk Management and the Business Enterprise, was published in 1963, after six years of development, by Robert I. Mehr and Bob Hedges. As initially introduced in this text, the objective of risk management is, "to maximize the productive efficiency of the enterprise.” The basic premise of this text was that risks should be managed in a comprehensive manner, and not simply insured. But how did we get so far away from this premise?

3. Historical Development

Risk management has been practiced for thousands of years. One can imagine a proto-risk manager burning a fire at night to keep wild animals away thereby reducing the risk of attack. Very early on, lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices, or after the introduction of fire insurance in 1667, by shifting it to an insurer. However, it wasn't until the 1960s that the field was formally named, principles developed and guidelines established. Robert Mehr and Bob Hedges, widely acclaimed as the fathers of risk management, enumerated the following steps for the risk management process:
- Identifying loss exposures
- Measuring loss exposures
- Evaluating the different methods for handling risk
  - Risk assumption
  - Risk transfer
  - Risk reduction
- Selecting a method
- Monitoring results
Initially, the risk management process focused on what has been termed "pure risks.” Pure risks are those in which there is either a loss or no loss. Either something bad happens, or it doesn't. A typical example of a pure risk is ownership of a house. Your house may burn down, be hit by an earthquake or be infested by insects. If none of these, or other, unfavorable developments occur, then you are in the no loss position. This is no better than where you started, but no worse either.

Pure risks were the initial focus of traditional risk management for several reasons. First, the field of risk management was developed by individuals who taught or worked in the insurance field, so the focus was on risks that insurers would be willing to write. In fact, some risk managers job duties have historically been limited to buying insurance, an unfortunate limitation since many other options are readily available and should be explored. Another reason for the focus on pure risks is that in many cases hazards represented the most serious short term threats to the financial position of an organization at the time this field was founded. A fire could quickly put a firm out of business. Efforts to reduce the likelihood of a fire occurring, or to minimize the damage a fire would cause, or to establish a contingency plan to keep the business going in the event of a fire, or to purchase an insurance policy to compensate the owners for the damages caused by a fire, were easily seen to be beneficial to the firm. Finally, there were simply not a lot of reasons or options for dealing with other types of risks.

Given the primary risks facing businesses were hazard risks, the initial focus of risk management was on these types of risks. Risks were quantified, the evaluation of different methods of dealing with risk was advanced and standardized, and an extensive terminology for managing risk was developed. Such terms as maximum possible loss (the largest loss that could occur) and maximum probable loss (the largest loss that is likely to occur) were introduced to help define risk exposure. Probability and statistical analysis were used to estimate the range of likely losses and the effect of adopting steps to mitigate these risks.

Risk managers did their job quite effectively. Firms almost universally handled their hazard risk in an appropriate manner. When they didn't, such as the MGM Grand Hotel that found it was not adequately insured for liability coverage after a major fire, new methods of handling risk, in this case retroactive insurance, were developed (Smith and Witt, 1985). Rarely did companies face financial ruin as a result of failure to manage their hazard risks effectively.

Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades. Volatility in foreign exchange rates, prices and interest rates caused financial risk to become an important concern for institutions.

Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was because risk managers had built a wall around their specialty, called pure risk, within which they operated. When a new risk area emerged, they did not expand to incorporate it into their domain. To do so would have required learning about financial instruments and moving away from the type of risks commonly covered by insurance. This would have been a bold move, but one that the innovative thinkers who developed risk management would have espoused. This failure was costly to organizations, and to the risk management field. With the emergence of enterprise risk management, traditional risk managers will be pushed into a wider arena of risk analysis, one that incorporates all other forms of risk analysis. Thus, the refusal to expand into other areas of risk does not prevent risk managers from having to learn about other forms of risk management, it has simply delayed it by a number of decades.

The basic rule of risk taking, whether it is hazard risk, financial risk, or any other form of risk, is that if you do not fully understand a risk, you do not engage in it. The same holds true for applying risk management. This basic rule, unfortunately, is violated by risk managers consistently with promises of impressive savings or returns. Regrettably, many individuals as well as corporations have fallen into this trap.

4. The Skills Required for Enterprise Risk Management

In assessing the potential losses an organization could experience, many items not covered under hazard risk must be considered. For example, the company could suffer a significant loss if the chief executive officer were to step down and an adequate replacement could not be found, or the reputation of one of the company's key products could be tarnished by a serious loss (Firestone tires, for example), causing the company to incur significant monetary losses. If the firm is found liable for underpaying taxes by losing a tax dispute, the required payment could be extremely large. A labor dispute could severely impact a firm's operations. A failed merger could have repercussions that put the firm into a worse financial position than it was in before the negotiations commenced.

Since enterprise risk management involves so many different aspects of an organization's operations, it does not allow traditional risk managers to remain focused only on hazard risk. The primary challenge is to examine all risks that an organization faces, and not just focus on those that are insurable. In order for risk managers to be effective, each will have to understand the risks, the language and the approach of each business area, either alone or as a team. If as a team, the team leader will need to have a basic understanding of all the steps involved in the entire process and the methodology used in each business area.

To gain an appreciation of how a wider set of risks may impact an organization simply consider how flawed decisions based on incorrect, untimely, incomplete, or unreliable accounting information can impact an organization, or how corporate decision making can cause the inefficient or ineffective use of resources, or how fraudulent transactions or non compliance with relevant laws and regulations can cause financial loss and exposure. It is most probably impossible and actually not desirable to address all risks because the cost would be unjustifiable and extraordinary, but when management fails to address those that can cause irreparable damage, it is grossly mistaken. Therefore, identifying risks that pose the greatest consequences if not addressed should be accomplished and ways of transferring or reducing the risk should be sought, or accepted if the cost is unjustified. Clearly, traditional risk managers will need to obtain additional skills to be involved with enterprise risk management.

5. The Steps of Enterprise Risk Management

Enterprise risk management actually represents a return to the roots of risk management. However, gaining the ability to quantify exposures with a far less sophisticated approach than can be used for most hazard and financial risks presents new challenges. Although consideration of operational and strategic risk is important, the lack of data and the difficulty in predicting the likelihood of a loss or the financial impact if a loss were to occur make it hard to quantify many risks a firm faces. That in itself is the challenge that enterprise risk management provides. Nevertheless, the basic approach of identifying, measuring, evaluating, controlling and monitoring risk remains the same. The steps of enterprise risk management are quite familiar to traditional risk managers. Most commonly they are:
- Risk Identification - Identify risk on an enterprise basis
- Risk Analysis – Measure and report risk exposure
- Risk Response - Formulate strategies to limit risk
- Risk Control - Implement strategies
- Risk Monitoring - Monitor results
- And repeat…
Except for minor changes in wording, the steps of enterprise risk management are the same as those first enumerated by Mehr and Hedges in 1963. Enterprise risk management is risk management applied to the entire organization. The basic approach, the goals and the focus of enterprise risk management are the same as those that have worked so effectively for traditional risk managers since the field was first developed.

6. Conclusion

Enterprise Risk Management is not truly a new form of risk management; it is simply recognition that risk management means total risk management, not some subset of risks. It is important to understand that the process of addressing risks is not stagnant. Business risks increase and change as the operational environment changes. New technologies, fierce competition, decentralized accountability, external scrutiny, and cost reductions all present new risks and continually challenge solutions already implemented. The new focus on the concept of enterprise risk management provides an opportunity for risk managers to apply their well established and successful approaches to risk on a broader and more vital scale than previously. This is an excellent opportunity to advance the science of risk management.

7. References

AbouRizk, Simaan. "Risk and Uncertainty in Construction," presented February 21, 2003.
(URL: http://www.construction.ualberta.ca/papers.shtml)

D’Arcy, Stephen P. and Brogan, John C. (2001). "Enterprise Risk Management." Journal of Risk Management of Korea, 12(1), pp. 207-228
(URL: http://www.casact.org/education/oncourses/erm-lecture1.pdf)

Duff, Michael A. and Reid, David R. "Operational Risk Management: A Holistic Approach." CFMA Building Profits, September-October 2001, pp. 20-30.
(URL: http://global.marsh.com/documents/operationalRisk.pdf)

Enterprise Risk Management Committee of Casualty Actuarial Society. "Overview of Enterprise Risk Management." Casualty Actuarial Society, Summer 2003, pp. 99-163.
(URL: http://www.casact.org/pubs/forum/03sforum/03sf099.pdf)

Heil, Karl. "Risk Management. " Encyclopedia of Management.
(URL: http://www.referenceforbusiness.com/management/Pr-Sa/Risk-Management.html)

The DGR System

The scoring system used by MyRiskControl is licensed from Druml Group, Inc., a firm with over fifteen years of experience measuring risk within construction companies. The patent pending Druml GRoup Risk Analysis System presents a standard for assessing and analyzing forward looking risk in a business enterprise. MyRiskControl uses the DGR ("digger") System as part of its comprehensive approach to deploying ERM within companies. The "digger" score ranges from 300 to 800, with viable construction risks usually scoring no less than 500 and having a mean risk of 725. To simply identify the overall risk present within a construction company, the "digger" system uses a color coded means to rate a construction company as follows:

Red "digger" Rating - DGR score 300 up to 525: Contractors in this range can expect to receive resistance from banks and sureties to extend credit. The companies may find it difficult to fund ongoing work and meet debt obligations. A complete restructuring may be in order and outside assistance is almost assuredly required to control risk.

Blue "digger" Rating - DGR score 525 up to 675: Contractors in this range can expect to find it difficult to convince banks and sureties to extend credit, however not impossible. Companies may encounter pressure to prepare business plans, produce routine financial information, establish a WIP process and institute job cost controls. Meeting these requirements may seem burdensome, however management must embrace these improvement measures to decrease risk and maximize profitability. The contractor will be expected to reduce reliance on a line of credit over time. Credit from vendors and suppliers will be limited and potentially cut off due to late payments.

Silver "digger" Rating - DGR score 625 up to 775: Contractors in this category can expect to produce more accurate financial information and prevent Work in Progress reports from exhibiting profit fade. In general, banks and sureties will welcome business with such companies but expect performance results to align with their expectations. Sales volume will likely be on the rise and the contractor will be expected to maintain controls in place as revenue increases. Performance of projects will be more closely scrutinized by those granting credit, particularly sureties. Vendor, supplier and subcontractor relationships will be healthy and well maintained.

Gold "digger" Rating - DGR score 775 up to 800: Contractors in this category will be sought after by banks and sureties. The contractors will typically be flush with cash, performing a large amount of volume, and controls will be well established. Jobs incurring a loss will be infrequent and generally unexpected. Banks and Sureties will negotiate on rates and terms, possibly waiving personal guarantees. The companies will exhibit consistent profitability on jobs and obtain the most attractive discounts from vendors and suppliers. Subcontractors will seek to do business with the entity. Failure risk is low if the contractor does not deviate from specialties or resident geography.