In the Driver’s Seat

By starting the insurance purchasing exercise with a comprehensive analysis of a company’s risk profile, the risk manager — not the insurance market — controls the agenda and the outcome of the risk management process.

This approach is significantly different from past processes: in this new approach, risk management is viewed from an entirely different perspective. In the more traditional processes, companies hire brokers to provide advice on insurance coverage and placement. The brokers then provide the insurers with a submission containing exposure data, loss data and a description of the company’s operations. In the new approach, the company’s insurance purchasing decision is made, if at all, only after a complete and comprehensive analysis of the company’s exposures. The exposures to risk are identified, analyzed, quantified and matched to the company’s risk appetite.

The goal is to understand how the future strategic plans of the company will change their risk profile. Often companies begin the process by asking the questions: “How much is the insurance going to cost?” and “What deductibles can I afford?” Typically, insurance brokers will ask: “What insurance do you purchase?” and “When are your anniversary dates?”

Instead, the question should be asked: “What are the risks to the business enterprise that can adversely impact the balance sheet or the overall financial position and the company’s ability to operate?”

Insurance may be the most expedient way to manage risk. However, it is often the least effective way to manage the impact of risk. That said, insurance should be treated as contingent capital, working for the company to maximize the use of capital, if needed. And, if not needed for this purpose, insurance programs should be structured to minimize the impact of the cost to maintain or access this capital. Additionally, the broker should work with the risk manager to maximize the use of risk minimization tools and techniques, to measure the impact of these non-insurance tools and reassess the risk profile before discussing and measuring the impact of insurance.

HOW IT CAN BE DONE

Analysis Measure the impact of risk management decisions and plans, and compare this to the effect and impact on the company’s balance sheet (including the P&L statements of its divisions and locations). In order to do this, analyze:

• how the risk exposures fit into the understanding and perceptions of management;

• if there is a risk management policy in force, and if it is still embracing the company’s goals and objectives; • how the exposures have been identified and quantified in the past;

• how the risks are managed at present; and

• how future plans will affect the company’s risk profile.

Risk Management Process A risk management process is like any other business process: it’s a process of establishing goals and objectives, and identifying, analyzing, evaluating and treating risks in a structured way. The more a company does to identify and measure risk, the more successful it will be when it comes to managing risk. Following a structured process will improve the company’s confidence that it has enhanced its identification and quantification of risks. In addition to this confidence,

the company will have the knowledge to construct or refine its risk management program. As an added benefit, the process is supportive and complementary to an enterprise risk management [ERM] program.

In establishing this process, conduct a series of risk analytics and risk measurements that, when complete, position the company and its risk management program into the “best-in-class” status. The process may thus include:

• risk assessment, impact analysis and risk mapping;

• retained risk analysis and loss forecasting;

• workers’ compensation process analysis;

• high severity-low frequency modelling;

• comprehensive cost of risk analysis;

• D&O risk modelling; and a

• claim portfolio diagnostic analysis.

Tools are available commercially to aid with the process. One example of such a tool is called RAPID (the Willis Risk Assessment Probability and Impact Diagnostic), which uses a process that identifies, assesses and objectively prioritizes risks on an accelerated basis. It is designed to provide an efficient, effective understanding of the issues that may affect the successful outcome of a situation.

RAPID includes a self-assessment workshop designed to mine the knowledge of experts within energy companies about the risks they face. The purpose of the workshop is to identify organizational risks that could prevent the achievement of strategic objectives. The workshop also explores the nature and extent of these threats over a specified time period.

ARTICULATING RISKS

Although a great number of risks may be identified through the assessment, only those perceived to be of the greatest significance

are compiled in the company’s risk register. The register includes descriptive aspects of the most significant risks, such as triggers, consequences and the likelihood and impact of risk events. Of particular importance in describing each risk is the articulation of the company’s underlying vulnerabilities that either support or exacerbate each risk. Once all risks have been assessed in this manner, companies are able to connect and address the most significant risk drivers within the organization.

The process incorporates the following concepts:

Workshop-Based The principal element of data processing occurs in a facilitated workshop that appears to participants to be fluid and dynamic, but actually operates within a very structured framework.

Cross-Functional Teams Workshop participants are identified through collaborative discussion between the broker and the client project sponsor. The workshop team is comprised of individuals with different functional roles. By bringing together different business perspectives (perhaps for the first time) to focus on risks of the organization, we are able to generate a much deeper understanding of risks, including underlying causes often not readily apparent.

Consensus-Driven All data captured in the process is consensus- driven. The elimination of voting ensures the process output is based on the most reliable information possible — specifically, collective expert knowledge from within the organization. (Depending on the nature of risk being assessed, sometimes the involvement of external experts is suggested as well.)

Controls and Risk Mitigation For each risk scenario the workshop addresses, due consideration is given to controls and their effectiveness, as well as whether there are opportunities for cost-effective improvement. Risk aspects are discussed and defined according to the common risk language unique to the client — language that continues to evolve throughout the assessment process.

THE BENEFITS

Put simply, this methodology will help to maximize opportunities to lower program premiums, obtain optimum program terms and conditions, and develop tools and information necessary to support decisions. It is intended to help develop a rationalized approach that will satisfy a company’s board of directors and the requirements of corporate governance rulings.

Recently, this approach has generated total cost of risk savings in the range of 30-50% for some energy companies.