Risk is the potential for loss or injury to occur. The essence of good business decisions is the balancing of risks and potential gains. In fact, all decisions and their actions involve some amount of risk. The future is not certain. Harmful things can happen to us even when we do nothing. The same concerns regarding risk apply to business. It is not possible for managers to protect against all threats and their resultant losses; however, there are things that managers can do to lessen the chances of being the victim of unfortunate events. Often, we don't want to think about the negative side of life. It's important to consider these things and take action to protect ourselves and our business.
Risk management is the process of understanding and anticipating risks, prioritizing risks, choosing appropriate risk management tools, taking steps to reduce their impact on the business and the people within it, and finally periodically repeating this process to keep it updated. The two kinds of risk are pure risk, such as an earthquake or tornado, and speculative risk, which has the potential for profit. The field of business dealing with this area is called risk management. A company could be exposed to four kinds of losses: a) loss of property through theft or destruction of tangible or intangible assets; b) loss of income due to an accidental event that reduces revenue or increases expenses; c) legal liability to others such as employees or customers; and d) loss of key employee services through death or injury. The way to deal with risk is to anticipate it and have a plan to deal with it. Steps can be taken to minimize its impact on the business.
1. Identify potential threats. Make a list of as many potential losses as you can think of. Assign estimates of probabilities of these things happening. Answer the question: what damage would they cause if they did happen?
2. Assess and prioritize potential threats. To prioritize, have a look at the potential damages that could be caused and the probabilities of these things happening.
3. Select risk management tools. Have a written plan of action for each of the bad things that may happen. Can you do anything to help prevent them from happening in the first place? Can the chance of these things happening be reduced? Do you and your employees know what to do and who to call in the event that something does happen? Do you have insurance coverage?
4. Evaluate the results of your strategies. Review these risk management processes, strategies and plans and ask yourself if they provide adequate protection.
5. Revise and renew those strategies. Make changes to these processes, strategies and plans as needed.
Risk analysis is a method of identifying threats and threat agents and predicting the possible damage that could be caused, for the purpose of deciding if and what type of safeguards should be implemented. A cost/benefit approach is used in risk analysis. For example, it is not worth spending more money to protect an asset than the asset is worth. First, it is necessary to identify assets and assess how much they are worth. Next, identify the potential loss for each risk. Third, perform a threat analysis. Fourth, derive the overall loss potential per risk. Fifth, choose measures to counteract the risk. Sixth, reduce, assign or accept the risk.
Risk Management Tools
The four methods of handling risk are risk avoidance, risk assumption, risk reduction and risk transfer. Risk avoidance can be achieved by not doing something. For example, many large companies avoid doing business in countries they deem to be of higher risk than others. Risk assumption is the process of acknowledging the risk and accepting responsibility for it. Self-insurance is one way to do this. It can be achieved by setting up a fund to cover the losses. Risk reduction acknowledges that the risk cannot be completely avoided, but that actions can be taken to reduce the probability of loss occurring and to reduce the amount of the loss should damage occur. Putting the right safeguard in place can reduce the probability that a threat will exploit any vulnerabilities. Examples of these actions are having employee safety training programs and installing safety equipment such as alarm and sprinkler systems in case of fire. Another example would be having a security guard and an electronic security system in your store to reduce the chances that your store will be the victim of theft.
Transferring the Risk to an Insurance Company
Taking out insurance is the most common way of dealing with risk. In certain situations, having an insurance policy will be required by law. The insurance company will establish a premium that the business will pay to provide the necessary coverage contracted at a calculated probability of the event occurring plus a margin for profit and administrative expenses.
Not all risks are insurable and some are only available at very high premiums to the point that some organizations prefer to self-insure. To be insured the risk must not be the result of the actions of the insured, the loss must be calculable and the cost of insuring feasible, others must face the same risk, the peril must be unlikely to affect everyone at the same time and the potential loss must be significant to the insured.
Actuaries calculate the likelihood of the risks involved occurring and the underwriters decide what risks to underwrite or insure and what terms or fees to charge. Generally both roles focus on the rule of large numbers. For example, assume that the likelihood of the event occurring is 1 per 100 per year and the possible loss is $25,000. As a result each insured will need to pay $25,000 divided by 100 plus a percentage for the administrative costs and a margin for profit or error.
Sources of Insurance
Insurance is available from governments in forms such as pension plans that we are all covered by if we work, some health insurance, unemployment insurance, plus coverage for a few other risks depending upon what jurisdiction you live in. Private insurance companies can be either a stock company, owned by its shareholders, or a mutual company, owned by its policyholders.
Loss of property insurance usually covers loss due to theft or physical damage or destruction from accidents or natural events like earthquakes or floods. Losses due to dishonesty and nonperformance can be covered by fidelity and surety bonds respectively. Should a business' operations be interrupted as a result of such things as fires it may be covered by business-interruption insurance. Liability insurance is probably the most commonly talked about form of insurance as it helps cover claims under product-liability clauses as well as accidents on the business' premises among others. Professionals such as doctors use malpractice insurance while lawyers and accountants frequently carry another form of insurance to cover lawsuits from dissatisfied clients called errors and omissions insurance. Key-person insurance can be purchased to insure the firm from the loss of a key executive or technical person's expertise. Other forms of insurance can be acquired for benefits for employees such as life, disability, dental and health insurance.
Threat: A threat is any potential danger to an asset.
Threat Agent: A threat agent is anyone or anything that gives rise to a threat.
Vulnerability: A vulnerability characterizes the absence or weakness of a safeguard that could be exploited by a threat.
Risk: A risk is the loss potential, or probability that a threat will exploit a vulnerability. It is the likelihood of a threat agent taking advantage of a vulnerability.
Exposure: An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages.
Safeguard: A safeguard is something that lowers potential risk. A safeguard may even eliminate a vulnerability.
Risk Analysis Definitions
Exposure Factor (EF): Percentage of asset loss caused by an identified threat
Single Loss Expectancy (SLE): Asset Value × Exposure Factor
Annualized Rate of Occurrence (ARO): Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE): Single Loss Expectancy × Annualized Rate of Occurrence
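
The following Python sketch is an added example, not part of the original text. It applies the SLE and ALE definitions above to a small constructed risk register, ranks the risks, and picks reduce, transfer or accept for each. The decision rule, the 20% premium loading, the loss tolerance and all figures are assumptions made for illustration; the "store theft" entry reuses the 1-in-100, $25,000 case from the insurance discussion.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset_value: float   # dollars
    ef: float            # exposure factor: fraction of the asset lost per event
    aro: float           # annualized rate of occurrence: events per year

    def sle(self) -> float:
        return self.asset_value * self.ef      # SLE = asset value x EF

    def ale(self) -> float:
        return self.sle() * self.aro           # ALE = SLE x ARO

@dataclass
class Safeguard:
    annual_cost: float   # yearly cost of running the safeguard
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # rate of occurrence once the safeguard is in place

def premium(risk: Risk, loading: float = 0.20) -> float:
    """Expected annual loss plus a loading for admin costs and profit (20% is assumed)."""
    return risk.ale() * (1 + loading)

def decide(risk: Risk, sg: Safeguard, tolerance: float) -> tuple[str, float]:
    """Return (decision, annual cost). The rule itself is an assumption of this example."""
    residual = Risk(risk.name, risk.asset_value, sg.ef_after, sg.aro_after)
    net_benefit = risk.ale() - residual.ale() - sg.annual_cost
    if net_benefit > 0:                  # safeguard saves more than it costs
        return "reduce", sg.annual_cost + residual.ale()
    if risk.sle() > tolerance:           # a single loss is too large to absorb
        return "transfer", premium(risk)
    return "accept", risk.ale()          # self-insure: budget for the expected loss

# Constructed sample register; every figure is illustrative.
REGISTER = [
    (Risk("server room fire", 200_000, 0.5, 0.05), Safeguard(1_500, 0.1, 0.05)),
    (Risk("store theft", 25_000, 1.0, 0.01), Safeguard(30_000, 1.0, 0.005)),
    (Risk("laptop loss", 2_000, 1.0, 0.5), Safeguard(1_200, 1.0, 0.25)),
]

def plan(register=REGISTER, tolerance=10_000):
    """Rank risks by ALE (highest first) and attach a decision and annual cost to each."""
    ranked = sorted(register, key=lambda rs: rs[0].ale(), reverse=True)
    return [(r.name, round(r.ale(), 2), *decide(r, sg, tolerance)) for r, sg in ranked]

if __name__ == "__main__":
    for row in plan():
        print(row)
```

The theft risk has the lowest ALE yet is the one transferred, because its single loss exceeds the assumed tolerance while the guard costs far more than the loss it prevents.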