Managing Risk: A Guide For Your Business Client, Part 2 Of 4

A policy statement expresses goals, directions, attitudes, and structure. It does not discuss procedures. Procedure specifies how policy is to be carried out.

This distinction is important because risk managers sometimes oppose a written statement of policy in the belief that it will restrict their discretionary latitude. The opposite is true. A well-planned statement of policy delineates their field of operations (necessarily a broad one) and gives them the authority they need. It should greatly enhance their ability to obtain the necessary cooperation from other departments.

Few public agencies have a written policy statement, generally because the subject has not been brought to their attention or they haven't thought through the possible benefits. But a written policy statement, if prepared properly, can be of great value for these reasons:

• Committing goals and directions to writing clarifies them for everyone.
• It focuses attention on fundamentals, bringing out ideas that otherwise might not be expressed.
• It forces administrators and department heads to think about the subject, not only developing ideas but developing an appreciation of risk-management needs.
• It specifies clearly where responsibility and authority lie, opening up lines of communication and forestalling duplicate efforts.

Policy statements should state:

1. What risk management encompasses (insurance, loss prevention, claims adjusting, risk identification, and so on) and its importance to the entity.
2. The place of risk management in the organization's structure.
3. The scope of authority and responsibility not only for the risk manager but for everyone whose work encompasses some risk-management activity. It clarifies the status of:

• Insurance purchasing
• Broker or agent selection
• Safety responsibility
• Fire protection design
• Claims administration
• Lines of communication

4. The extent to which the organization is willing to accept risk without insurance. This 'tolerable loss limit' is valuable in two ways. First, it indicates how large deductibles may be and what properties or risks may be deliberately uninsured. Second, it indicates the point at which management believes financial dislocations would result, indicating the need for insurance.
5. Methods by which funded reserves may be utilized.
6. Policy regarding in-house vs. contract services, such as for watchmen, claims adjusters, loss prevention specialists, and so forth.
7. Policy regarding certain risks, such as the number of executives allowed to fly in one airplane.
8. Insurance bidding or marketing policy, such as a limit on bidding no more than once every six years.
9. The extent to which federal disaster relief will or won't be relied upon.

The risk manager normally prepares the first draft, after consulting with all parties involved, because he or she is the one most intimately acquainted with the details. The risk manager then submits it to principal administrators, who may recommend changes or additions. When all persons concerned have given it their full consideration and approval, it's ready for promulgation by the board or chief executive officer.

The first step in risk management is to know what your risks are. Obvious as that may sound, it's not at all easy to put into practice.

The first step is to assign responsibility. Someone must be identified as the risk manager in addition to his or her normal title. In carrying out the function, a risk manager without much experience will need outside assistance-possibly a consultant, but more commonly an insurance agent or broker.

The goals of risk identification are:

• Determine what types of losses (fire, earthquake, flood, computer impairment, loss of records, and so on) are significant.
• Assign an approximate value to their potential magnitude. This will indicate the minimum amount of insurance needed and whether the risk is small enough to be handled without insurance.

The risk manager (and advisers, if any) will employ a number of techniques:

The first and far most important step is to gain a thorough understanding of the organization and all its activities. The annual budget may help in this, because it not only details all activities but gives an idea of their relative importance.

Discussions are necessary with all who have activities relating to risk. This may include:

1. The chief administrative officer, for an overview of the activities and a clear view of what's most important
2. The chief financial officer, for details on cash flow, reserves, location of money or securities, and extent to which loss might be assumed without financial pain
3. For large firms, the engineer or public works director, for data on physical values, construction projects, construction contracts, and loss-prevention projects (design and maintenance)
4. The accountant, for information on cost allocations and more financial detail
5. Legal representatives, for information on contracts (hold harmless provisions and insurance requirements) as well as background on claims status and administration
6. Personnel representatives, for labor aspects (a union contract may have a provision regarding Workers Compensation in relation to other benefits, for example) and safety organization
7. The purchasing agent, to determine what contract terms exist for passing on or assuming liability for damage arising out of purchased products
8. Any medical personnel, nurses or doctors, for details of their activities that could lead to malpractice suits (Also, you'll want to know whether they carry their own Malpractice insurance.)

There's no substitute for walking through the physical plant. Things will appear that never show on paper, but it's important to know what to look for. Specialists in safety, fire protection, security, and boiler protection all see different things. Risk managers need to see them all. Obviously, they can't see the detail apparent to the specialist, but they can have a general understanding of all fields to put them in perspective.

For complex operations-say, a water-treatment plant-you may want to prepare a flow chart of the process. This is simply a diagram of what comes into the plant, internal flow, and what comes out of the plant as finished product. The object is to spot any bottlenecks and see what's important and whether loss of a single machine, building, or product could disrupt the entire operation.

A chart showing inflow of goods by truck, rail, or air can be prepared to show where a risk of loss lies. An arrow showing shipments in by truck can indicate by some mark where title to the goods passes. At that point, risk managers know that they, rather than the shipper, have the risk of loss.

Examination of property, liability, and Workers Compensation loss reports can provide clues as to what's happening. And safety people can say whether what has happened can still happen. Analysis over time can be most helpful in assessing current risks.

To keep up with the organization's activities, the risk manager should read many internal forms regularly. Examples are:

• Agenda and minutes of meetings of the board or supervisory body
• Contracts and leases
• Union agreements, which may have safety or Workers Compensation provisions
• Annual budget

A common aid to risk identification is a checklist of things to look for. Many are available, some as complex as a book-sized manual available from the Risk and Insurance Management Society. The most practical approach is to look at a few lists (available from insurance sources) and adapt them to your own situation.

The revenue statement and balance sheet can help identify assets. Although the figures shown are not suitable for insurance purposes, they can indicate amounts in their order of magnitude. For example, negotiable securities might show as an asset to remind risk managers that they may need some kind of protection or even insurance.

A firm needs limits as high as can be purchased, but there comes a point of diminishing returns. The prudent approach is to buy limits, which are about the same as those of comparable entities. Factors which bear on the decision are:

• How frequent are claims?
• How litigious is the community?
• What are comparable organizations doing?

No one knows what liability limit should appear on a policy. It needs to be only as high as the largest judgment that could be assessed against the organization. But who knows what that could be?

Don't overlook the need for intensive risk-identification procedures. It's easy to assume that everything is known and under control-but what you don't know can hurt you. Periodic monitoring, using all the tools mentioned above, is essential.