A CASE FOR RISK FIRST - INSURANCE SECOND
By: Mike Kelly, Partner AHT & Joe Gleason, Director of Risk Management, AHT
We’ve all heard the catchy insurance commercials about investing a few minutes of time and saving bundles of money. While fun to watch, this approach only strengthens the perception that insurance is merely a commodity. But, it isn’t just about TV commercials. Insurance brokers all too often pitch their strength as cost savings. From the insurance carriers’ perspective, they are almost entirely isolated from their clients. Having never met most clients, carriers receive an application, some claims data and financials annually. This information, coupled with a website, is all many carriers have to determine how risky an organization is, how much coverage they should offer and the total premium.
Such a process yields a result that people and organizations often dread and leaves their underwriter with an incomplete picture of the risk mitigation measures employed outside of those requested during the underwriting process. The client is likely engaging in a thoughtful risk management process and their underwriter is missing all of that pertinent information. There has to be a better way – right?
HERE’S AN IDEA: LET’S START WITH RISK
Organizations purchase insurance to transfer the financial impacts associated with risk. Some, if not all, organizations spend time, effort and energy daily on mitigating risk. The problem is the insurers rarely learn about the risk management work the client does and, when they do, it is all too often following an incident or claim.
A better approach: Build a relationship with underwriters and help them to understand everything the organization currently does proactively to manage risk.
Where does this start? Many organizations have a risk register or a risk map; however, all too often these are extremely complex, difficult to understand and not kept up to date. We’ve found that aiming for simple and concise reporting is a more effective means to drive risk management and can be more easily kept up to date.
Our recommended process includes:
- Identifying key risk stakeholders in the organization to form a risk committee or working group
  - It is important this is a cross-operational group.
  - For many organizations, this may be based around the audit committee, a senior leadership team or other standing body.
  - Consider individual interviews with key staff, including middle management and front-line staff.
- Scheduling a half day workshop with the specific intent of assessing 10–12 top risks of the organization. Keep the number manageable to use the time effectively.
  - Key elements of the workshop include:
    - Identifying the risks, articulating the context, who or what could be harmed and other details.
    - Rating the risks based on the likelihood of occurrence and potential impact of the risks. Doing so helps prioritize risk management: Those risks with significant impact will get more attention than lower impact events.
    - Reviewing what is already being done to mitigate each risk, including procurement of insurance for that risk and which of the risks require additional mitigation measures.
  - The more cross-operational the risk committee, the more difficult it may be to agree – but the discussion and debate can be valuable.
  - Consider having a third party facilitate this type of engagement. An independent perspective in the room can shake things up.
- Convening risk committee meetings on a regular basis (monthly or quarterly) over the next 12 months with two objectives:
  - Identifying and rating additional top risks to build out a high-level organization risk register using the process outlined in the workshop. Keep overall number of risks manageable to avoid creating a seemingly unmanageable challenge. For many organizations, 20-30 top risks will be the sweet spot.
  - Tracking progress on the risk mitigation of identified risks, including implementation of new measures, changes in plans and procedures, etc.

Over time, and once the core risk register is built, the frequency of meeting can be reduced (though no less than twice annually). In addition to adding new risks and revisiting older ones, as time goes on, these meetings can use tabletop exercises, such as critical incident response for items like:
- Pandemic Response
- Cyber Incident
- Crisis Event
Benefits of this approach include:
- Stronger Internal Communication – After detailed conversation, the key risk stakeholders should understand each other’s areas of responsibility much more deeply. This process goes a long way towards breaking down silos and developing a common language around risk, risk management and its role in organizational operations.
- Improved Risk Profile – The organization has a quick and easy way to understand what its key risks are and what is being done about these risks. This allows for quick execution when new risks emerge or existing risks change.
- Better Insurance Outcomes – The time, effort and energy invested in risk identification and mitigation allows for the broker to tell a very compelling narrative to the underwriters about why the client is a best-in-class risk and has the necessary documentation to illustrate the investment. This process allows the organization to build a direct relationship with key insurers, which includes phone calls and the occasional face-to-face meeting.
Taking a risk-first approach helps insurance carriers understand your complete risk story and better position your organization with underwriters should an incident occur. Engaging the right internal team and working with your broker to establish those relationships is critical to managing your complete risk and insurance profile.