UNIT – 2 Risk Management

What is Risk Management?

Risk management encompasses the identification, analysis, and response to risk factors that
form part of the life of a business. Effective risk management means attempting to control, as
much as possible, future outcomes by acting proactively rather than reactively. Therefore,
effective risk management offers the potential to reduce both the possibility of a risk
occurring and its potential impact.

RISK MANAGEMENT STRUCTURES

Risk management structures are tailored to do more than just point out existing risks. A good
risk management structure should also calculate the uncertainties and predict their influence
on a business. Consequently, the result is a choice between accepting risks or rejecting them.
Acceptance or rejection of risks is dependent on the tolerance levels that a business has
already defined for itself.

If a business sets up risk management as a disciplined and continuous process for the purpose
of identifying and resolving risks, then the risk management structures can be used to support
other risk mitigation systems. They include planning, organization, cost control,
and budgeting. In such a case, the business will not usually experience many surprises,
because the focus is on proactive risk management.

Response to Risks

Response to risks usually takes one of the following forms:

  Avoidance: A business strives to eliminate a particular risk by getting rid of its cause.
 Mitigation: Decreasing the projected financial value associated with a risk by
lowering the possibility of the occurrence of the risk.
 Acceptance: In some cases, a business may be forced to accept a risk. This option is
possible if a business entity develops contingencies to mitigate the impact of the risk,
should it occur.

When creating contingencies, a business needs to engage in a problem-solving approach. The

result is a well-detailed plan that can be executed as soon as the need arises. Such a plan will
enable a business organization to handle barriers or blockage to its success because it can deal
with risks as soon as they arise.

IMPORTANCE OF RISK MANAGEMENT

Risk management is an important process because it empowers a business with the necessary
tools so that it can adequately identify and deal with potential risks. Once a risk has been
identified, it is then easy to mitigate it. In addition, risk management provides a business with
a basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for
eventualities that may come in the way of progress and growth. When a business evaluates its
plan for handling potential threats and then develops structures to address them, it improves
its odds of becoming a successful entity.

In addition, progressive risk management ensures risks of a high priority are dealt with as
aggressively as possible. Moreover, the management will have the necessary information that
they can use to make informed decisions and ensure that the business remains profitable.

RISK MANAGEMENT PROCESS

The risk management process is a framework for the actions that need to be taken. There are
five basic steps that are taken to manage risk; these steps are referred to as the risk
management process. It begins with identifying risks, goes on to analyze risks, then the risk is
prioritized, a solution is implemented, and finally, the risk is monitored. In manual systems,
each step involves a lot of documentation and administration.

Here Are The Five Essential Steps of A Risk Management Process

1. Identify the Risk

2. Analyze the Risk
3. Evaluate or Rank the Risk
4. Treat the Risk
5. Monitor and Review the Risk

Step 1: Identify the Risk

The initial step in the risk management process is to identify the risks that the business is
exposed to in its operating environment.

There are many different types of risks:

 Legal risks
 Environmental risks
 Market risks
 Regulatory risks etc.

It is important to identify as many of these risk factors as possible. In a manual environment,

these risks are noted down manually. If the organization has a risk management solution
employed all this information is inserted directly into the system.

The advantage of this approach is that these risks are now visible to every stakeholder in the
organization with access to the system. Instead of this vital information being locked away in
a report which has to be requested via email, anyone who wants to see which risks have been
identified can access the information in the risk management system.
Step 2: Analyze the Risk

Once a risk has been identified it needs to be analyzed. The scope of the risk must be
determined. It is also important to understand the link between the risk and different factors
within the organization. To determine the severity and seriousness of the risk it is necessary
to see how many business functions the risk affects. There are risks that can bring the whole
business to a standstill if actualized, while there are risks that will only be minor
inconveniences in the analysis.

In a manual risk management environment, this analysis must be done manually.When a risk
management solution is implemented one of the most important basic steps is to map risks to
different documents, policies, procedures, and business processes. This means that the system
will already have a mapped risk management framework that will evaluate risks and let you
know the far-reaching effects of each risk.

Step 3: Evaluate the Risk or Risk Assessment

Risks need to be ranked and prioritized. Most risk management solutions have different
categories of risks, depending on the severity of the risk. A risk that may cause some
inconvenience is rated lowly, risks that can result in catastrophic loss are rated the highest. It
is important to rank risks because it allows the organization to gain a holistic view of the risk
exposure of the whole organization. The business may be vulnerable to several low-level
risks, but it may not require upper management intervention. On the other hand, just one of
the highest-rated risks is enough to require immediate intervention.

There are two types of risk assessments: Qualitative Risk Assessment and Quantitative Risk
Assessment.

Qualitative Risk Assessment

Risk assessments are inherently qualitative – while we can derive metrics from the risks,
most risks are not quantifiable. For instance, the risk of climate change that many businesses
are now focusing on cannot be quantified as a whole, only different aspects of it can be
quantified. There needs to be a way to perform qualitative risk assessments while still
ensuring objectivity and standardization in the assessments throughout the enterprise.

Quantitative Risk Assessment

Finance related risks are best assessed through quantitative risk assessments. Such risk
assessments are so common in the financial sector because the sector primarily deals in
numbers – whether that number is the money, the metrics, the interest rates, or any other data
point that is critical for risk assessments in the financial sector. Quantitative risk assessments
are easier to automate than qualitative risk assessments and are generally considered more
objective.

Step 4: Treat the Risk

Every risk needs to be eliminated or contained as much as possible. This is done by

connecting with the experts of the field to which the risk belongs. In a manual environment,
this entails contacting each and every stakeholder and then setting up meetings so everyone
can talk and discuss the issues. The problem is that the discussion is broken into many
different email threads, across different documents and spreadsheets, and many different
phone calls. In a risk management solution, all the relevant stakeholders can be sent
notifications from within the system. The discussion regarding the risk and its possible
solution can take place from within the system. Upper management can also keep a close eye
on the solutions being suggested and the progress being made within the system. Instead of
everyone contacting each other to get updates, everyone can get updates directly from within
the risk management solution.
Step 5: Monitor and Review the Risk

Not all risks can be eliminated – some risks are always present. Market risks and
environmental risks are just two examples of risks that always need to be monitored. Under
manual systems monitoring happens through diligent employees. These professionals must
make sure that they keep a close watch on all risk factors. Under a digital environment, the
risk management system monitors the entire risk framework of the organization. If any factor
or risk changes, it is immediately visible to everyone. Computers are also much better at
continuously monitoring risks than people.

The following are some of the areas that business owners can focus on to help manage the
risks that arise from running a business.

1. Prioritize

The first step in creating a risk management plan should always be to prioritize risks and
threats. You can do so by using a somewhat universal scale based on each risk's likelihood of
happening:

 Very likely to occur

 Some chance of occurrence
  Small chance of occurrence
 Very little chance of occurrence

Of course, a risk that falls into the top category should take priority over the others, and a
plan to prevent, or at least mitigate, these risks should be put into place. However, there is a
catch. If a risk falls into a lower rung yet presents the potential for more financial damage,
then it should take priority.

2. Buy Insurance

Assess liabilities and legal regulations to determine what types of insurance will be required
for your business. This might include:

 Life insurance
 Disability insurance
 Professional insurance
 Completed operations insurance

Buying insurance allows you to transfer your risk to insurance companies for a small cost,
especially when compared to the potential cost of uncovered risk.

3. Limit Liability

If you’re a sole proprietor, limit your liability by changing to a corporation or limited

liability company (LLC). In this type of structure, the owner of the business is not held
personally liable for the company's debts or other liabilities.1

4. Implement a Quality Assurance Program

A good reputation is imperative if you want a sustainable business. Customer service is key
to success. Be sure to test your products and services in order to assure the highest quality.
By testing and analyzing what you’re offering, you will have an opportunity to make
necessary adjustments. Also, strongly consider taking it a step further by evaluating your
testing and analyzing methods.

5. Limit High-Risk Customers

If you’re just getting started, immediately implement a rule that customers with poor credit
must pay ahead of time, which will avoid complications down the road. In order to do this,
you must have a procedure to identify poor credit risks far in advance.

6. Control Growth

This has everything to do with employee training. If you’re selling products and/or services
and you set lofty goals for employees, they might be tempted to take unnecessary risks,
which can lead to a bad reputation for your company. Instead, train your employees to focus
on quality, not quantity. By doing so, you will avoid the risk of declining sales due to high-
pressure sales tactics that customers don’t appreciate.
On a related note, while innovation is a key to success, you don’t want to innovate too fast.
If your company is constantly relying on the next innovation for growth, then a hiccup is
inevitable because not all new products and services will be successful.

7. Appoint a Risk Management Team

If you want to save capital by not having to hire an outside firm, and there is time available,
you can appoint current employees to head a risk management team. However, this would
only be wise if someone within the team has experience in this area and can act as a leader.

Otherwise, paying for an outside risk management team will be a worthwhile investment.
They will be able to map out all the risks to your company based on your type of business
and set up strategies to implement immediately if any of those risks become a reality. This
should lead to the prevention, or mitigation, of those risks and threats.

RISK MANAGEMENT STRATEGY FOR INDIVIDUALS

RISK MANAGEMENT TECHNIQUES FOR TODAY’S CHALLENGES

1. RISK IDENTIFICATION: BOWTIE ANALYSIS

Risk identification is often one of the first risk management techniques implemented by
organizations. It involves identifying the potential sources of harm or loss that can affect an
organization’s objectives. These sources are called hazards. Some examples of hazards are
fire, flood, theft, virus, or human error.

Bowtie Analysis is a visual risk identification technique that helps organizations identify 1) Hazard
2) A Top Event
hazards, assess their potential threats or consequences, and determine preventive and 3) Threat
mitigating measures. A bowtie diagram consists of four elements: a hazard (the source of scenarios
potential impact), a top event (the loss of control over the hazard), threat scenarios (the 4) Consequence
causes of the top event), and consequence scenarios (the outcomes of the top event). scenarios

The diagram resembles a bowtie, with the top event in the center and the threat scenarios on
the left, and the consequence scenarios on the right. The diagram also shows the barriers (the
controls or actions) that prevent or reduce the likelihood of threat scenarios or consequence
scenarios.

Risk analysis like the Bowtie Analysis helps organizations visualize and understand the
causal relationships between hazards, events, scenarios, and barriers. It also helps identify
gaps or vulnerabilities in existing controls and prioritize areas for improvement.

2. Risk Assessment and Prioritization: Risk Heat Maps

Risk assessment involves analyzing and evaluating the identified risks based on their impact
and likelihood. The impact is the degree of harm or loss that a risk can cause to an
organization’s objectives. The likelihood is the probability or frequency of a risk occurring.
Risk assessment helps organizations determine which risks are more important or critical than
others.

Risk Heat Maps are graphical tools that help organizations visualize and prioritize risks based
on their impact and likelihood. A risk heat map consists of a matrix with impact on one axis
and likelihood on another. Each specific risk is plotted on the matrix according to its impact
and likelihood scores. The matrix is divided into different zones (such as low, medium, high,
or extreme) that indicate the level of risk.

Risk Heat Maps help organizations allocate resources and focus on critical risks that require
immediate attention or action. They also help communicate risks to stakeholders in a clear
and concise manner.

3. Risk Mitigation Strategies: Hierarchy of Controls

Risk mitigation is when organizations select and implement appropriate measures to reduce
or eliminate the impact or likelihood of risks. These measures are called controls. Some
examples of controls are alarms, locks, fire extinguishers, backup systems, or training.

Developed by The National Institute for Occupational Safety and Health (NIOSH), The
Hierarchy of Controls is a framework for risk mitigation that ranks different types of controls
according to their effectiveness in reducing or eliminating risks. The framework consists of
five levels of controls:

 Elimination: The most effective control that removes the hazard or source of risk
completely.
 Substitution: The second most effective control that replaces the hazard or source of
risk with a less hazardous or risky one.
 Engineering Controls: The third most effective control that isolates or separates
people from the hazard or source of risk through physical means.
 Administrative Controls: The fourth most effective control that changes the way
people work or behave to reduce exposure to the hazard or source of risk through
policies, procedures, training, or supervision.
 Personal Protective Equipment (PPE): The least effective control of the five listed that
protects people from the hazard or source of risk through wearing appropriate clothing
or equipment.

One of the widely-used risk management techniques, Hierarchy of Controls helps

organizations select the most effective and feasible control measures for each risk. It also
helps avoid relying solely on PPE as a primary means of protection.

4. Risk Transfer and Insurance: Contractual Risk Allocation

Risk management techniques such as risk transfer are another option for implementing into
your risk reduction efforts. It is when shifting some or all of the responsibility or liability for
a risk to another party takes place. This can be done through contractual agreements or
insurance policies. Some examples of risk transfer are outsourcing, subcontracting, leasing,
indemnification, or insurance.
Contractual Risk Allocation is a risk control technique for transferring risks to other parties
through contractual agreements. It involves using clauses that specify who is responsible for
bearing certain risks and liabilities arising from a contract. Some examples of contractual risk
allocation clauses are:

 Indemnification Clauses: Clauses that require one party to compensate another party
for any losses or damages incurred due to a breach of contract or negligence.
 Hold-Harmless Agreements: Clauses that require one party to waive any claims or
lawsuits against another party for any losses or damages arising from a contract.
 Limitation of Liability Provisions: Clauses that limit the amount or type of liability
that one party can impose on another party for any losses or damages arising from a
contract.

Contractual Risk Allocation helps organizations manage risks by shifting them to other
parties who are better able or willing to handle them. It also helps reduce potential disputes
and litigation costs.

Insurance is another form of risk transfer. It involves paying a premium to an insurance

company in exchange for coverage or compensation in case of a loss or damage caused by a
risk. Some examples of insurance are property insurance, liability insurance, business
interruption insurance, or cybersecurity insurance.

Insurance helps organizations protect themselves from financial losses and recover from
adverse events. It also helps share risks with other parties who face similar risks.

5. Crisis Management and Response Planning: Business Impact Analysis (BIA)

Crisis management and response planning involve preparing for and responding to
unexpected or disruptive events that can threaten an organization’s objectives, operations,
reputation, or stakeholders. These events are called crises. Some examples of crises are fire,
flood, earthquake, pandemic, cyberattack, or scandal.

Business Impact Analysis (BIA) is a technique for preparing for and responding to such
crises. It involves identifying critical business functions (the activities essential for delivering
products or services) and analyzing their dependencies (the resources or inputs required for
performing them). It also involves estimating the impact (the loss or disruption) that would
result from each function being unavailable for a certain period of time.

BIA helps organizations prioritize critical functions and develop effective response and
recovery plans. It also helps identify alternative solutions or contingency plans for
maintaining business continuity in case of a crisis.

6. Risk Monitoring and Early Warning Systems: Key Risk Indicators (KRIs)

Successful risk management techniques like risk monitoring use strategies such as early
warning systems to assist with your risk-mitigating efforts. They involve tracking and
measuring the performance and effectiveness of risk management activities and controls.
Additionally, they relate to detecting and reporting any changes or deviations in risk levels or
conditions. These changes or deviations are called risk events. Some examples of risk events
are new risks, increased risks, decreased risks, realized risks, or missed opportunities.
Key Risk Indicators (KRIs) are metrics that help organizations monitor and track risks in real
time. They are derived from data sources that reflect changes in risk levels or conditions.
They are also linked to predefined thresholds or targets that trigger alerts or actions when
exceeded or breached.

KRIs help organizations identify emerging risks and take proactive measures to mitigate them
before they escalate into crises. They also help measure the effectiveness of existing controls
and improve risk reporting and communication.

7. Risk Communication and Stakeholder Engagement: Risk Workshops

Risk communication and stakeholder engagement involve sharing and exchanging

information and opinions about risks with relevant parties. These parties are called
stakeholders. Some examples of stakeholders are employees, customers, suppliers, investors,
regulators, media, or the community.

Risk Workshops are interactive sessions that involve key stakeholders in risk management
processes. They facilitate open dialogue, brainstorming, and collective decision-making
among participants. They also foster collaboration, trust, and accountability among
stakeholders.

Risk Workshops help organizations identify stakeholder expectations, perspectives, concerns,

and needs regarding risks. They also help align stakeholder objectives, roles, responsibilities,
and actions in risk management.

8. Risk Culture and Awareness: Training and Education Programs

Finally, consider attributing resources in your risk management plan towards focusing on
your risk culture and awareness. A crucial aspect of risk management is fostering a positive
attitude and behavior toward it among all team members of an organization. Additionally, it’s
important to improve the knowledge and skills of employees in regard to risk management.

Training and Education Programs are initiatives that aim to enhance the knowledge, skills,
attitudes, and behaviors of employees regarding risk management. They include formal
courses, workshops, seminars, webinars, e-learning modules, case studies, simulations,
games, quizzes, newsletters, posters, videos, podcasts, etc.

Training and Education Programs help employees understand and actively contribute to risk
avoidance initiatives. They also help build a risk-aware culture that values transparency,
accountability, and learning from risks.

How do risk maps work and what are they used for?

In the enterprise, a risk map is often presented as a two-dimensional matrix. For example, the
likelihood a risk will occur is plotted on the x-axis, while the impact of the same risk is
plotted on the y-axis.
A risk matrix that includes natural disasters and human risk factors.

Identified risks that fall in the high-likelihood and high-severity section are typically risks
that demand attention. If the organization is dispersed geographically and certain risks are
associated with certain geographical areas, risks might be illustrated with a heat map, using
color to illustrate the levels of risk to which individual branch offices are exposed.
Organizations use risk heat maps to help identify the risks they are likely to encounter, see the
varying levels of concern attached to each risk and depict their risk priorities in an intuitive,
self-explanatory fashion.
Risk maps help enterprise executives and their teams understand where they need to prioritize
their risk mitigation resources.
In addition, the graphical representation of the potential impact and likelihood of each risk
also makes the importance of risk management more tangible to employees, particularly
those outside the executive ranks and the enterprise risk function who have no
special training in risk management.
In turn, this enables organizational leaders to enlist employees at all levels in discussions
about risk and risk mitigation requirements.

MAIN BENEFITS OF A RISK HEAT MAP

Risk maps enable the organizations to do the following:
1. see the organization's total risk environment at a high level, providing a big-
picture view;
2. ensure that risk mitigation priorities -- and resources -- are aligned to the most
significant risks;
 3. reduce insurance costs -- developing risk maps can help organizations
demonstrate a comprehensive, well-aligned risk management strategy to insurance
companies and gain more favorable premiums;
4. support collaboration between the organization's risk function and other functional
departments, which have greater visibility into risk due to the risk heat map;
5. encourage shared strategic decision-making on risk issues;
6. effectively focus on improving risk management and risk governance;
7. sharpen the enterprise's definition of its risk appetite and risk tolerance;
8. generate better integration of risk management activities across enterprise
functions; and
9. give teams throughout the enterprise a common language for discussing risk.

IMPORTANT TO USE A RISK HEAT MAP

Creating a risk map forces executives and their teams to identify the risks that could threaten
the organization and rank their possible impact and likelihood. The exercise can clarify
priorities for enterprise leaders and help them get ahead of issues before they threaten the
organization's operations.
Furthermore, as noted in the benefits section above, creating a risk map also facilitates
interdepartmental dialogues about an organization's inherent risks. It forces greater
collaboration between the risk function and other departments within an organization as they
must all work together to identify, prioritize and visualize risks. As such, a risk heat map can
help the company visualize how risks in one part of the organization can affect operations of
other business units across the enterprise.
A risk map also adds precision to an organization's risk assessment strategy and identifies
gaps in an organization's risk management processes.
KEY CONSIDERATIONS FOR CREATING A RISK HEAT MAP
Risk maps are most effective when organizations thoroughly consider the different categories
of risk they face and the various risks within each of those categories, as well as their
potential probabilities and possible impact on the enterprise.
Organizations should also keep the following other key considerations in mind as they
develop risk maps:
 the specific systems and information assets that could be impacted by certain
risks;
  the type of impact -- monetary, operational, reputational, etc. -- each risk could
have;
 whether there's an acceptable level of impact and, if so, how much of an impact is
tolerable for the organization;
 existing internal controls and any additional controls that could or will be
implemented; and
 the organization's risk tolerance and risk appetite.

How to create a risk map

Identification of inherent risks is the first critical step in creating a risk map.

Risks can be broadly categorized into strategic risk, compliance risk, operational risk,
financial risk, reputational risk and cybersecurity risk. However, organizations should aim to
chart their own lists by taking into consideration specific factors that might affect them
financially.

Once organizations have identified the risks, they should seek to understand what kind of
internal or external events drive those risks.
Next, organizations must evaluate those risks and estimate their potential frequency -- and
their potential impact -- as well as identify the control processes to offset them.

They then should rank risks based on that evaluation, prioritizing the management of those
risks identified as having the greatest potential for significant impact.

After they've gathered and evaluated the risk data, enterprise leaders need to decide on how
to visualize that information in ways that make the most sense for their unique needs.

Risk maps are typically square, but some are rectangular or circular. They're frequently
graphs built on an x-y axis, but some are divided into quadrants with the upper-right block
designating the most significant risks.

Many maps feature a red-yellow-green color code to indicate whether risks are significant-,
moderate- or low-level concerns, although some use varying shades of a singular color to
indicate levels of risk.

There are additional variations in presentation, such as the option to present the risk map as a
bar graph.

Organizations can use the completed risk map to facilitate discussions and decision-making.

However, they must recognize that risk maps are not static. In fact, it's critical that
organizations have a process for reviewing their risk maps regularly to ensure key risks are
being managed effectively. They should also have a process for revisiting and adjusting their
risk maps as threats evolve and vulnerabilities change.

What Is a Hierarchy of Controls? 5 Stages of Safety Controls

One method of managing occupational hazards, such as accidents, injuries and illnesses, is
through implementing the hierarchy of controls. Organizational leaders use this globally
recognized system in workplaces to manage hazards through five strategy tiers, from
elimination to prevention.

In this article, we define the hierarchy of controls and list the five stages of safety controls
that can be used to protect employees.

Key takeaways:The hierarchy of controls is used to keep employees safe from injury and
illness in the workplace.The five steps in the hierarchy of controls, from most effective to
least effective, are elimination, substitution, engineering controls, administrative controls and
personal protective equipment. The hierarchy of controls is especially vital in occupations
where employees come into regular contact with hazardous chemicals, vehicle-related
accidents and heavy machinery errors.

What is the hierarchy of controls?

The hierarchy of controls is a structural method for keeping employees safe from
occupational hazards. It’s widely promoted as the best way to control occupational hazards by
various worldwide safety organizations, including the National Institute for Occupational
Safety and Health (NIOSH).

The hierarchy details five methods of varying effectiveness for controlling occupational
hazards and emphasizes elimination or substitution of the hazardous object(s)
first:. Elimination: Physically remove the hazard(s)

Substitution: Replace the hazard(s)

Engineering controls: Isolate people from the hazard(s)

Administrative controls: Change the way people work

Personal protective equipment (PPE): Protect workers

Workplaces often combine all five methods of control to ensure thorough protection, even in
the event that a single, high-level control mechanism fails.
5 STAGES OF SAFETY CONTROLS

Five key stages of safety controls are included within the hierarchy of controls. These stages
are ranked by efficacy and are typically represented using an inverted triangle graph, which
lists the most to least effective stages.

You can think of the five stages as defense mechanisms that prevent employees from
interacting with or being impacted by occupational hazards:

1. Elimination

Elimination, or physically removing a hazard from a workplace, is the most effective stage of
the hierarchy of controls. When hazards are eliminated or removed from a work environment,
they no longer have the potential to negatively impact employees.

Though it’s conceptualized as the most effective stage, elimination is also typically the most
challenging to implement. Doing so can be costly and require major overhauls in preexisting
workplace processes.

Examples:

 Redesign a process to eliminate the use of hazardous equipment or product

 Perform tasks at ground level rather than working high above ground
 Store goods at lower heights so workers don’t have to climb tall heights and risk fall
injuries or fatalities

2. Substitution

Substitution, or replacing a hazardous item or activity with something less hazardous, is the
second-most effective stage of safety control. Substitution serves a similar purpose to
elimination, as it removes a hazard from the workplace or decreases the potential for the
hazard to negatively affect employees. If a workplace process is still in its design or
development phase, substitution can be an inexpensive and streamlined method for managing
a hazard.

Examples:

 Replace a caustic cleaning agent with a non-toxic alternative

 Substitute a solvent-based paint with water-based paint
 Use a non-silica abrasive material instead of sandblasting

3. Engineering controls

Engineering controls, or designing purposeful solutions that physically separate employees

from hazards, are the third-most effective stage of safety control. Many organizations favor
engineering controls to remove the hazard at the source, rather than after an employee comes
into contact with a hazard. It’s important to note that while engineering controls can
sometimes be costly to implement, they typically result in lower overall operating costs due
to the new safety features.
Examples:

 Place barriers around fans and other loud machinery

 Fence around dangerous high-voltage equipment
 Install guardrails at worksites that are high above ground

4. Administrative controls

Administrative controls, or changes to the way employees work and perform particular
processes, are the fourth-most effective stage of safety control. Administrative controls are
typically employed alongside other existing processes in which hazards are not totally
controlled.

Organizations sometimes favor administrative controls due to their low-cost nature, but such
initiatives are often somewhat ineffective and require significant effort on the part of affected
employees.

Examples:

 Limit the time a worker is exposed to a hazard

 Create written formalized operating procedures
 Install signs, labels and alarms

5. Personal protective equipment

PPE, physical equipment worn or used by employees while they perform their work, are the
fifth- or least-most effective stage of the hierarchy of controls.

Like administrative controls, PPE is typically used alongside preexisting processes that
haven't completely controlled the occupational hazard. Using PPE as a safety control is
typically very costly in the long term and can be somewhat ineffective if worn or used
improperly.

Examples:

 Eye and face protection (goggles and masks)

 Head protection (hard hats)
 Foot and leg protection (foundry shoes)
 Hand and arm protection (chemical-resistant gloves)
 Body protection (hazmat suits)
 Hearing protection (earplugs)

Importance of hierarchy of controls

The hierarchy of controls is especially vital in occupations where employees come into
regular contact with hazards like toxic chemicals, air pollutants, diseases and illnesses,
structural or vehicle-related accidents and heavy machinery errors.

The hierarchy of controls is an integral part of the NIOSH initiative prevention through
design (PtD), which aims to prevent or reduce occupational injuries and illnesses by
“designing out” hazards and risks. PtD employs the hierarchy of controls through these
methods:

 Eliminating occupational hazards and risks at the start or early on their life cycle
 Designing, redesigning or retrofitting workspaces, tools and procedures to protect
employees
 Including prevention methods within workflow design

BUSINESS IMPACT ANALYSIS (BIA)

A business impact analysis is one the most important elements of any emergency response
strategy. It helps organizations define the critical processes and operations that must be
recovered as quickly as possible if a disaster strikes. In a true emergency, it can be hard to
know where to start. The downtime resulting from a widespread utility outage or IT failure,
for example, can have far-reaching effects across many mission-critical business processes.
With a business impact analysis, you can gain clarity on how to prioritize your recovery
efforts to minimize the losses from a major business disruption.

In this blog post, we’ll explore what a business impact analysis is, why every organization
needs one, and how you can conduct this assessment to inform your disaster recovery,
business continuity, and emergency response plans.

BUSINESS IMPACT ANALYSIS (BIA)

A business impact analysis or business impact assessment (BIA) is a structured process that
organizations use to determine how critical various business activities and resources are to
continuing normal business operations.

The various organs of a business have different goals, dependencies, and resources that
determine how they function. A business impact analysis… well, analyzes these organs and
determines what happens to the rest of the business when one of them is disrupted or fails.

With these insights, businesses can develop business continuity and disaster recovery
strategies to limit potential losses.

BIA vs. RISK ASSESSMENT

While a risk or threat assessment determines the types of threats a business is most likely to
face, a BIA looks at the business consequences. For a BIA, the cause of the business
disruption is less important. It could be an accident, natural disaster, cyberattack, or
something else. A BIA only considers the business impact of the disruption, prioritizes
resources, and determines the best approach to disaster recovery.

Unlike a business threat assessment, BIAs are concerned with the results of disruptions rather
than the causes of those problems—though both processes are complementary to your
business continuity strategy and work well in tandem.
A BIA identifies the financial and operational impacts resulting from the disruption of
business functions and processes. Operational impact analysis may include:

 Lost or delayed revenue

 Increased expenses
 Regulatory fines and legal fees
 Contractual penalties
 Brand and reputational damage
 Customer churn or dissatisfaction
Of course, the business impact depends greatly on the duration and timing of the disruption.
A 30-second power outage will have less impact than a 24-hour IT outage. A fire in a remote
and partially empty warehouse will be less of an interruption than a fire in an active
manufacturing facility. For a retailer experiencing an ecommerce site outage, the impact is
obviously greater if it occurs during a big sale or seasonal event like Black Friday compared
to a slower period.

By analyzing different possible disruptions and their effect on critical business processes, a
business impact analysis prepares organizations to more readily handle any emergency. A
BIA is also a critical step in developing an effective business continuity plan (BCP).

How BIA Fits Into Business Continuity Planning

A BIA lays the foundation for your business continuity plan. It ensures your organization has
a clear plan of action and the resources required to recover from critical events efficiently and
with minimal disruption.

With the ability to recover quicker, organizations can reduce costs, optimize employee
productivity, and maintain customer trust. A business impact analysis gives business leaders
more confidence in their decisions when responding to critical events. It also enables
organizations to determine—well in advance of a crisis—what mitigation strategies and tools
they can utilize so they’re not left scrambling when disaster strikes.

From severe weather and natural disasters to cyberattacks and workplace accidents, all
businesses will experience a disruptive event sooner or later. To mitigate the bottom-line
impact of these threats, every business should perform a business impact analysis as part of
their business continuity and disaster recovery planning efforts.

KEY BUSINESS IMPACT ANALYSIS STEPS

There is no one-size-fits-all template for how to conduct a business impact analysis; every
company has unique methods and organizational structures. But there are some common
elements that should go into the creation of every BIA.

Here are four essential steps in any organization’s BIA process:

Step #1: Build your business impact analysis project team

Before conducting your business impact analysis, you’ll first need to assemble the project
team. A BIA team should include the following roles:

 Project Leader: Primary contact responsible for conducting a successful

business impact analysis.
 Executive Sponsor: Executive champion responsible for providing strategic
input and guidance.
 Business Process Owners: Representatives from different business units, such
as IT and Finance, who will provide insights into relevant business processes
and help implement BIA recommendations.
:
 Role: Project Leader
 Responsibilities: Provide overall project management responsibility, working with
business owners to deliver the business impact analysis.
 Role: Executive Sponsor
 Responsibilities: Provide strategic input, support problem resolution, and give
executive signoff on critical activities.
 Role: IT Leader
 Responsibilities: Analyze the IT applications and software systems to determine if
current IT disaster recovery (DR) arrangements enable recovery of these within
specific recovery time objectives (RTOs).
 Role: Legal
 Responsibilities: Consider regulatory requirements, contractual obligations, fines,
and legal liabilities that may come up during business disruptions.
 Role: Risk Management Leader
 Responsibilities: Determine the key business risks, define the risk threshold, and help
develop the impact parameters.
 Role: Finance
 Responsibilities: Supply financial data and advice on direct and indirect financial
impacts.
 Role: Operations Leader
 Responsibilities: Provide information on critical supply chain dependencies,
production-related activities, and operational impacts.
 Role: Human Resources Leader
 Responsibilities: Consider duty of care obligations, compliance, and employee health
and safety.
 Role: Facilities Leader
 Responsibilities: Supply information on facilities, utilities, alternative recovery work
locations, etc.
Step #2: Gather and evaluate business process information

With your all-star team assembled, it’s time to roll up your sleeves. As you begin to gather
information, send a BIA questionnaire to survey managers and others within the business.
You’ll also want to personally interview those with detailed knowledge of how the business
manufactures its products or provides its services. With these insights from business process
owners and key stakeholders, you’ll be able to understand the potential consequences better if
a particular business function or process is interrupted.

In your BIA interviews and surveys, you’ll want to capture information about various
business processes such as:

 Name of the process

 Where it is performed
 Inputs and outputs
 Resources and tools used
 Any process interdependencies
 Impact of disruptions (financial, operational, regulatory, etc.)
 How the timing and duration of a given disruption affects its impact
Once you have collected all of the information needed about each business process, the
impact analysis can begin. Consider these four questions:

 Which functions and processes are most important to business continuity?

 What resources (people and technology) does each process need?
 What is the recovery timeline for bringing each process back to normal
operation?
 What is the recovery point objective (RPO)? In other words, what is the
timeframe for when services/data need to be restored?
Step #3: Prepare a BIA report to aid business continuity and disaster recovery

Once the information gathering and analysis phase is complete, it’s time to prepare a business
impact analysis report. This report will allow you to communicate your findings and
recommendations to senior management, as well as guide the development of your business
continuity plan.

The BIA report should document the potential impacts resulting from the disruption of
business functions and processes. It will also provide the order of response priorities for
restoring normal business operations. Business processes with the greatest financial and
operational impacts should be restored first.

If there is a critical production process that needs to be up and running within 24 hours, but
your current resources can only get it operational within 48 hours, for example, be sure to
address it and outline resource requirements in the BIA report.

Step #4: Implement recommendations to address continuity vulnerabilities

Once your team has conducted the BIA and outlined disaster recovery strategies, the final
step is to implement the recommendations from the business impact analysis report. Buy-in
and support from your executive sponsor and business owners are critical to ensuring
recommendations are implemented across each of the critical business functions identified.

Also, be sure to regularly revisit your business impact analysis to update it as new processes
are implemented, the organization’s structure is reshuffled, or available resources change.
Your business isn’t static—and neither is a business impact analysis. With your organization
constantly growing and evolving, the BIA should be regularly reviewed and modified as
needed to ensure it’s still valid.

Adopting Mitigation Tools and Strategies

Once the BIA is complete, business continuity and disaster recovery leaders can use it to help
implement mitigation strategies and tools to reduce the impact of various threats. And one
such tool is a modern emergency communication solution.
During disruptive events, communication is a lifeline. Being able to relay information and
instructions to employees is critical to a fast, efficient emergency response. Emergency
communication systems with integrated threat intelligence allow businesses to more rapidly
identify threats, visualize the people and locations that are impacted, and facilitate an
organized response using multichannel communication—all from a single platform.

Threat intelligence capabilities allow you to recognize critical situations before they happen,
giving you the benefit of alerting and organizing your audience in advance. It provides the
organization with “always-on” monitoring to identify potentially disruptive incidents as
quickly as possible. This helps mitigate losses by improving readiness and accelerating
response times.

What is Business Analysis Impact (BIA)?

Business Impact Analysis (BIA) is the process of identifying and assessing the potential
impacts a disruption or incident could have on an organization. As a BIA professional, I
help organizations identify their most critical operations and business functions and place
plans and procedures to ensure these are maintained during and after a disruption.

As Business analysts, we use various techniques to understand the business operation

being interrupted and the potential impacts of that interruption. We then work with
stakeholders to develop strategies to address the risks. Common strategies to mitigate risk
include developing alternative sources of supplies or services, increasing capacity, or
developing contingency plans.

For example, a manufacturing company can create a business impact analysis template to
analyze how losing a key supplier would affect operations and revenue. By understanding
the risks and developing mitigation strategies, business analysts can help organizations
minimize the impact of an interruption and ensure the continuity of operations.

For a comprehensive understanding, let’s look at BIA with respect to other important
aspects of business.

1. BIA vs. Risk Assessment

Business Impact Analysis focuses on identifying critical operations and functions, while
Risk Assessment evaluates potential threats and vulnerabilities. BIA assesses impact,
emphasizing operational continuity, while Risk Assessment gauges the likelihood and
severity of risks. Both are integral for comprehensive risk management, offering distinct
perspectives for informed decision-making.

2. BIA vs. Business Continuity Planning

While Business Impact Analysis identifies critical operations and their dependencies,
Business Continuity Planning (BCP) develops strategies to ensure ongoing functionality
during disruptions. BIA informs BCP, providing insights into essential functions. BCP
then formulates plans to maintain operations, emphasizing preparedness and resilience.

3. BIA vs. Disaster Recovery Planning

Business Impact Analysis identifies critical functions, while Disaster Recovery Planning
(DRP) focuses on IT systems and data recovery. BIA assesses operational dependencies,
whereas DRP emphasizes technology restoration. Both collaborate to ensure holistic
preparedness, with BIA guiding the identification of critical functions for DRP
implementation

PURPOSE OF BUSINESS ANALYSIS IMPACT

The key purpose of business impact analysis is to help an organization determine the
potential effects of an interruption to critical business operations due to any negative
event. The purpose is to understand the potential impacts on the organization and develop
contingency plans to minimize those impacts.
Furthermore, BIA business impact analysis aims to predict exactly how a disruptive event
will play out and identify the possible consequences of different types of disruptions. This
information can then be used to develop plans for how the organization will respond if one
of those disruptions occurs.

IMPORTANCE OF BUSINESS IMPACT ANALYSIS

Businesses rely on various systems and processes to function properly. When one of these
components is disrupted, it can have a ripple effect throughout the organization. That is
why business impact analysis (BIA) is so important. Let us understand the importance of
business impact analysis in detail by considering some crucial business disruption
scenarios and their possible impact.

Business Disruption Scenarios

Here are some of the most common business disruption scenarios:

 Data Loss/Breach
 Data Recovery
 Power Outage
 Network Outage
 Natural Disruption
 Pandemics
 Physical Disruptions
Impact

1. Data Loss/Breach: Losing data can happen in several ways, from accidental deletion
to cyberattacks. Businesses rely on data to make informed decisions, and a data loss
or breach can significantly impact operations. Not only does it involve the cost of
recovering the data, but it can also lead to a loss of trust from customers and
partners.
2. Data Recovery Issue: Even with a backup, recovering lost data may be difficult or
impossible. This can be due to file corruption, physical damage to storage devices, or
other factors. You may need to hire a professional if you can't recover the data
yourself.
 3. Power Outage: A power outage can bring your business to a halt. It can also be
disruptive, especially if it lasts extended. Not only will businesses be without power,
but they will also lose access to network systems and possibly critical equipment.
4. Network Outage: An outage of your primary internet connection can disrupt
business operations. To avoid this, have a backup internet connection such as a
secondary ISP or LTE.
5. Natural Disruption: A physical disruption such as a fire, flood, or earthquake can
damage or destroy your business premises. In addition to the direct damage to
property, businesses may face challenges with communication and access to essential
services.
6. Pandemics: A pandemic can cause widespread sickness, death, and economic
disruption. It can significantly impact businesses regarding health and safety concerns
and the potential for lost productivity. To minimize the impact of this scenario on your
business, have a plan in place for how you will maintain operations during a
pandemic.
7. Physical Disruptions: Physical disruptions such as riots, protests, and strikes can
disrupt business operations.

How to Conduct Business Analysis Impact In 10 Steps?

The steps to conducting business analysis impact can differ from company to company
depending on their requirements and team. However, the general steps of how to conduct a
business impact analysis are as follows:
 Getting approval from senior management.
 Selecting experienced staff to perform a BIA.
 Preparing a detailed business impact assessment template and the plan.
 Gathering information from interviews, documentation, and questionnaires.
 Evaluating the gathered data.
 Performing an analysis so that the technologies needed could be discussed.
 Preparing a report or a detailed BIA template.
 Showing the results to senior management.
 Define strategies for recovery after examining the results.
 Using these results to develop a sample business impact analysis plan and then
working with the team and seniors to make it a final plan.
To learn more about conducting effective business analysis, one can choose
KnowledgeHut which offers some of the best business analyst courses. The courses cover
everything from the basics of impact analysis to advanced aspects for assessing the
potential ramifications of proposed changes under the guidance of project management
professionals. KnowledgeHut’s best Business Analyst courses are interactive and
engaging, offering students the opportunity to learn through real-world examples.
PHASES OF BUSINESS ANALYSIS IMPACT

The business impact analysis process involves 4 phases. They are:

1. Define the Objectives and Scope

The first phase is to define the goals, major objectives, and scope of the business impact
analysis. The business's goals should be clear. Once approval has been obtained,
businesses should gather trained people to perform a BIA together. These individuals
should understand the organization's business processes well and be familiar with risk
assessment methods.

2. Collect Data and Information

After initiating the business analysis phase, the analyst will gather information. This is
done through a variety of means, including a BIA questionnaire template, interviews, and
documentation review. The goal is to collect data that is relevant to the analysis and that
can help to answer questions about the problem or opportunity at hand. Once this
information has been gathered, it can be used to generate insights and recommendations.
The collected information should include:
 The process name
 What the process entails in detail
 Inputs and outputs
 All business impact analysis tools and resources to be used in the process
 Users involved in the process
 Timing
 Financial and operational affect
 Regulatory and legal impacts
 Historical data
3. Review the Information
The third phase of business impact analysis is information review. This is the process of
documenting and reviewing the collected data to prioritize a list of business functions or
processes, identify human and technology resources needed, and establish a recovery
timeframe. This phase can be automated or done manually, depending on what is easiest,
reliable, and, most importantly, practical.
This phase is important in crisis management and contingency planning because it helps
company leaders make decisions about allocating resources and managing operations
during and after a disruptive event. Information review might seem a basic part of
the business impact analysis process, but it is an essential step in making sure that your
company is prepared for any eventuality.
4. Making a Detailed Report
One of the most important business impact analysis steps is making a detailed report. This
report comprehensively documents the findings of the previous phases and offers
recommendations for recovery in the event of a disruptive incident.
Here is a business impact analysis report example explained in detail:
The report begins with an executive summary, which provides an overview of the
objectives, the scope of the analysis, and a summary of the findings. This is followed by a
section on methodology, which outlines the data-gathering and evaluation methods used.
The next section presents a detailed finding on the most crucial processes, the disruption
impact, acceptable duration, acceptable loss level, recovery cost, etc. The report concludes
with a section on supporting documents and recovery suggestions.
The final phase of business analysis impact is showing the Business Impact Analysis
(BIA) report to seniors. The report should be shown to seniors to get their input on the
findings and recommendations. The analysts can choose from any business impact analysis
template excel available online to present the report.
After the BIA report has been reviewed and approved by seniors, it can be used to develop
a plan of action in the event of a disruption. The goal of this phase is to ensure that seniors
are aware of the risks and impacts associated with disruptions and that they understand the
role they play in mitigating those risks.
Effects of Not Performing a Business Analysis Impact
Not conducting a business impact analysis can result in significant negative impacts on an
organization. These include the following:
1. Lack of clarity on which business processes are critical and need to be safeguarded.
2. Inadequate protection of key assets and resources.
3. Poorly designed continuity plans that do not take into account all risks.
4. Increased exposure to financial, reputational, and legal risks in the event of a
disruption.
5. Difficulty obtaining insurance coverage or adequate compensation from insurers in the
event of a loss.
6. Poor decision-making during a crisis is due to a lack of information about the potential
impacts of various actions.
Conducting a business impact analysis risk assessment is essential for any organization
that wishes to protect itself from the potentially devastating effects of disruptions. By
identifying critical business processes and assets, organizations can ensure that their
continuity plans are comprehensive and effective and that they are taking all necessary
steps to mitigate risks.
COMMON CHALLENGES WITH BUSINESS ANALYSIS IMPACT
In business analysis, the impact of a change should be measured to ensure that it is worth
implementing. However, this can be difficult to do accurately. There are several common
challenges that analysts face when trying to assess the impact of a change:
1. First, predicting how users will react to a change can be difficult. They may not use the
new features as intended or find workarounds that negate the impact of the change.
2. Second, it can be hard to identify all the stakeholders affected by a change. Some
stakeholders may have hidden agendas that make them resistant to change, while others
may be unaware of the potential impacts.
3. Third, analysts must deal with uncertainty when assessing impact. Changes often have
complex ripple effects that are difficult to predict.
4. Fourth, analysts must balance conflicting demands when assessing impact. For example,
a change that benefits one group of users may have negative consequences for another
group.
5. Fifth, analysts need to take into account both tangible and intangible factors when
assessing impact. For example, a change may improve efficiency but make users feel less
engaged with their work.

KEY RISK INDICATORS

A key risk indicator is an indicator, or metric, used to assess and measure a possible risk. A
simple way to think about a KRI is to consider it like you do an alarm. If something is
heading down the path of a disaster, you will be made aware of it by taking measurement of a
KRI, rather than waiting for the negative outcomes to occur.

As mentioned, KRIs are just a selection of measurement tools to monitor overall risk. While
you won’t focus, or even know, every type of risk your business faces, you can take proactive
and reasonable steps to keep an eye on the most crucial types of risk.

KRIs can be broken down into three main categories, based on types of risk:

 Financial: These are metrics that help to quantify market risk, regulatory changes or
competitive risk.
  People: KRIs that measure employee satisfaction, customer churn, employee
retention, etc.

 Operational: Ways to take stock of risks that can stem from day-to-day like a
technical malfunction or security breach.

‍THE RELATION OF KRIS TO KPIS

You can easily translate the aphorism, “No risk, no reward,” to “No KRIs, no KPIs.” You’ll
come across resources that separate the two, placing key performance indicators under
performance management and key risk indicators under risk management. However, you
really can’t have one without the other. A KRI can help greatly in informing a KPI. This is
because every KPI has to be met by a strategic plan to make it come to fruition. Within
strategic development, you must outline, understand and consider what risks will be brought
on along the journey.

To reach a business goal, you will undoubtedly want to track key performance indicators. The
most simple way to track KPIs is through automation tools that can leverage real-time data.
Such software runs processes for you to reduce risk inherently. Simultaneously, you can view
dashboards to see how processes are performing. Easy-to-read visualisations and reports
allow business leaders to keep track of KPIs and monitor any changes made for success. If
you aren’t reaching KPIs, then you will look to resolve issues hindering success.

In the same vein, as you measure a KPI, you’ll want to be measuring a KRI. This is because a
KPI helps answer questions as to how to achieve a business goal. In this pursuit, your
business naturally assumes risk. A KRI answers what risk you are likely to face that could
inhibit your business reaching its goals. A KRI can also be an early warning device to signal
that a KPI won’t be met because an issues has occurred.

QUALITIES OF GOOD KRIs

When defining your business’ key risk indicators, it’s best that each possesses the following
characteristics:

 Quantifiable (can be associated with numerical costs)

 Measurable (accurately and precisely)
 Can be validated (have a high level of confidence)
 Relevant (measuring the right thing associated with decisions)

Here are some examples of KRIs that are commonly used by those in finance:

 Credit risk: quick ratio, current ratio, value at risk (VaR)

 Operational risk: number of accounting deadlines missed, percentage of departments
without KPIs in place
 Technology risk: mean time between failure (MTBF), mean time to repair (MTTR),
Percentage of devices not covered by monitoring solutions
‍REASONS FOR ORGANISATIONS STRUGGLE WITH KRIS

One of the most common struggles that organisations face when dealing with KRIs is the
ability to glean insights from data. While the first necessity is choosing a measurement that is
quantifiable, the second is making sure you can access and transform the required data into
understandable bites of information. Many organisations fail to allocate the resources needed
for this to happen.

It’s important to choose a software tool that can manage your data so you don’t have to worry
about it. In many instances, businesses collect and store data disparately across the
organisation. From spreadsheets to manual data entry, there’s a high risk for errors and
delayed data. But, with an automation tool, you can leverage the power of technology to
access data in real time and assess trends and benchmarks at any given time.

Furthermore, many organisations conflate key risk indicators with key performance
indicators. For example, a financial institution may be increasing their clientele, adding to
their bottom line. But, at the same time, their number of accounting deadlines missed -
external can be growing. This will increase their regulatory risk. So, it’s important that KRIs
are separately measured with regard to overall business goals.

DESIGNING EFFECTIVE KRIS

Designing effective KRIs can be done through a mapping exercise. You begin by defining the
business goal. For example, we will call this increasing profits.

Then, you can make a map of the ways by which you can increase profits - increasing
revenues or decreasing costs. Each path can be accomplished by an infinite amount of
strategies, but your team can choose the most feasible methods to either increase revenues or
decrease costs. Then, you want to define the risks associated with each. For example,
increasing revenues could come by increasing product prices. But, this could cause the risk of
customer churn or losing competitive share if you are undercut.

So, by linking each KRI to a strategic initiative, you will be able to follow the path of least
resistance. This direct pathway helps management teams keep an eye on the KRIs that matter,
without getting bogged down by excess and unnecessary data points and information.

ROLE OF TECHNOLOGY AND KRIS

In today’s competitive business landscape, you’ll be hard pressed to find a successful

organisation that doesn’t take advantage of the most powerful business tools. WIthin the suite
of business intelligence sits automation software that can store, track, transform and report
data. At the heart of all KRIs (and KPIs) is data records. It’s up to your team to define the
right KRIs to measure, but it’s up to the system to do the heavy lifting.

With real time data analytics and reports at your fingertips, you can rest assured knowing that
processes are running as planned. Once you’ve designated KRI thresholds, the system will
alert you when a KRI is approaching that number. To deal with KRIs, you can design action
plans in advance and leverage automation tools to follow suit once activated.
While you manage the high-level concerns within a business, the automation tool will track,
perform and report whatever you may need to meet your outlined business objectives.

CHALLENGES IN THE ADOPTION OF EFFECTIVE KRIS

While KRIs help organizations to combat risks and adversities, there are a few key reasons
behind why KRI monitoring also fails to deliver business benefits which are usually as
follows:

 Difficulty in identifying KRIs for all risks

 Insufficient focus on the causes of the risks

 Failure to automate the collection of KRI values

 Not using existing KPIs in conjunction with KRIs

 Not associating actions with thresholds

But for each of these challenges, there are remedial recommendations: organizations should
start with the key risks and then, expand. They should assign KRIs against each cause. As
many KRIs as possible should be automated to prevent them from becoming stale. Existing
KPIs should also be mapped with the KRIs and both should be used to forecast risks. Lastly,
associating actions with thresholds goes a long way in synchronizing appropriate thinking
when defining thresholds.

Designing and setting up KRIs is critical to a successful ERM process. While the potential
advantages of creating an effective set of KRIs has been highlighted, it is equally important to
set the design elements and protocols for their proper communication and flow within the
sphere of corporate governance.

KRIs in conjunction with the KPIs are deemed to be efficient indicators of not just the
potential risks to an organization but also how its different units have been performing.
Though the difference is simply in perspectives, an organization benefits far more when
examining KPIs using risk lenses.

CHARACTERISTICS OF KRIS

 Relevant: the indicator/data helps identify, quantify, monitor or manage risk

and/or risk consequences that are directly associated with key business
objectives/KPIs.

 Measurable: the indicator/data is able to be quantified (a number, percentage,

etc.) and is reasonably precise, comparable over time, and is meaningful without
interpretation.

 Predictive: the indicator/data can predict future problems that management can
preemptively act on.
  Easy to monitor: the indicator/data should be simple and cost effective to
collect, parse, and report on.

 Auditable: you should be able to verify your indicator/data, the way you sourced
it, aggregated it, and reported on it.

 Comparable: it’s important to be able to benchmark your indicator/data, both

internally and to industry standards, so you can verify the indicator thresholds.

Risk Financing Costs

Risk Financing Costs include all insurance premiums and attendant costs. Attendant costs
include broker commissions/fees, captive contributions, dividend adjustments, letters of
credit, and any other costs impacting the funding of risk transfer or retention.

Loss Costs
There are two types of Loss Costs: The direct cost and the indirect cost of losses. Both loss
components impact the organization’s Total Cost of Risk.

 Direct Costs of Losses — Deductibles and claims that are anticipated and funded
inside the organization’s risk financing program (e.g., captive, deductible, or self-
insurance programs.)
 The cost of administering claims by third party administrators (TPA’s) are also
considered a direct cost, as the TPA expense is usually a direct correlation of the
claims experience. An uninsured loss is also a direct cost of loss.

 Indirect Loss Costs — Every loss creates a corresponding expense that is unfunded
and, in some cases, unanticipated. While the risk financing (insurance) may pay
the known claim, there is a high correlation of additional unfunded business
expenses that arise from virtually any claim.

These indirect loss costs are commonly known as the portion of the iceberg that
lurks below the surface. Indirect costs must be quantified and measured to create
an accurate Total Cost of Risk calculation.

For more on the subject of Indirect Loss Costs, see the Wikipedia Indirect Loss
Cost topic.

Administrative Costs
Administrative Costs are the financial impacts associated with providing services to
administer a Total Cost of Risk Program effectively. They include claims management, risk
control, and all other project costs such as data analytics. If a firm pays additional fees or
expenses for these services, they are an addition to the TCOR formula. However, when a
third party (insurance brokerage or risk management services provider) provides the services
as part of the relationship, they reduce the TCOR to the extent the measurable ROI exceeds
the cost of the services.

Taxes and Fees

Taxes and fees attached to the placement of the risk financing program must be added to the
TCOR. These are the various state taxes attached to insurance placements and are paid to
governmental and regulatory bodies (e.g., state surplus lines or admission fees.)

Calculate TCOR – The Formula

The Total Cost of Risk Formula is:

Risk Financing
+ Loss Costs (Direct and Indirect)
+ Administrative Costs*
+ Taxes and Fees
= Total Cost of Risk

*In cases where the administrative projects are provided as part of the risk financing costs, the Administrative Cost is a cost reduction based upon the valuation of the services provided.

Uses of Total Cost of Risk

Executives use TCOR inside the financial and risk services industry in various ways:
  Risk Management Professionals – TCOR provides an accurate analysis of their
complete cost structure. Professionals use the TCOR analysis to allocate expenses
throughout an organization (by business unit or location) and to determine the ROI to
the organization.
 C-Suite Executives – Through the analysis of TCOR using comparison years, the C-
Suite can accurately budget costs and review the increase or decrease of their cost
structure.
 Brokerage and Risk Services Providers – Total Cost of Risk is the only method that
a brokerage (or a risk services provider) can demonstrate the quantifiable impact of
their services to buyers. The valuation of loss costs, indirect loss costs, and the value
of risk control and claims management projects provide the complete TCOR picture.

Issues in Risk Management

Whether it’s addressing workplace accidents, keeping up to date on legal compliance issues,
or handling unemployment claims, risk management is important for any business or
organization.
Risk management programs aren’t just about minimizing crippling risks; they’re also an
opportunity to reduce costs, save time, and gain the competitive edge.
But, there’s only so much you can do on your own. Learn about the top 8 issues in risk
management and how a Professional Employer Organization (PEO) like Resourcing Edge
can help.
What Is Risk Management
Risk management means different things to different people, but generally it refers to the
management of anything that might jeopardize organizational goals. This includes liability
and legal risks, financial risks, workplace safety, fraud, and data security.
Since each organization is different, there is no one-size-fits-all approach. This is why it’s so
important to hire a Professional Employer Organization to help identify and mitigate the risks
that are unique to your business.
In the world of human resources, risk management deals with things such as workers’
compensation, unemployment claims, and compliance and regulatory issues.
As a business or organization, you want to minimize potential risks as much as possible.
Investing in risk management allows you to save time and money, reduce accidents, and be
prepared when crisis strikes.
Top 8 Issues in Risk Management
1. Workers’ Compensation
Workers’ compensation claims cost businesses over $60 billion every year. In order to
prevent accidents and injuries, save on workers’ compensation insurance, reduce the direct
cost of premiums, and save on all the indirect costs of on-the-job accidents, it’s important to
take a proactive approach.
Indirect costs can include hiring and training replacement employees, adjusting work
schedules, investigating accidents, and implementing safety procedures and corrective
measures.
Here are some things you can do to reduce workplace accidents and injuries:
Effective Hiring and Training
It’s important to hire qualified employees to reduce employee mistakes and increase
productivity. Make sure you have sufficient time to find the right employee. Careful selection
makes sure you have the best employee for the job.
Consider using:
  An application form
 Background checks
 Reference checks
 Effective and consistent interview techniques
Once you hire the right person, there should be appropriate training that incorporates a
combination of different learning styles. Keep in mind that training should never stop. All
employees need periodic refresher training.
Safety Programs and Guidelines
Prevent workplace accidents before they occur by teaching employees safety standards and
procedures.
A PEO can help you set up:
Safety programs, manuals, and guidelines
Workplace inspections
Drug testing and background checks
Workers’ compensation insurance
Workers’ compensation claims investigation, representation, and management
Remember, safety programs aren’t just documents. Hands-on, on-the-ground training is
absolutely necessary for putting safety standards and procedures into action. There should be
proper supervision and ongoing evaluation and support from management.
Return-to-Work Program
Despite proactive safety measures, accidents still happen. It’s beneficial for both parties to get
injured employees back to work as soon as possible. The longer a workers’ compensation
case remains open, the more expensive the claim becomes.
A return-to-work program helps employees get back to work even if it is on a part-time
schedule. Getting employees back to work helps maintain workplace ties and increases the
chance of employees returning to work.
How a PEO Helps
A PEO helps manage workers’ compensation costs and claims, while also increasing the
safety of your employees and business.
A PEO can help:
 Choose workers’ compensation plan coverage specifically designed for your
company. Save money by negotiating with insurance providers and eliminating fees.
 Take over administration of your existing policy.
 Evaluate and design safety programs to prevent workplace injuries.
 Implement a return-to-work program that reduces workers’ compensation claims and
increases employee morale.
 Provide representation at claims hearings.
1. Payroll and Tax Management
All the reporting and filings associated with payroll must follow federal, state, and local laws
and regulations. Complying with payroll regulations requires specialized HR expertise.
A PEO can help:
 File payroll tax documents.
 Create, file, and send W-2s.
 Administer unemployment, including plans, payroll collection, and claims handling.
  Calculate and withhold federal, state, and local payroll taxes — withholdings are
electronically remitted to the government.
Payroll administration can present many potential risks, including wage and hour compliance,
regulatory reporting, and federal, state, and local tax compliance.
The expert payroll professionals at Resourcing Edge can take care of the burden of payroll
and tax management for you. Our online tools give you access to our Payroll Solutions 24/7,
weekends and holidays included.
1. Technology
Technology, or lack thereof, can be a huge risk. You want to make sure your data is secure
and develop a plan in the event of an IT crisis. Technology risks include hardware and
software failures, human error, viruses and malicious attacks, and natural disasters such as
floods and fires.
The increase of our dependence on technology has led many companies to develop an
Information Technology Risk Management (ITRM) program. The goal of an ITRM program
is to discover, anticipate, and avoid risks before they turn into problems that could harm the
organization.
As businesses and organizations rely more and more on technology, the need for technology
risk management increases. What are you doing to protect your digital data?
This is the time to assess whether or not you have a proper program in place to manage
technological risk. Companies that ignore the risks associated with technology will end up
paying the price later.
Here are some things to consider:
 Many companies have responded to technological risk by outsourcing data
management to third parties, yet how much assurance do you have that they
are handling data in a safe and secure manner?
 As companies merge and participate in joint ventures and partnerships, it’s important
to manage your own technological risk properly, but what are you doing to ensure
your partners do so as well?
 Workers’ interaction with company technology is not really thought about outside of
work, but sensitive company information is often compromised outside the
workplace. This can be private email accounts, social media, phones and computers.
Is there anything being done to manage security breaches that occur outside of the
workplace?
 Data quality and security can make the difference between which business fail and
which succeed. Are you treating your data and technology as seriously as you should?
1. Third Parties
No company is an island. Today, every organization works with third-party intermediaries,
usually in the hundreds or thousands. As organizations continue to interact with more and
more third parties, it becomes increasingly important to monitor and identify the risks
associated with them.
While it can be a challenge to determine third party risk, it’s important that Chief Risk
Officers (CROs) and upper management thoroughly vet third parties before signing up. Third
party vetting should also occur on a continual basis.
 1. Fraud and Misconduct
In order to limit financial loss and damaged reputations, organizations need to continually
monitor the risks associated with employees, vendors, and third parties to identify and
prevent fraud and misconduct.
The majority of insider fraud is caused by collusion of two or more employees. This is
because working together creates more opportunities to commit fraud and circumvent anti-
fraud controls.
Here are some ways you can reduce the risk of employee fraud:
 Monitor all user behavior in order to detect unusual behavior, such as unusual changes
to information systems, eyebrow-raising data searches, and sudden extravagant
purchases.
 Segregating functions across roles and channels can help prevent fraud, but if there is
collusion, you may need to find commonalities in employees’ actions. For example, a
couple of employees are constantly viewing the same accounts. Multiple employees
performing suspicious actions on the same accounts can indicate fraud.
 There are tools available that can help you uncover fraud by clustering events and
identifying trends.
By monitoring and analyzing employee, vendor, and third party activity, organizations can
identify suspicious behavior before any funds, information, or reputations are lost. The
additional benefit of having fraud-detection systems in place is that employees are less likely
to commit fraud if they know there is a significant chance of getting caught.
1. Employment
Employment risks cover a large scope. In addition to hiring the right people and providing
adequate coaching and training, you also need to worry about wage and hour claims,
nonexistent or incomplete job descriptions, workplace harassment, turnover rates, and more.
From discrimination and sexual harassment to wrongful termination and unlawful retaliation,
a PEO can help prevent issues from happening in the first place as well as support and
represent you in the event that a claim is made.
A PEO can help:
 Prevent claims by offering best practices and developing an up-to-date employee
handbook that every employee must sign.
 Develop training procedures and schedules for all employee levels.
 Standardize processes for interviewing, hiring, onboarding, training, and firing.
 Provide claims coverage, such as Employer Practices Liability Insurance (EPLI).
Manage claims and provide representation.
 Conduct harassment prevention training to identify, prevent, and address workplace
harassment.
 Complete 401(k) plan compliance.
 Make sure health plans meet coverage requirements.
 Designate a single point of contact for questions and assistance.
Provide expert support and guidance through regulatory and economic complexity.
Our comprehensive Employment Practices Risk Management program helps protect you
from the many liabilities associated with discrimination, wrongful termination, harassment
claims, and more.
In addition to ensuring compliance and preventing issues from happening in the first place,
Resourcing Edge also supports you in the event that a claim is made. This includes claims
coverage (Employer Practices Liability Insurance) and claims mitigation (active claims
management).
1. Legal Compliance and Regulatory Requirements
Laws and regulations, enforced by a variety of agencies, affect every organization. In order to
stay aboveboard, it’s important to anticipate and plan for regulations before they are
implemented.
There should be protocols and mechanisms in place to manage regulatory change and
evaluate current compliance. A PEO can help you assess regulatory risk and maintain
compliance effectiveness by through active monitoring, testing, and reporting.
Here are just some of your obligations under the law when it comes to HR compliance:
 Job descriptions, advertisements, and interviews are ADA compliant and meet state
requirements
 Written authorization for background checks
 Employees are properly classified as exempt or non-exempt
 Benefit plans comply with federal and state law
 Company policies and procedures comply with federal and state labor laws (paid
leave, sexual harassment, worker safety, etc.)
 HR policies and procedures apply equally, fairly, and consistently to all employees
 Final paychecks are delivered as required by state law
This list is far from all-inclusive. It goes on and on. Complying with labor and employment
regulations gets more and more complicated every year.
Prevent potential liabilities and lawsuits by contacting Resourcing Edge for a comprehensive
HRAudit. We’ll make sure you are compliant with all federal, state, and local laws and
regulations.
1. Crisis Management
CROs and upper management should place a big emphasis on crisis management — scenario
planning to deal with potential risks and crises, such as cyberattacks, regulatory scrutiny,
workplace harassment, compliance challenges, litigation, and more.
Since these issues often occur without warning, it’s important to have a plan to deal with
them when they occur. This can include on-call lawyers, IT experts, consultants, and other
professionals in order to take swift action on a moment’s notice.
Top 5 HR Risks
1. Employment– discriminatory practices, hiring the wrong candidate, “unjust”
employment, errors in employment contracts and employee handbooks, and more.
2. Labor Protection and Workplace Safety– physical injuries, uncertain working
conditions, lack of safety checks, lack of staff training, inappropriate clothing and
safety equipment, and inadequate or non-existing safety policies and procedures.
 3. Employee Supervision– insults, harassment, revealing personal information,
inadequate job descriptions, no employee manual, disconnect between training and
actions, and no adequate monitoring or discipline procedures.
4. Leaving of Employees– compensation, organizational assets and equipment theft,
and not deactivating all access codes and passwords.
5. Compliance and Regulatory Issues– labor and employment regulations,
compensation, payroll, taxes, benefits, and more compliance and regulatory
requirements.
Risk management can’t eliminate risk, but you can save a lot of time and money by hiring a
PEO to handle your HR functions. This includes proactive measures such as helping you
come up with safety programs and ensuring you remain compliant with all laws and
regulations, but also mitigation and claims support such as providing representation and
active management of claims.

ADVANCED ISSUES IN RISK MANAGEMENT

Advanced issues in risk management go beyond the basics of identifying and mitigating risks
and involve more sophisticated strategies, tools, and considerations. Here are some advanced
issues in risk management:

1. Integrated Risk Management:Organizations are increasingly adopting

integrated risk management approaches that encompass various types of
risks, including financial, operational, strategic, and compliance risks. This
involves a holistic view of risk across the entire organization.
2. Quantitative Risk Analysis:Advanced risk management often involves
sophisticated quantitative analysis to assess and quantify risks. Techniques
such as Monte Carlo simulations, scenario analysis, and stress testing
provide a more nuanced understanding of potential outcomes.
3. Cybersecurity Risk Management:With the increasing frequency and
sophistication of cyber threats, organizations need advanced strategies for
managing cybersecurity risks. This includes threat intelligence, continuous
monitoring, and incident response planning.
4. Climate and Environmental Risk:Organizations are recognizing the
importance of addressing climate-related and environmental risks. This
involves assessing the impact of climate change, regulatory developments,
and shifts in consumer preferences related to sustainability.
5. Supply Chain Risk Management:Global supply chains face various risks,
including geopolitical events, natural disasters, and disruptions. Advanced
supply chain risk management involves real-time monitoring,
diversification strategies, and the use of technology for visibility.
6. Reputational Risk Management:Protecting and enhancing an
organization's reputation is a critical aspect of risk management. Advanced
techniques involve monitoring social media, sentiment analysis, and
developing proactive communication strategies.
7. Model Risk Management:Organizations relying on models for decision-
making face the challenge of managing model risk. This includes validating
 models, ensuring accuracy, and understanding the limitations and
assumptions underlying the models.
8. Regulatory Compliance:Staying compliant with a complex and evolving
regulatory landscape is an advanced issue in risk management. This
involves understanding and addressing regulatory requirements across
jurisdictions and industries.
9. Behavioral Risk Management:Incorporating behavioral aspects into risk
management involves understanding how human behavior within an
organization can contribute to or mitigate risks. This includes addressing
biases, communication challenges, and cultural factors.
10. Crisis Management and Resilience:Advanced risk management includes
preparing for and managing crises effectively. This involves developing
robust crisis response plans, conducting simulations, and building
organizational resilience.
11. Third-Party Risk Management:Organizations often rely on third parties,
and managing the risks associated with these relationships is complex. This
includes assessing the cybersecurity posture of vendors, ensuring
compliance, and having contingency plans for third-party failures.
12. Emerging Technology Risks:As organizations adopt emerging
technologies like artificial intelligence, blockchain, and the Internet of
Things, managing the associated risks becomes crucial. This involves
understanding the unique challenges posed by these technologies and
developing risk mitigation strategies.
13. Data Privacy and Security:With the increasing emphasis on data privacy,
organizations need advanced strategies for managing risks related to the
collection, storage, and processing of personal and sensitive information.
14. Risk Culture and Governance:Building a strong risk culture and effective
governance structures is an advanced issue. This involves fostering a risk-
aware culture throughout the organization and ensuring that risk
management is integrated into decision-making processes.

CHANGING SCOPE OF RISK MANAGEMENT

STEPS IN Changing Scope of Risk Management

1.Identify the sources

The first step is to identify the sources of scope changes and uncertainties in your project.
These can include external factors, such as market conditions, customer feedback, regulatory
requirements, or natural disasters, or internal factors, such as unclear requirements,
incomplete design, resource constraints, or team conflicts. You can use tools such as
brainstorming, interviews, surveys, or SWOT analysis to gather information and identify the
potential causes and effects of scope changes and uncertainties.

2.Assess the impact

The next step is to assess the impact of scope changes and uncertainties on your project. You
can use tools such as risk matrix, probability and impact analysis, or Monte Carlo simulation
to evaluate the likelihood and severity of each risk and prioritize them according to their
potential impact on your project objectives. You can also use tools such as sensitivity
analysis, decision trees, or expected monetary value analysis to estimate the possible
outcomes and costs of different scenarios.

3.Plan the response

The third step is to plan the response to scope changes and uncertainties in your project. You
can use tools such as risk register, risk response strategies, or contingency plans to document
the actions and resources needed to prevent, mitigate, transfer, or accept each risk. You can
also use tools such as change management plan, change control board, or change request
form to define the process and criteria for approving and implementing scope changes in your
project.

4.Monitor and control

The fourth step is to monitor and control the scope changes and uncertainties in your project.
You can use tools such as risk audit, risk review, or risk report to track the status and
performance of each risk and its response. You can also use tools such as variance analysis,
earned value analysis, or trend analysis to measure the actual versus planned scope, schedule,
and cost of your project and identify any deviations or issues.

5.Communicate and update

The fifth step is to communicate and update the scope changes and uncertainties in your
project. You can use tools such as communication plan, stakeholder analysis, or
communication matrix to determine the frequency, format, and content of communication
with your project team, sponsors, customers, and other stakeholders. You can also use tools
such as lessons learned, risk register update, or change log to capture the results and feedback
of scope changes and uncertainties and incorporate them into your risk management plan.

6.Learn and improve

The sixth step is to learn and improve from scope changes and uncertainties in your project.
You can use tools such as post-mortem analysis, root cause analysis, or gap analysis to
identify the strengths and weaknesses of your risk management plan and process. You can
also use tools such as best practices, recommendations, or action items to implement the
lessons learned and improve your risk management skills and capabilities for future projects.

Risk Control -Risk Techniques

Risk control basically means assessing and managing the affairs of

the business in a manner which detects and prevents the business
from unnecessary calamities such as hazards, unnecessary losses,
etcetra that may occur
Risk control is the set of methods by which firms evaluate potential losses
and take action to reduce or eliminate such threats. It is a technique that
utilizes findings from risk assessments, which involve identifying potential
risk factors in a company's operations, such as technical and non-technical
aspects of the business, financial policies and other issues that may affect
the well-being of the firm.

Risk control also implements proactive changes to reduce risk in these

areas. Risk control thus helps companies limit loss. Risk control is a key
component of a company's enterprise risk management (ERM) protocol.

RISK CONTROL TECHNIQUES

Modern businesses face a diverse collection of obstacles, competitors,
and potential dangers. Risk control is a plan-based business strategy that
aims to identify, assess, and prepare for any dangers, hazards, and other
potentials for disaster—both physical and figurative—that may interfere
with an organization's operations and objectives. The core concepts of risk
control include:

 Avoidance is the best method of loss control. For example, after

discovering that a chemical used in manufacturing a company’s
goods is dangerous for the workers, a factory owner finds a safe
substitute chemical to protect the workers’ health. Avoidance,
however, is not always possible.
 Loss prevention accepts a risk but attempts to minimize the loss
rather than eliminate it. For example, inventory stored in a
warehouse is susceptible to theft. Since there is no way to avoid it, a
loss prevention program is put in place. The program includes
patrolling security guards, video cameras and secured storage
facilities. Insurance is another example of risk prevention that is
outsourced to a third party by contract.
 Loss reduction accepts the risk and seeks to limit losses when a
threat occurs. For example, a company storing flammable material in
a warehouse installs state-of-the-art water sprinklers for minimizing
damage in case of fire.
 Separation involves dispersing key assets so that catastrophic
events at one location affect the business only at that location. If all
assets were in the same place, the business would face more
serious issues. For example, a company utilizes a geographically
diverse workforce so that production may continue when issues
arise at one warehouse.
  Duplication involves creating a backup plan, often by using
technology. For example, because information system server failure
would stop a company’s operations, a backup server is readily
available in case the primary server fails.
 Diversification allocates business resources for creating multiple
lines of business offering a variety of products or services in different
industries. A significant revenue loss from one line will not result in
irreparable harm to the company’s bottom line. For example, in
addition to serving food, a restaurant has grocery stores carry its line
of salad dressings, marinades, and sauces.

Utilizing a Risk and Control Matrix (RACM) for

Effective Risk Management
A Risk and Control Matrix (RACM) is a valuable tool used by organizations
to better understand and optimize their risk profiles. It is a structured
approach that helps companies identify, assess, and manage risks by
mapping the relationships between potential risks and the corresponding
control measures implemented to mitigate them. The RACM allows
organizations to visualize and evaluate the effectiveness of their risk
control strategies and make data-driven decisions to enhance their risk
management practices.

The RACM typically includes the following components:

 Risk identification: The matrix lists all the potential risks an

organization may face, often categorized by business areas,
processes, or functions.
 Risk assessment: Each identified risk is assessed based on its
likelihood of occurrence and potential impact on the organization.
This assessment helps prioritize risks and focus resources on the
most critical areas.
 Control measures: For each risk, the matrix outlines the specific
control measures implemented to mitigate or reduce the likelihood
and impact of the risk. These measures can include policies,
procedures, systems, or other mechanisms designed to manage the
risk.
 Control effectiveness: The RACM evaluates the effectiveness of
each control measure, taking into account factors such as the level
of compliance, the adequacy of the control design, and the control's
ability to detect or prevent the risk from materializing.
 Action plans: Based on the assessment of control effectiveness, the
matrix may include action plans for improving risk control measures
 or addressing identified gaps in the organization's risk management
practices.

By creating and maintaining an up-to-date RACM, organizations can gain

a comprehensive understanding of their risk landscape and the
effectiveness of their risk control measures. This information can inform
strategic decision-making, guide resource allocation, and support
continuous improvement in risk management practices.

RCAM Example

Example of a Hypothetical RCAM

Business Risk Likelihoo Impac Risk Control Control Action
Area Description d t Rating Measure Effectivenes Plan
s

Finance Fraudulent Medium High High Implement Effective Regularly

transactions strong access review
controls access
controls

Regular Effective Increase

audits and audit
reconciliation frequenc
s y

HR Employee Low High Mediu Secure Effective Monitor

data breach m storage and for new
encryption of security
data threats

Employee Partially Enhance

training on effective training
data privacy program
practices

Operation Supply chain High High High Diversify Effective Expand

s disruption suppliers and supplier
sources network

Maintain Effective Adjust

inventory safety
safety stock stock
levels

IT Cybersecurit High High High Regular Effective Increase

y attacks security frequenc
updates and y of
patches updates

Employee Partially Improve

 training on effective training
cybersecurity content
practices

This RCAM example outlines different risk categories, such as Finance, HR, Operations,
and IT, and includes specific risks within each category. The likelihood and impact of each
risk are assessed, leading to an overall risk rating. Control measures are then listed, along
with an evaluation of their effectiveness. Finally, action plans are proposed to enhance risk
control measures or address identified gaps in risk management.

Keep in mind that this is just a simplified example, and an actual RACM for an organization
would likely be more detailed and cover a broader range of risks and controls.

Examples of Risk Control

Sumitomo Electric and Disaster Resilience

As part of Sumitomo Electric’s risk management efforts, the company developed business
continuity plans (BCPs) in fiscal 2008 as a means of ensuring that core business activities
could continue in the event of a disaster. The BCPs played a role in responding to issues
caused by the Great East Japan earthquake that occurred in March 2011. Because the quake
caused massive damage on an unprecedented scale, far surpassing the damage assumed in
the BCPs, some areas of the plans did not reach their goals.

Based on lessons learned from the company’s response to the earthquake, executives
continue promoting practical drills and training programs, confirming the effectiveness of
the plans and improving them as needed.1

British Petroleum Oil Spill

British Petroleum (BP) has implemented several risk control measures following the
Deepwater Horizon oil spill in 2010, which was one of the largest environmental disasters in
history. As a result of the spill, BP was subject to a $20.8 billion settlement with the
U.S. government and five Gulf states in 2015. The company has since strengthened its risk
management approach to prevent similar incidents in the future.

BP has focused on improving its safety culture, including conducting regular safety training
and drills for employees, investing in advanced technology for better monitoring and control
of drilling operations, and implementing rigorous safety standards across its global
operations. The company has also adopted a systematic approach to risk assessment and
management, which involves identifying, evaluating, and prioritizing risks and developing
tailored risk control strategies to mitigate potential impacts.

Moreover, BP has increased its efforts to promote transparency and stakeholder engagement.
The company now publishes an annual sustainability report that provides detailed
information on its safety, environmental, and social performance, as well as its progress in
implementing risk control measures. This openness allows stakeholders to hold the company
accountable for its actions and fosters a culture of continuous improvement in risk
management.

Starbucks' Supply Chain

Starbucks, a leading global coffee retailer, has implemented various risk control measures to
manage its supply chain risks. The company sources coffee beans from multiple regions
worldwide, making it vulnerable to fluctuations in supply and potential disruptions due to
weather, political instability, or other unforeseen events.

To address these risks, Starbucks has adopted a diversified sourcing strategy, which involves
procuring coffee beans from a wide range of suppliers across different regions. This
approach helps the company reduce its reliance on any single supplier or region, ensuring a
steady supply of raw materials and minimizing the impact of potential disruptions.

Furthermore, Starbucks has established a comprehensive set of supply chain standards,

known as the Coffee and Farmer Equity (C.A.F.E.) Practices. These standards cover various
aspects of coffee production, including quality, environmental sustainability, and social
responsibility. By working closely with its suppliers and conducting regular audits,
Starbucks can ensure compliance with these standards, thereby minimizing the risk of
reputational damage and potential supply chain disruptions.

In addition, Starbucks uses advanced supply chain management software to monitor its
global supply chain in real-time, enabling the company to identify potential risks early and
take appropriate action to mitigate them. This proactive approach to risk control has helped
Starbucks maintain its reputation for high-quality coffee and build a resilient, sustainable
supply chain that supports its continued growth.

How Does Risk Control Differ from Risk Management?

Risk control is a subset of risk management. While risk management is the overarching
process of identifying, assessing, and prioritizing risks to an organization, risk control
focuses specifically on implementing strategies to mitigate or eliminate the identified risks.
Risk management typically involves the development of an overall risk management plan,
whereas risk control addresses the techniques and tactics employed to minimize potential
losses and protect the organization.

Risk Financing
The process of determining how an organisation will pay for losses in an effective and least
costly way is called risk financing. It identifies risks, determines the ways of financing, and
monitors the effectiveness of the chosen financing method.Risk financing, basically, helps
a business to align the risks it is ready to take with its ability to pay for those risks. The
potential cost of their actions and the possibility of those actions leading them to reach their
goal must be estimated.
Businesses lay down their priorities to verify if they are taking the required risks to achieve
their goals. It is also important to examine if the right kind of risks is taken to reach these
goals, and the cost of taking such risks are accounted for financially.

Risk financing techniques include retention, noninsurance transfer, and insurance. Retention
involves setting aside funds from the organization's current income to cover potential losses.
Noninsurance transfer involves transferring the risk to another party, such as a reinsurer.

Insurance Market Dynamics

Insurance Pricing

Adverse claims trends pressured pricing upward across Auto and Casualty, while Cyber and
Directors and Officers experienced a softening market as incumbent insurers sought to retain
and grow their portfolios. Property pricing remained volatile due to concerns related to
inflation, high reinsurance costs, climate change and Natural Catastrophe exposures. USA-
exposed risk (on non-USA placements) remained challenged.
Insurance Capacity

Capacity was sufficient across most products and risk types as established insurers expanded
their appetite, and other insurers (re)entered markets targeted for growth. Capacity for
Natural Catastrophe-exposed Property risks remained constrained – and expensive – driving
continued use of alternative solutions including index-based products, self-insurance and
captives (see Natural Catastrophes Will Break Several Insured Losses Records).

Insurance Underwriting

As insurers focused on profitable growth, underwriting stringency gave way to flexibility, but
discipline continued. Underwriters focused on individual risk profile, controls and
performance. Risk quality and differentiation remained a top priority. Use of data and
analytics to support decision-making continued to gain prevalence. Superior results were
achieved through early engagement with insurers and robust submission details, including
descriptions of valuation methodologies, risk control practices, improvements implemented,
and lessons learned from past claims.

Insurance Limits

Most placements renewed with expiring limits and sub-limits; however, Property limits were
pressured upward by economic inflation, which, together with social inflation and “nuclear
verdicts”, also impacted Auto and Casualty limits. Larger limits were available on Cyber and
Directors and Officers placements as clients sought to restore limits reduced in recent years.
Detailed descriptions of Property valuation methodologies were required.

Insurance Deductibles

Expiring deductibles were achieved on most placements, although increases and minimum
deductibles were required on some poor-performing risks and higher-risk sectors. Decreases
were available on some well-performing classes and risks but were often declined by clients
due to incommensurate additional premiums.

Insurance Coverages

Coverage enhancements, supported by quality underwriting data, were available in areas

targeted for growth as insurers continued to leverage coverage terms as a differentiator. Some
exclusions remained non-negotiable.

Insurance Regional Market Dynamics

volve your insurance paradigms

Think strategically about insurance as a form of “rented capital” and consider it in your firm’s
capital allocation strategy.

Capital allocation is no longer limited to retirement planning and budgeting; business leaders’
approach to capital allocation has changed as theories have evolved and as tools of business
have matured.

Through this new, more strategic lens, firms can utilize insurance as a way to free up other
sources of capital that can be deployed to drive growth and profit.

Banks have been focused on capital optimization for a long time and now, with AI,
the Internet of Things (IoT) and advances in technology that have enabled the robust
identification and quantification of risk factors, the shift can happen more broadly.

Scrutinize and carefully manage your geopolitical risk

Review policy language, limits, sub-limits and deductibles related to Cyber, Terrorism, War,
Political Violence and Civil Unrest.

Insurers are implementing further limitations and exclusions – you may want to consider
purchasing specific coverage for Political Risk, Special Risks, Cyber, War, Terrorism, SRCC,
Travel, and Accident and Health. Talk to your Aon Team about Alpha – Aon’s global facility
for Terrorism and Political Violence coverage.

Reach out to your Aon team and to your insurer(s) if your covered location(s) or operation(s)
have sustained damage or if you believe business interruption has occurred.

Start the renewal process early

Underwriters are evaluating more information than ever. In addition, while escalations and
referrals have decreased in some parts of the market, they remain common and often require
longer lead times. Start the renewal process early to ensure you have sufficient time to tell
your story and respond to queries, and to provide underwriters sufficient time to properly
evaluate and price your risk.

Differentiate your risk

Insurers are focused on risk quality, and risk differentiation is key to achieving superior
outcomes.
Provide access to experts from across your organization. Step up in-person engagement
where appropriate.

Update values and other exposures

Inflation, rising labor costs, and supply chain disruptions have driven up property and
business interruption values while social inflation and changes in companies’ operations and
geographic footprints have impacted liability risk.

Work with your Aon team and across your organization to conduct a thorough assessment of
your exposures and valuation methodologies and ensure that sums insured, indemnity
periods, limits and deductibles are up-to-date and aligned.

This will help guard against underinsurance and avoid insurer-imposed limitations such as
margin and coinsurance clauses.

GLOBAL INSURANCE MARKET IN 2024

MARKET DYNAMICS AND TRENDS:

 Increasing Global Risks: There’s an intensified focus on the insurance industry’s

capacity to act as society’s “financial safety nets” against escalating global risks like
climate change and cybercrime. Insurers are transitioning from merely reacting to
risks to preventing losses from happening in the first place.​
 Technological Transformation: The industry is undergoing a shift to a more
customer-centric business model, requiring the adoption of advanced technology and
modification of company culture. This includes improving collaboration among
employees and increasing accessibility to customer data​​.
 Non-Life Insurance Sector: This sector is experiencing top-line growth through
higher-than-average price increases across most lines of business. However, rising
loss costs are impacting bottom-line profitability. The U.S. non-life market, in
particular, is facing one of the hardest markets in a generation, with record growth in
expenses and insurance rates​​.
 Life and Annuity Insurers: There’s a focus on core system modernization and
culture transformation. The sector is poised for a tipping point in 2024 as it becomes
increasingly digitized and customer expectations for relevant and holistic product
offerings grow​.

KEY INSURANCE PRODUCTS AND SERVICES TRENDS:

 Insurtech: Advancements in AI and machine learning are increasingly integrated into

insurtech for risk assessment, underwriting, and customer service. The demand for
 cyber insurance is growing, and there’s a trend toward hyper-personalized insurance
products tailored to individual needs​.
 Group Benefits and Health Insurance: There’s a growing trend towards more
personalized and flexible benefits packages. Mental health benefits are central to
group health plans, and there’s an increased focus on cost management strategies,
including the use of telemedicine and digital health services​.

REGIONAL TRENDS AND PREDICTIONS:

 Strategic M&A Activity: Insurance companies are expected to transition to a more

strategic approach in mergers and acquisitions (M&A), likely divesting non-core
businesses and acquiring those offering new capabilities, particularly in the insurtech
space​
 Generative AI Integration: The integration of Generative AI is anticipated to
transform operations and cut costs, enhancing communication with policyholders,
streamlining claims processing, and reducing fraudulent activities​​.
 Talent Shortage and Risk Mitigation: The industry faces a talent shortage,
particularly in technology expertise. Companies are focusing on attracting tech-savvy
talent and upskilling current employees. There’s also an emphasis on mitigating risks
related to climate change, cyber threats, and social inflation​.

LOSS FORECASTING

As noted, a risk manager must also identify the risks the organization faces, and then analyze
the potential frequency and severity of these loss exposures. Although loss history provides
valuable information, there is no guarantee that future losses will follow past loss trends. Risk
managers can employ a number of techniques to assist in predicting loss levels, including the
following:

 Probability analysis

 Regression analysis

 Forecasting based on loss distributions

 The user input matrices would differ in their frequency ranging from a month to one
year. The forecasted period is based on the least available frequency to five (5)
periods for rating based and twenty-four (24) periods for days-past-due (DPD) based.
The loss forecasting procedure is computed as follows:
 Determination of Min Frequency: Minimum frequency period of the matrices for
both rating-based and days-past-due-based is used as an input for the Poisson process,
to bring down all the other matrices to the common platform of frequency.
 For example: For a given set of exposures if the matrix frequency period ranges from
Monthly, Quarterly, Half-yearly to Yearly, the minimum frequency period of all the
matrices available (monthly) will be used as a base frequency for the other matrices to
undergo the Poisson process. The forecasting is done for five (5) months for rating
based and twenty-four (24) months for DPD based, excluding the current period.
 Loss forecast for Current Period: For current period values, the LLFP application
will just populate the summation of the values on the given dimension. This will not
need any matrix intervention. Normally, the loss forecast is done on predetermined
dimensions like product type, product, asset class, and so on. Hence, while reporting
the current period; LLFP will sum up the values across the selected dimensions for
both exposure count and exposure amount level.
 Poisson Parameter: The Poisson process is initiated after the successful assignment
of Individual exposures undergoing the Expected Loss or Incurred Loss approach to
the transition matrix. The matrix is assigned based on predetermined dimensions,
Customer type, product type, and currency. All the matrices irrespective of the
frequency applicability will undergo the Poisson parameter.
Poisson Parameter = 1-exp (-?) = ?; where ? = the probability of default values for a
given period.
 Calculation of Probability of Defaults: The default values for the forecasted period,
5 periods or 24 periods, are loaded by using time-homogeneous and time-non-
homogeneous matrices. For those matrices with variant frequency, the Poisson
process of decomposition is used to trickle down the matrices to a common platform
of frequency and then loaded for the respective periods.
 Customer count & Exposure amount: The LLFP application supports the forecast
based on the customer count and exposure amount. Under the given dimensions,
Product Type, Geography, and so on, the sum of exposures or amount of exposures is
multiplied with the corresponding default values. For the second consecutive period,
the output of the first period is multiplied by the corresponding default values and so
on.