Oct 14, 2019

Organizations are witnessing an unprecedented pace of change in their risk exposures, but too many risk management functions haven’t fully adapted. The consequences are profound and often under-recognized. How did this come about, what additional changes are likely, and what can the risk manager do about it?

The typical risk management function was formed to manage workplace injuries, public liability claims and motor vehicle accidents, and to oversee an insurance portfolio and related service providers. Beyond a couple of core functions, the staff is typically too small for meaningful specialization. Technology tools are oriented toward recording, summarizing and analyzing claims in a relative handful of loss categories. Reactive activity is the norm despite wishes to the contrary. On most days the staff goes home frustrated, wishing they had more organizational influence and more time to pursue difference-making initiatives.

None of the “traditional” risks have gone away, and the stream of events that must be responded to isn’t diminishing. But in the midst of this daily activity stalemate, the organization’s exposure portfolio is most likely growing in complex and unprecedented ways. Why? There are at least two critical reasons:

  • Disruptive technology. As digits replace bricks and mortar, they take costs out of just about every activity and make possible things that were barely thought of just a few years ago. This unstoppable trend can have serious consequences. New and different things can, and do, go wrong. Risk is aggregated and concentrated in ways not previously contemplated, and organizations can be held responsible in ways not previously experienced.
  • Changing expectations. The second reason is very much related to the first: Society’s experiences and expectations are changing. People feel detached from large organizations, if not downright adversarial. Although users enjoy the benefits of technology, they dislike the feeling of powerlessness that seems part of the package. People are often disappointed in the behavior of organizations, and with the growth of social media, their complaints have new ways of being heard. Meanwhile, the political environment has become toxic and polarized, prompting new levels of regulatory inconsistency at the state and local level.

At the same time that adverse events can become more widely known than ever before, society has diminished tolerance for real or perceived harms. This is true of not just cyber breaches or privacy invasions. Workplace injuries and tort-based losses are increasingly unacceptable, a sign of the failure of an organization to honor its basic obligations to society and its own workforce. As injury rates continue their long secular decline (a phenomenon driven in no small part by technology), such events will increasingly become outliers. The financial consequences will be larger, the sanctions more punitive, and the victims’ megaphone even louder.

Threat plus opportunity

The deflationary impact of technology forces organizations to reduce costs (with the risk management operation in no way exempt) at the very time that they must manage risk more effectively and thoroughly. In such an environment, yesterday’s risk management practices aren’t good enough. This constitutes both a threat and an opportunity for the risk manager.

Some risk managers must upgrade their skillset. This doesn’t mean deep expertise in matters such as cybersecurity, data privacy, employment law, global trade regulation and wage-hour law, but rather enough competence and vision to engage the leaders of relevant functions and establish a coherent risk management strategy for all significant risks.

As the risk environment changes, the risk manager’s role can become vulnerable. Internal issue ownership tends to be settled only after matters reach a certain degree of financial and transactional significance. Before that time, it may be seized by whoever steps up to take control. If the risk managers aren’t in the mix, then their role and significance may be permanently diminished. Be the affirmative and preemptive voice, clearly linking societal trends to organizational risk and setting forth a coherent plan of how to address the changing environment.

Look beyond insurance

There is no substitute for the ability to transfer millions of dollars of financial risk at a price that represents a small fraction of the potential loss exposure. Nor are insurers standing still — there are dynamic and mature markets in areas that essentially didn’t exist a decade ago. But insurance is not a particularly elegant way of dealing with matters such as damage to reputation, regulatory sanctions or destruction of market capitalization

Loss control may need to expand into new realms. Most organizations have a reasonably effective and sophisticated loss control function, but it’s probably assigned to specific areas such as facility fire protection and enforcement of key safety policies and practices. What about ensuring a respectful work environment or compliance with trade sanctions? How about privacy and security awareness? Has the practice addressed processes and organizational dynamics, as opposed to claim-based subject matters?

Technology tools must be proactive while promoting efficiency. Organizations certainly need top-notch risk management information systems to deal with financial audits, internal reporting and endless demands from customers and counter-parties for certifications and attestations. But these systems and their analytical tools are fundamentally reactive: They record and report on matters that have already occurred. If the risk manager is going to deal with a new spectrum of issues at the same time that budgets are frozen and expectations are heightened, tomorrow’s risk management technology must offer time-saving efficiencies, bring forth insights and resources not previously available, help ensure compliance, and enable risk assessments before, not after, losses occur.

Align with corporate strategy

Finally, risk management ultimately must be incorporated into corporate strategy. If the organizational mindset reflects a deep split between “hazard” losses (which are the province of the risk manager) and “strategy” risks (where the risk manager is not even part of the dialogue), then a profound spectrum of loss exposure is most likely under-addressed. If this dichotomy is preserved, there is little likelihood of the risk manager being regarded as a critical resource, let alone part of the executive leadership team. The organization’s senior leaders are just as busy as the risk manager, and they might welcome some insightful advice concerning how to enhance the corporate strategy risk dialogue.

In these and other ways, the changing risk environment presents not just new challenges, but new opportunities. When seen in this light, there has never been a better time for the risk manager to be a difference-maker who reduces costs, improves the organization’s risk profile and ensures that people go home safely so that they can continue to pursue their mission and aspirations.

As published in PropertyCasualty360