Businesses today must protect themselves against a number of different risks, but it isn’t always easy to plan for the unexpected. How do you mitigate risk to protect your company, your clients, and your investors? It starts with an understanding of risk management, risk management processes, and insurance coverage that may—or may not—be available for each type of risk.
As Douglas Morrow, CEO, Excel Insurance Group Inc., explains, “There are two kinds of risk, speculative risk and pure risk. The difference between the two is that pure risk presents no chance of profit, only a chance of loss—those are insurable risks. But with speculative risk, where there is a chance of profit or a chance of loss, you simply have to ‘hope for the best, plan for the worst,’ to quote Lee Child. All you can really do is try to look for trends, either in your business, in the economy or in the direction of government, and try to build an organization that is resilient—but you certainly can get caught out. There are no guarantees.”
“It is part of the risk management process to help businesses separate these types of risks into what you can buy insurance for and what you have to try to build internal resilience against,” he adds, outlining the basic steps of risk management theory: “1) talk about and identify the various risks that face the company; 2) minimize those risks with internal controls, safety programs, financial deposits or investments; 3) make decisions about which risks may be assumed and/or managed internally; and 4) transfer the remaining risks to an insurance company to the extent that insurance is reasonably available.
“Successful businesses have to be structured both from an organizational and financial perspective so they have the resilience to be able to survive in a fast-changing world.”
Morrow continues, “There are a number of risks that companies already know to protect themselves against, for instance, property and liability risks, but there are also some emerging risks of which business owners should be mindful. The number one emerging trend is cyber liability. If your business gets hacked by some outside party, your whole IT system could be held hostage, or it could involve access to your customer records or banking details. Financial losses, damages, and costs are the largest impact of cyber risk, but secondary can be a loss of reputation or trust. If customer information is compromised, it can really affect the future of the business.”
Cyber crime and liability insurance can help, but in addition, Morrow points out, “Public relations support can shape how the company represents itself after a cyber attack, and that can be crucial to business recovery.”
“Another risk that is often overlooked is directors’ and officers’ liability—financial liability for decisions that are made by directors and officers. The interesting thing about D&O insurance,” says Morrow, “is that the D&O insurance policies that are in force today will cover decisions that were made years ago; the company remains protected as long as they originally carried directors and officers liability back when the decisions were made, and as long as insurance has continued in force to present day without any interruption.”
As Morrow advises, in the area of speculative risk, there are areas for which no insurance is available. One of these that can have a huge impact on companies is the risk of government policy change.
In most cases, however, as the City of Edmonton explains, the government does take steps to make decisions regarding policy changes as transparent as possible to allow businesses time to plan safeguards before those policies come into effect.
“The City of Edmonton’s primary risk management tool is open and transparent communication. To facilitate this, we identify and report on the top 10 risks (Risk Register) annually each November, providing Council, the public, and the business community with the City’s primary strategic risks, as well as the mitigation strategies that are being undertaken to address these risks.
“Additionally, to mitigate risk and uncertainty, before implementing any changes to City policy, we participate in extensive public engagement to obtain feedback, to ensure we act in a transparent and predictable manner, and to provide ample notice to the business community and the public at large.”
“Through our Economic Development teams,” the City of Edmonton adds, “we run a number of programs that are intended to support small businesses through periods of economic and government change. We also have a role as a community facilitator where we try to address concerns brought to the City by the business community, and when appropriate and aligned with municipal interests, we work with the provincial and federal governments accordingly.”
Companies, however, aren’t the only organizations to experience the risk associated with changing economies, changing governments, and changing policies. As Andrew Leitch, director, ERM Programs, University of Alberta, points out, “Universities are affected by the same things affecting the provincial economy generally.”
“We are affected in ways too numerous to count,” Leitch explains, “starting with the potential for diminished resources when the economy slows. It can affect everything from what programs our students want to our ability to recruit outstanding academic staff and attract research funding, which is critical to what we do. The most significant risk right now is that universities, which are slow to change, struggle to move quickly enough to respond to resource changes and the changing expectations of government. Post-secondary institutions will be affected differently by this risk, depending on their size and mandate. As the largest, oldest, and probably most complex university in the province, the University of Alberta will have significant challenges. At the same time, however, these qualities have helped us develop an incredible range of capabilities. We must ensure we align our capabilities, including our resources and energies, most effectively.”
“Part of risk management at the enterprise level is to evaluate uncertainty in a way that includes both the bad things that may arise as well as the good things – the opportunities,” Leitch continues. “In these uncertain times in Alberta, there are things to worry about, of course, but for universities, there are tremendous opportunities as well. We have opportunities to increase our efficiency and effectiveness while making a significant contribution to the success of all our stakeholders.
“As we contemplate the next few years, we need to have plans in place for various funding scenarios. We also have to ensure we have the leadership and governance mechanisms that permit us to adapt as needed.”
“Many risk events are unavoidable,” Leitch agrees, “so you need to focus on the mitigation of those risks. This can be accomplished by such things as effective long-term planning, development of various scenarios, effective communication plans, stakeholder engagement strategies, and response plans and strategies.”
He concludes, “Effective risk management is about taking on and managing risk in order to advance the objectives of the organization. There should be a direct link between strategy and risk management: if the strategy is about what you want to get done, then risk management is about making sure you can succeed. We don’t see risk as something to protect ourselves from. It is something to manage. When we do it well, our eyes are open to our constraints and the possible hazards, but also to our strengths and possible opportunities.”