Do you want to know what risk to manage in your business?…just follow the money!
Risk can be defined as an exposure to a loss of which one is uncertain. We can reduce risk by reducing the exposure (what we have at risk) or by acquiring more information (reducing uncertainty). Traditional risk management focused on activities revolving around the purchase of insurance. Enterprise risk management, on the other hand, looks at risk management in a broader way, considering all risk management activities that the organization performs.
Activity-Based Risk Management© is a business method developed by INSIGHT, with an enterprise risk management approach, to help companies meet their goals and objectives by acquiring information about the exposures associated to the company’s resources, activities and products ; and then, by performing a series of risk management activities to reduce those exposures. Activity-Based Risk Management© uses a rational and systematic way to identify risk by following a company’s money flowing down from resources, to activities, and finally to products; and then determining the exposures associated with them. In other words, we look at the risk associated with what the company buys (resources); does (activities), and sells (products).
The Activity-Based Risk Management© process is divided into the following steps:
I. Collect/Update Company Information
We start the process by collecting, or updating (if the process is triggered by a new event) information about what the company buys or brings into the business (resources); what the company does with those resources (activities); and what the company finally sells (products). In other words, we just “follow the money” flowing from resources down to activities and finally to products. Company’s resources like cash, buildings, equipment, vehicles, raw material, labor, energy and others, can be obtained from the general ledger. Activities like assembling, packaging, shipping, hedging, purchasing, recruiting and others, can be obtained by identifying what the company does internally (within the organization) with those resources. Products are whatever the company offers for sale. These can be products or services.
II. Identification and Grouping of Exposures
The next step is to identify and group the exposures that are associated with a company’s resources, activities and products. These exposures are based on what the company has established as their goals and objectives. We’ll group these exposures into three categories: resource related, activity related and product related.
1. Resource Related Exposures Also known as market or environmental exposures, are usually caused by external sources; the company has little or no control over their outcome; their linkage between cause and effect is usually hidden; they cannot be eliminated; and every other business in the same market has them.
Under step 1 above, we already identified our resources by bringing them from the general ledger. Now, based on a company’s goals and objectives, we are going to determine what exposures we have associated with each of those resources. We start by separating those coming from the Balance Sheet and the Income Statement, which usually have to do only with rate changes (price) or product availability (quantity).
Balance Sheet Exposures
- Cash – let’s assume that of the company’s objectives is to keep as much cash as possible at any given time. One resource exposure would be to have it in the right currency; or to have it in the right place (secure).
- Inventory – one inventory exposure could be from a loss as a result of a fire or a natural disaster. Other exposures would be losses in inventory value due to market depreciation.
- Buildings – similar to inventory exposures but less sensitive to market price depreciation.
- Accounts Receivable – a large A/R exposure is loss due to defaults from credit accounts (credit risk).
- Accounts Payable – one exposure here could be losses due to increase in interest rates from borrowed money.
- Long Term Debt – one exposure could be the inability to borrow money, at allow interest rate, on a long term basis (debt financing).
- Retained Earnings and Dividends – one exposure could be due to changes in government taxation on capital gains.
Income Statement Exposures
- Revenues (Sales) – one exposure could be due to the company’s assets not keeping up with sales growth.
- Raw Materials Cost – exposures to product availability (supply) and changes in unit price.
- Labor Cost – exposures to skills available in the labor market, minimum wage laws, unions, employment related litigation, and others.
- Energy Cost – exposures to energy price fluctuations as well as environmental law limiting emissions.
2. Activity Related Exposures Also called man-made exposures, these are the ones created each time the company performs an activity to increase revenues, reduce cost, or even, mitigate risk . Because they are caused by internal sources (people or equipment in the company); companies have some control over the outcome, especially those exposures from activities performed by the company for many years; linkage between cause and effect can be easily traced; they can be eliminated by doing nothing ; and they are unique to each business.
Activity related exposures can be grouped into categories like strategic, financial and operational, or activity centers like Procurement, Production, Marketing & Sales, Human Resources, Purchasing, Financing and Accounting, or Risk Management.
One very important set of activity related exposures to watch for are the ones created when we perform an activity to mitigate risk like hedging, subcontracting or outsourcing, insurance purchasing, claims management, litigation, safety management, business continuity planning and others.
3. Product Related Exposures Same as resource related exposures, they are also known as market or environmental exposures. They are caused by external sources; the company has little or no control over their outcome; linkage between cause and effect is usually hidden; they cannot be eliminated; and every other business in the market has them.
These exposures are the ones associated with the products (output) of the company. Here we are concern about those exposures after the product has left the company (sold) , until it reaches the ultimate user (consumer). For service providers, this refers to exposures after the service has been performed.
Exposures under this category not only include those products and services for which the company gets paid. For example, if a bagel producer decides to donate some of its “out-of-grade” bagels to a school, the exposure to be held liable for getting some children sick still exists. If a company gives away its waste to a recycling company, it could still be held liable for the environmental damages that its waste can cause. If a doctor volunteers work at the church and a person dies while he is performing CPR on her, his exposure to litigation is still there.
Click here to see a sample of a product exposure.
III. Activity-Based Risk Analysis
After identifying and grouping the company’s exposures in each category (resource, activity and product), now we need to determine how large our exposure is (how much we have out there at risk) for each resource, activity and product; what would the impact be of doing (or not doing) something about it; and what is the likelihood of an unwanted outcome (something bad happening). The tables below show a sample criteria that can be used to determine the likelihood and impact of a particular exposure.
IV. Activity-Based Risk Mitigation
This is the most important step in the Activity-Based Risk Management© process. Here is where we decide what risk management activities we need to perform to reduce a company’s exposures (associated with its resources, activities and products) to not meeting the company’s goals and objectives. Below are some of the activities we could perform to mitigate risk.
Hedging – usually used by companies to manage the risks that arise from high volatility of energy prices, can also be used to reduce exposure to price risk for revenue and expense related fluctuations. As long as we know the quantities of the resources we need to buy (or sell), we can hedge this risk by purchasing derivatives like futures, forwards, swaps, options or any contract to keep future unit prices and quantities fixed. We could hedge exposure to energy prices by purchasing future contracts; to raw materials price availability by buying forward contracts; or to labor cost changes, by signing operating and maintenance agreements.
Insurance – consider the most expensive way to transfer risk. Insurance should only be used to reduce the exposure to catastrophic property and liability losses. Insurance can reduce resource related exposures (buildings, equipment, vehicles, inventories); activity related exposures like employer’s practice liability exposures; work related injuries (WC); and other legal liability exposures; and product related exposures like (product liability coverage and completed operations coverage. Insurance can be also used to complement other risk management activities like in the case of business interruption coverage, for the continuity of operations plan (COOP) of the company’s business continuity plan (BCP).
Subcontracting (Outsourcing) – this risk management activity is usually performed to reduce cost and risk at the same time. It is also the largest source of uninsured or underinsured exposures. One reason is because although the reduction in cost can be easily measured, the reduction in risk cannot. Another reason is because this risk management activity usually brings a series of unknown exposures that can take time to be identified by the company. We can only mitigate risk that we can perceive. Contractual risk management is critical to subcontracting (outsourcing).
Business Continuity Planning (BCP) – like all of the above, this risk management activity can represent a series of activities to keep the business going in case of the lost of one or more of the company’s critical functions as a result of a natural or man-made hazard. The exposure to total business shut down is probably the largest of all business exposures. One way to mitigate this risk is to develop a Business Continuity Plan (BCP) that includes an Emergency Response Plan (ERT) showing how the company will respond to an emergency; a Business Impact Analysis (BIA) showing how bad to the business the emergency was; and finally, a Continuity of Operations Plan (COOP) showing how we get back to work.
Claims Management & Litigation – one of the largest exposures for US corporations is the risk of expensive litigation. The activity of claims management can increase or decrease this exposure. One way is to assume that each claim may end up in litigation; manage the claim to avoid it but be prepare in case litigation becomes unavoidable.
V. Activity-Based Event Trigger
Risk management is an on-going process 24/7, 365 days/year. New exposures associated with companies resources, activities and products can appear anytime. Any event that creates new exposures will trigger the Activity-Based Risk Management© process and restart it again. Events like sudden changes in natural gas prices or forecast of severe weather conditions. For example, the risk manager could be notified by accounting each time a new asset is added to balance sheet, or before terminating an employee, who could be a key witness in an ongoing litigation.