why risk so much for so little
DESCRIPTION
An exceptional read, from the author Mimile Mukuna Maisha, released March 2012. A very informative, and very useful approach for business owners to prevent business failure by managing risk.TRANSCRIPT
Why Risk So Much For So Little?
WHY RISK SO MUCH FOR SO LITTLE
Copirght©2012 by Mimile Mukuna Maisha
ISBN: 978-0-620-53170-2
.
Printed in South Africa
ALL RIGHTS RESERVED
No part of this publication may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means—electronic,
mechanical, photocopying, recording, or otherwise—except for
brief quotations in printed reviews, without the prior written
permission of the author
For information:
Contents Foreword ix Acknowledgements xi Introduction xiii PART ONE ENTREPRENEURSHIP, More than just RiskTaking 1
1. AFRICAN BUSINESS CHALLENGES 9 2. Entrepreneurial Deficiencies 9
The Concept of Entrepreneurship 9 The Critical Evolution 10
3. AFRICAN BUSINESS CHALLENGES 12 4. Poor Corporate Entrepreneurship 12
What is “Intrapreneurship” 12 Features of Intrapreneurship 13 Difference between an Entrepreneur and an Intrapreneur 13
5. AFRICAN BUSINESS CHALLENGES 15 6. The Adverse Business Environment 15
The Business Environment 15 Micro/Operating Environment 15 Macro/General Environment 16
7. SOUND BUSINESS PRINCIPLES 18 Introduction 18 Imperative Business Principles 19
8. AFRICAN BUSINESS MERCENARIES 21 The Mercenaries’ Survival Techniques 21 The Survival of the Fittest? 22
9. OVERCOMING FAILURE 24 Entrepreneurial Resilience 24
10.PLANNING FOR SUCCESS 28 Integrating Business Plans, Strategic Plans and Risk Management 28
11.SCENARIO PLANNING 31 Preparing for the Future 31
12.THE CONCEPT OF RISK 34 Defining business risk 34
The Right Perspective 34 Objective risk 35 Subjective risk 35
13.THE CONCEPT OF RISK MANANAGEMENT 37 What Risk Management is Not 37 What is Risk Management 38
14.ETHICS AND RISK MANAGEMENT 40 15.RISK COMMUNICATION 42 16.PRELIMINARY STEPS 45
Overview 45 Communicate and Consult 45
17.IDENTIFYING RISKS 46 Introduction 46
18.ANLYSING RISKS 47 Introduction 47
19.RISK EVALUATION 48 Introduction 48 ALARP as an Essential Risk Evaluation Method 48
20.RISK RESPONSE PLANNING 49 Introduction 49 Terminate/Avoid risk 50 Treatment/Control of Risk 51
Frequency Reduction 51 Severity Reduction 52 Passive Retention 53
Transfer Risks 54 Contractual and non-insurance transfer 54
Risk Financing 55 Introduction 55 Retention 56 Conclusion 57
Alternative Risk Financing 57 21.IMPLEMENTING 59 22.THE RISK MANAGEMENT PROCESS 59
Introduction 59 23.THE COST OF MANAGING RISK 61
Risk Management Administrative Costs 61 Retained Losses 61 Insurance Premiums 62 Loss Control and Safety Costs 62 External Services Costs 62
24.DOCUMENTING 63 25.THE RISK MANAGEMENT PLAN 63
Risk Management Plan 63 Contents of a Risk Management Plan 63
Executive Summary 63 Risk Policy Statement 63 Introduction 64 Risk Register 64
26.ENTERPRISE RISK MANAGEMENT 65 27.The Next “Under construction” Level 65
Introduction 65 Conclusion 66
Foreword
There are many different risk management books available. Often times these
books are unnecessarily technical or written for an academic audience. As both a
risk management expert and entrepreneur, I have endeavoured to write this book
from risk management’s best practices and personal business experience in Africa
in a way which African entrepreneurs and business executives can relate.
This book has been inspired by the consequences of my own failures to identify
and manage the risks I have encountered in my business ventures in Africa and
especially in my native country. The failures of other African entrepreneurs and top
managers that I have observed support my conclusion that African business
owners and executives must not have a high risk appetite, but instead a well
measured risk tolerance. Often it is not business risks that bring down a business,
but the entrepreneurs or executives who fail to adequately respond to these risks.
Hence, the most important risk they should guard a business against, is
themselves.
It is also my view that the most successful entrepreneurs or business
executives are not the ones who can prevent their business from failure, but the
ones who can comeback from failure.
I hope you find this book as interesting and relevant to read, as I found writing
it!
ix
Acknowledgements
Writing this book took some of my attention away from my two children,
my daughter Mia and my son Maël. I am sorry that for almost a year I have
failed to give you the best of me. You are my precious treasures. You bring me
so much joy, strength and purpose that you could never imagine; being your
father is my greatest pleasure and reward. The mistakes you should avoid and
the principles you should uphold when or if one day you run or own your
own business, have motivated me to write this book.
Eudoxie, we have lost some battles in the past but we both know the “war”
will be won. Your kindness has enabled me to close the most difficult chapter
of my life and to therefore concentrate on finishing this book. Thank you for
being you.
This book, like everything else I have achieved in my life, is the result of
Grace through which I have received the inspiration and support of very
special people I have encountered in my professional and business life. I
extend my deepest gratitude and thanks to:
My long-time friend Collin Griffiths. Collin was instrumental in my
employment at Munich Re in the early nineties. Without him, I probably
would not have known much about insurance, reinsurance or risk
management. For many reasons, including for his support when I was the
Managing Director of Compania Geral de Seguros de Moçambique, I am
indebted to him. His unwavering belief in me has always given me the
strength I needed to overcome professional difficulties. It is that same strength
that I have drawn from to write this book.
My late friend and business partner Billy Saad. Billy helped me set up
Continental Risk Management as a Division of his company, Maritime
Brokers and Consultants. He opened the doors to my career as a risk
management consultant in Africa. He found my memos and reports to be
rather literary and as a result, told me on more than one occasion that I should
write a book about my professional and business experiences in Africa. Billy, I
owed it to you to write this book.
My former colleagues at Eikos Risk Applications. It would have been
impossible for me to write this book if it was not for the experience I gained in
my interactions with these risk management and risk financing experts. They
helped my career evolve to a level that has enabled me to provide pertinent
xi
consultancy work internationally. This book is somewhat a fruit of many of
their thinking.
Sydney, Sophia, Aberi, Brad and Jabu Stone, our friendship has not just been
about helping one another to see beyond circumstances but most importantly
to stay beyond them. Because of your friendship, I was more emotionally
equipped to finish this book earlier then I could have.
And finally, thanks to all of the entrepreneurs and other participants who
attended my seminars these past few years for sharing their experiences and
thoughts with me. Your heroic efforts in dealing with the African business
challenges, your enthusiastic attempts to respond to business risks, and the
remarkable lives you have all created are the inspiration that led me to write
this book and share your experiences with others. Thank you for being the
models of vision, discipline, purpose, passion and responsibility that Africa so
desperately needs.
In Part Two, I have drawn information from three main sources. These
include: Triple Bottom Line Risk Management by Adrian R. Bowden,
Malcolm R. Lane and Julia H. Martin; Risk Management and Insurance (9th
Edition) and Integrating Corporate Risk Management by Prakash Shimpri.
I conducted most of the research alone and therefore I take the
responsibility for any errors that I may have unintentionally made in the book.
xii
INTRODUCTION
Termites are small insects that are highly organised and very cooperative
in their search for food and in building their colonies. They are hardworking,
intelligent and capable of astonishing accomplishments such as building huge
mud towers, hollowing trees, moving vast amounts of soil, and… devouring a
house.
Whether a house is in stucco, brick or wood, once termites enter they hide
away in all kinds of crevices in the walls and ceilings, working day and night
eating anything made of wood, synthetic materials, plants and cotton. They
may also attack stored food, books and household furniture. Over time, their
damage weakens the structure of the house and eventually leads to the
collapse of the building.
If you intend on investing in a home situated in a termite-infested area,
you should be certain that your house will suffer termite attacks. What will
however be uncertain is whether these attacks will result in any damage,
which, if it happens, might negatively affect your objective of having the
house as a sound investment.
Likewise, if you intend to start or grow a business in Africa, you should
recognise that it is certain that your business will endure particular adversities
which I would refer to as African business challenges such as corruption, poor
infrastructure, political instability, high inflation or entrepreneurial
deficiencies. What will however be uncertain are the negative effects that these
challenges might have on your business objectives if they eventuate.
The damages or negative effects which if they occur, will prevent the home
owner in a termite-infested area or the entrepreneur in Africa from achieving
their objectives constitute the risks that they may potentially face because they
are uncertainties. Termite attacks for the former and the well-known African
business challenges for the latter cannot be considered as risks since, in both
instances, they are certainties. A risk is an event or an outcome that may
occur, in other words it is an uncertainty.
However, for a risk to be considered relevant in any activity, it must be
deemed so in relation to the activity objectives that may not be achieved if
such a risk occurs. I refer to these objectives as the “objectives at risk”, a
distinct concept that can be used as a simple tool to identify the real risks or
the uncertainties that matter in any given activity.
xiii
For instance, in Noah’s mission to save two of every kind of creature from the
flood that God had ordained he would have easily identified his real risk by
establishing his “objective at risk”, which was to keep the ark afloat until the
flood had receded. Presuming that in his mission Noah also had to save
termites, he would have, for example, understood that the real risk for him
considering his objective at risk was not the presence of termites on board the
ark but the potential damage that these termites could inflict to the ark. In a
business context, if an entrepreneur intends to introduce a product due to the
insufficient supply of the product in the market, one of his main “objectives at
risk” would be to ensure that the product is profitable in the long run. With
this “objective at risk” in mind, he will be able to understand that the real risk
for him is not a potential lack in demand of the product but rather to have a
product that may not satisfy customers due to its low quality or poor customer
service.
Establishing their “objectives at risk” should therefore be a matter of
priority for African entrepreneurs, to be able to adequately identify the real
risks their businesses are exposed to. They should also have a good
understanding of the different kinds of the challenges that create risks to
businesses in Africa, because just as each termite specie causes a different type
of damage, different challenges give rise to distinct business risks. Sound
business practices can however assist them in putting their businesses on a
firm footing and in the direction of success in spite of the African business
challenges, but only the effective management of risks can help them ensure
that their business objectives are achieved and, as a result, their business
success is guaranteed.
xvi
PART ONE
ENTREPRENEURSHIP More than just risk-taking
1
AFRICAN BUSINESS CHALLENGES Entrepreneurial Deficiencies
The Concept of Entrepreneurship
The present chapter is an examination of African entrepreneurial deficiencies
with a purpose of helping understand their effects on African business failure.
For this examination to be precise, it is important to understand that
entrepreneurial deficiencies relate to the challenges that originate from
entrepreneurs themselves and are usually evident in their decisions, actions,
approaches, thinking in or about the business they own.
It is however relevant, before we explore these deficiencies to discuss what
the word entrepreneur means. But at this stage I need to state that by
“entrepreneur” I also refer to corporate managers who in my view should
become more “intrapreneurs” or “corporate entrepreneurs”. I will expand on
the concept of intrapreneurship in chapter two.
“Entrepreneur” originates from the French word “entreprendre” which is
composed of two words, “entre” i.e. to enter or to go into, and “prendre” i.e. to
take. But its translated meaning is to “undertake”. In a business context, it
means a person who is willing to assume the responsibility, risk and rewards
of starting and operating a business.
The concept of entrepreneurship has a wide range of meanings. On the one
extreme and entrepreneur is a person of very high aptitude who pioneers
change. On the other extreme, anyone who wants to work for himself is
considered to be an entrepreneur.
It is difficult, if not impossible, to define what an entrepreneur is. The word
itself is best used in the past tense to describe a successful business person.
However defined, the entrepreneur is the key to the successful launch and
operation of any business.
The major characteristics of entrepreneurs that have been listed by many
experts include:
• Self-confident and multi-skilled. The person who can make the product,
market it and count the money, but above all they have the confidence
that lets them move comfortably through unchartered waters.
• Confident in the face of difficulties and discouraging circumstances.
• Innovative skills. Not an “inventor” in the traditional sense but one who
is able to carve out a niche in the market place, often invisible to others.
• Results-orientated. To make be successful requires the drive that only
comes from setting goals and targets and getting pleasure from
achieving them.
• A risk-taker. To succeed means taking measured risks. Often the
successful entrepreneurs exhibit an incremental approach to risk taking,
at each stage exposing themselves to only a limited measured amount
of personal risk and moving from one stage to another as each result is
achieved.
• Total commitment. Hard work, energy and single-mindedness are
essential elements in the entrepreneurial profile.
However, two warnings need to be attached to this partial list of
entrepreneurial qualities. Firstly, thinking that the individuals can be
successful entrepreneurs on the basis of such a set of attitudes and skills is not
a foregone conclusion. The same traits shared by two individuals can often
lead to vast different results: successful and unsuccessful entrepreneurs can
share the characteristics commonly identified. As well, the studies of the life
paths of entrepreneurs often show decreasing “entrepreneurship” following
success, which tends to disprove the centrality of character or personality traits
as a sufficient basis for defining entrepreneurship. Secondly, the
entrepreneurial characteristics required to launch a business successfully are
often not those required for growth and even more frequently not those
required to manage it once it grows to any size. As the business now needs a
professional management focus, which calls on a different set of skills, to
manage and sustain growth, that are distinct from the skills necessary to start
an enterprise and promote an idea. Applying management skills allows the
adolescent enterprise to continue to do well, but the business culture begins to
change. The emphasis of management is structure, policies, procedures and
the bottom line. The role of the entrepreneur needs to change with the
business as it develops and grows, but all too often the entrepreneur is not able
to evolve by creating or adopting capabilities that can help them grow and
mature.
The Critical Evolution
African entrepreneurs, possessed of considerable drive, vitality and high
risk appetite, have established multitudes of small businesses. Such
undertakings are easy to start, even by men and women with little education,
African Business Challenges; Entrepreneurial Deficiencies 4
2
AFRICAN BUSINESS CHALLENGES Poor Corporate Entrepreneurship
In their 2011 book Corporate Entrepreneurship: How to Create A Thriving
Entrepreneurial Spirit Throughout Your Company, authors Robert D. Hisrich and
Claudine Kearney explain why businesses of all types need to embrace
entrepreneurial values: “Entrepreneurs challenge existing assumptions and
look to generate value in more innovative and creative ways. Entrepreneurs
change the way business is conducted by identifying opportunities and
successfully filling them.”
My argument in this chapter is that existing African business (small,
medium or large), need to develop internal entrepreneurial capabilities also
known as “intrapreneurship” to ensure that they become innovative and
competitive. I am not saying that entrepreneurs are smarter than corporate
businesses, or that they are strategically and morally superior. They just work
harder under challenging conditions, with fewer resources and no tolerance
for failure.
What is “Intrapreneurship”
Intrapreneurship is the practice of entrepreneurship by managers and
employees within establish businesses of any size.
The business encourages its employees especially its managers to become
corporate entrepreneurs. The managers/intrapreneur can use their creativity
and start-up business techniques within a firm to create for their employer new
products, services or new entire business units for the firm with the full
backing of the firm’s resources
The term is derived from a combination of “intra” or internal, and
“entrepreneurship”. Intrapreneurs are usually highly self-motivated, proactive
and action-oriented people who are comfortable with taking the initiative in
pursuit of an innovative product or service.
According to this definition, a corporate manager who starts a new
initiative for their company which entails setting up a new distinct business
unit and board of directors can be regarded as an intrapreneur. In contrast, a
corporate manager who starts a new initiative using pre-existing corporate
structures is not an intrapreneur. Nor is a leader of a Research and structures
is not an intrapreneur. Nor is a leader of a Research and Development unit
within an organisation, whose innovations are managed by the organisation.
Were this R&D leader to create a new stand-alone organisation, which
performs its own functions and sells its own products—albeit with strong
continued links to the parent company—it would count as intrapreneurship.
Features of Intrapreneurship
Entrepreneurship involves innovation, the ability to take risk and creativity.
Entrepreneurs is able to look at things in novel ways, i.e. to “think outside the
box”. They have the capacity to take calculated risk and to accept failure as a
learning point. Intrapreneurs is and thinks like an entrepreneur—looking out
for opportunities, taking new initiatives which profit the business they work
for.
Persistence, creativity and the need to defy overwhelming odds are
common parts of the entrepreneurial journey; the way to success lies with
protagonists who do not quit because they are fully invested (in all senses of
the word) in their project. Hence, the most important characteristics of
intapreneurship, like in entrepreneurship, is the acceptance of risk or failure.
This means that intrapreneurs must have a personal stake in their initiative’s
success.
Difference between an Entrepreneur and an Intrapreneur
An entrepreneur takes substantial risk in being the owner and manager of a
business with expectations of financial profit and other rewards that the
business may generate. On the contrary, an intrapreneur is an individual
employed by a business for remuneration which is based on the financial
success of the unit, product or service he initiated.
The major difference between entrepreneurs and intrapreneurs is that the
fruits of success default to the business rather than to them. Intrapreneurs also
have the comfort of knowing that failure will not have a personal cost—as it
would for an entrepreneur—since the business would absorb losses arising
from failure.
Intrapreneurs share the same traits as entrepreneurs such as conviction,
zeal and insight. As intrapreneurs continue to express their ideas vigorously,
the gap between them and the philosophy of the business they work for is
revealed. If the business supports them in pursuing their ideas, they succeed, if
Poor Corporate Entrepreneurship
40
3
AFRICAN BUSINESS CHALLENGES The Adverse Business Environment
The Business Environment
It has been maintained so far that one of the major impediments to the success
of African businesses is attributable to entrepreneurial deficiencies of most of
African people who own a business or want to start one. The other serious
impediments are those associated with difficulties in the African business
environment.
The term “Business environment” is composed of two words “Business”
and “Environment”. In simple terms, the state in which a person remains busy
is known as Business. The word Business in its economic sense means human
activities like production, extraction, or purchase or sales of goods that are
performed for earning profits. On the other hand, the word “Environment”
refers here to the aspects in the surroundings of the business other than
entrepreneurs’ abilities.
Business environment has two components, internal environment, which is
usually within the entrepreneurs’ influence and external environment which
entrepreneurs cannot influence.
The internal environment includes 5 Ms, i.e. man, material, money,
machinery and management and despite the fact that entrepreneurs can
influence them, they are dissociated with their abilities since they do not
derive from entrepreneurs.
The external environment relates to factors that literally exist outside the
business. Without any confusion, these are independent from entrepreneurs
‘abilities. These factors exist in two types, micro or operating environment and
macro or general environment.
Micro/Operating Environment
The environment which is close to business and affects its capacity to work is
known as Micro or Operating Environment. It consists of Suppliers,
Customers, Market Intermediaries, Competitors and the Public.
• Suppliers: They are the persons who supply raw material and required
components to the company. They must be reliable and the business
must have multiple suppliers i.e. they should not depend upon one
supplier only.
• Customers: These are regarded as the kings of the market. The success
of every business depends on the level of their customers’ satisfaction.
The main types of customers are:
- Wholesalers
- Retailers
- Industries
- Government and Other Institutions
- Foreign markets
• Market Intermediaries: They work as a link between business and final
consumers. They include:
- Middleman
- Marketing Agencies
- Financial Intermediaries
• Competitors: Every move from a competitor affects the business. Each
business has to adjust itself according to the strategies of its
competitors.
• Public: Any group who has actual interest in the business enterprise is
termed as the public e.g. media and local public. They may be the users
or non-users of the product.
Macro/General Environment
It includes factors that create opportunities and threats to business units. The
following are the elements of Macro Environment:
• Economic Environment: It is very complex and dynamic in nature. It
constantly changes with policies or political situations. It has three
elements:
- Economic Conditions of the population
- Economic Policies of the country
- Economic System
- Other Economic Factors: Infrastructural Facilities, Banking,
Insurance companies, Money markets, Capital markets, etc.
• Non-Economic Environment: The following are included in non-
economic environment:
African Business Challenges; The Adverse Business Environment 48
4
SOUND BUSINESS PRINCIPLES Foundation for Business Success
Introduction
It is possible for African entrepreneurs to put their businesses on the path for
success by establishing and applying sound principles in their businesses. As
they build the foundations for their businesses, ground rules or guiding
principles that they and their employees will abide by will need to be
established. These ground rules or principles will dictate what and how
decisions should be made, how their businesses should operate and these
should be viewed by other people and other businesses. If these principles are
established up front, there will not be any questions about how African
entrepreneurs will react when dealing with both the challenges relating to their
deficiencies and those relating to the business environment.
Planning for business success requires African entrepreneurs to do a few
things.
Firstly, they must decide on the ideals for their business. If they want their
business to be very professional and white collar, then they should include
these ideals in their guiding principles so there is clarity on how as to how the
business should operate.
Secondly, they need to hire employees who agree to abide by the guiding
principles. Much like a standard of behaviour that larger corporations institute
through their human resources office, the guiding principles must be accepted
by all of the employees. If one employee breaks the mould by not agreeing
with these principles they could create a slippery slope of dissent that will
result in the business being undermined. These guiding principles should be
put into place and adhered to by anyone who wishes to have a future within
the business.
Finally, setting up a business for success should begin with African
entrepreneurs’ introspective look at what the guiding principles mean and if
they, as the business leaders, can uphold them. Business principles can make
or break a business but if the entrepreneurs’ life reflects sound principles then
their business will simply be an extension of who these entrepreneurs are,
rather than an alter ego that they slip into when they go to work each day. The
guiding principles should be stated clearly and in plain view of employees and
customers so they all know what the entrepreneurs and their business stands
for.
Sound business principles will dictate how a business will operate and will
inspire and reinforce solid management practices. Bad business principles
teach bad habits to employees, will let entrepreneurs and employees settle for
less than the best. As leaders of their businesses the onus are on African
entrepreneurs to set from the beginning the principles that will determine how
their business will operate and deal with challenges.
Business principles govern every area of a business. African entrepreneurs
will need to put these into practice to handle human resources issues. Without
sound practices there will not be any standard method for hiring employees
and there will not be an organised structure of benefits, time off, sick days, or
conflict resolution. Sound business principles are also vital for the marketing
function which determines how a business gets the word out about its
products and services. Without a solid marketing plan in place there is no way
of knowing which products or service should be sold, where to reach target
audiences, the best way to reach them and how much money to spend for
reaching those audiences.
African entrepreneurs should also develop solid business practices for their
management team. If the management of the company does not have solid
business principles then there is no hope for the business. The people who
make decisions within a business must all adhere to the same principles so
there is continuity and consistency within the business. Following a set
standard of guiding principles is a solid foundation on which a business can
operate on grounds of professionalism, integrity, efficiency, and credibility.
Imperative Business Principles
In my opinion, the solid business principles that can prevent African
entrepreneurs from being subjected to their own inadequacies and to those of
their business environment include:
Having a good solid business plan
This applies to your business and to a new product or a new service you
want to launch. There is an old saying: “Those who fail to plan, plan to fail”.
A detailed set of plans for success needs to be made. You need to have the
steps from point A to point B listed in great detail, including realistic cost
estimates for and risks involved in accomplishing each step.
Sound Business Principles; Foundation for Business Success 64
5
AFRICAN BUSINESS MERCENARIES
In Africa, despite the efforts that entrepreneurs may make to promote and
observe sound business principles, the fact is that most entrepreneurs find
themselves powerless and unprepared in the face of the ever-present and
overwhelming challenges so much so that most of them end up depressed and
discouraged to the point of abandoning their business endeavours.
Some entrepreneurs manage to bounce back after suffering a setback or
after experiencing failure, not just with renewed determination and new
resources but also with a commitment to adhere to business principles that
they know will guard them from succumbing to the effects of African business
challenges. Some entrepreneurs conversely choose to use deceitful practices as
means of surviving in business when facing African business challenges. I refer
to these types of entrepreneurs as “business mercenaries”.
The Mercenaries’ Survival Techniques
The techniques of survival used by these so-called entrepreneurs are varied,
but undoubtedly the most predominantly applied tactics are a blatant
disregard for certain laws.
The first of these tactics is recourse to the currency parallel markets.
Businesses with heavy reliance and dependency on imports or whose exports
do not yield sufficient foreign exchange, resort endlessly to sourcing their
foreign currency requirements in the illegal alternative markets. The other
frequent disregard for the law is profiteering, especially on the retailing of
imported goods. Another technique is the reduction in overhead expenditures
wherever possible including nonproduction of auditing of financial statements
and non-insurance of assets against the countless risks confronting enterprises.
Most businesses also address containment of operating costs by resorting
unusual maintenance of plant, machinery and equipment, although doing so,
lessens the value of those assets and often impacts on the quality of products
and on productivity. However, these businesses seek the benefit of immediate
reduction of costs in order to survive, despite knowing that doing so is a sure
catalyst for future cost increases. A further method of cost containment in
order to survive is by cutting expenditure on personnel training and
development and by maintaining unfair labour practices.
To counter increasing inflation which erodes capital resources of most
businesses, some resort to borrowings, but at considerable cost, as interest
rates rise gradually, driven upwards by inflation. Such costs diminish
prospects of survival, unless other compensatory cost reductions could be
effected. Other businesses address their capitalisation needs by seeking
investors that are willing to acquire a stake in the business, whilst others seek
to reduce their capitalisation needs by discontinuing provision of credit to
customers, lowering levels of stockholdings, and by disposals of assets.
Corruption is another but one of the most practiced methods of survival. It
generally involves businesses ensuring that they receive preferential treatments
or access to business opportunity and security through bribery or payment (in
money or kind). These include kickbacks, gratuities, pay-off, sweeteners,
greasing palms, etc. Many businesses owe their apparent resilience to
favouritism and nepotism which exempts them from the application of certain
laws or regulations or give undue preference in the allocation of scarce
resources. Other businesses base their operations on fraud using trickery,
swindle and deceit, counterfeiting, racketing, smuggling and forgery in order
to survive. In Africa are funded through the misappropriation of public money
by public office holders, and the apparent strength of these businesses is due to
the political position or connections of the people involved.
Often the category of entrepreneurs who employ bad business practices
have as their sole pursuit in business to “make money and more money”. In
other words, the love of money is their only objective for entering or staying in
business. They often do not have any notion regarding cost, profit, cash flow,
ethics or management as they only care about how much money they can
make and take through their business. They view their businesses not as an
enterprise that offer products or services to the public or a vehicle that adds
value to customers and creates its own value by successfully achieving its
mission. The popular Christian saying that the “love of money is the root of
all kind of evil” cannot be more true when one tries to understand their
behaviour and motives of this type of entrepreneurs. Benjamin Franklin
rightly stated that “he that is of the opinion money will do everything may
well be suspected of doing everything for money.” In any case, it is commonly
known that greedy people do not have a moral compass.
The Survival of the Fittest?
“It is a jungle out there!” is the general saying used when referring to doing
business in Africa. This implies that the best way to succeed in the African
African Business Mercenaries 90
6
OVERCOMING FAILURE The Spirit of Entrepreneurs
Entrepreneurial Resilience
African entrepreneurs generally face unusual business challenges which result
in high rate of business failure. As is the case elsewhere business failure means
a personal loss. They are distressed when passing through traumatic events
and setbacks and react negatively to business failure. These negative reactions
take four forms: emotional, behavioural, physiological and mental:
The emotional reactions to failure include helplessness, depression,
loneliness, anxiety, and withdrawal. A strong emotion is as that of guilt and
self-blame as they feel responsible for the failure of the business. The
behavioural reactions to failure include evasion from reality and suicidal
intentions or actions. Some entrepreneurs who will not endure the scrutiny of
society or family and cannot face the reality will chose to “evade” or “die”.
Physiological reactions generally involve the physiological changes that a
failed entrepreneur suffers due to emotions and behaviours. The entrepreneur
may lose weight, get sick. Finally the mental reactions include the
entrepreneur becoming sleepless, lunatic, addicted to alcohol and obnoxious.
These negative reactions are generally due to the pressure of financial
liabilities, inability to meet one’s family basic needs, loss of self-worth, feelings
of being useless to society, slander of personality and lawsuits after the failure.
The main causes of negative failure reactions are “loss of control” and “loss of
social status”, as many entrepreneurs would struggle to integrate failure in
their personal lives.
“Loss of control” is one of the principal factors leading to the
entrepreneurs’ reactions failure. Most of the entrepreneurs are motivated to
start a business in order to “be in control” of their own destiny and work.
However, when things are out of their control, entrepreneurs will often
interpret this as a loss of influence and power.
The “loss of social status” is also one of the key causes of entrepreneurs’
reactions failure. Entrepreneurs are devoted to their business and regard it as a
personal achievement. People in society show respect for their success.
However, once they fail, their statuses disappear and they feel worthless,
escaping from the world to ease the pain and shame caused by the failure.
Most management and business studies, however, mainly focus on how
entrepreneurs succeed failure by advocating that entrepreneurs are optimistic,
active, result-orientated, self-controlled, risk takers, showing autonomy and
problem solving capability.
Some literature on leadership and business advice assume that leaders are
rational beings, hardly focusing on the leaders’ irrational side. These books are
less likely to explore how entrepreneurs face their business misfortunes or
adapt to psychological weaknesses. Nonetheless, it has been my experience
and observation that most successful entrepreneurs and leaders experienced
fluctuant career and business failures. They are not always optimistic, positive
and brave in facing challenges when they slump, which result in some
entrepreneurs’ collapse after a failure or setback. But some entrepreneurs are
willing to bounce back from business loss and treat the opportunity as a new
start up process for re-positing self-identity. How true entrepreneurs are able to
bounce back after business bankrupts or failure is neither fully known nor
effectively conveyed.
I will first state categorically that business failure is normal. A failed
business may mark the end of a venture, but it does not mark the end of a true
entrepreneur. My experience shows that, for real entrepreneurs, failure can be
an opportunity to succeed, to build on what has been learnt. True
entrepreneurs are the ones who are able to pick up the pieces and move
forward. In this chapter, I explore and share how the failed entrepreneur can
overcome the dark side of failure and misfortune in business through
entrepreneurial resilience.
Resilience is one of the great puzzles of human nature, which is neither
ethically good nor bad, but merely the skill and the capacity to be robust under
conditions of enormous stress and change. It is more than education, more
than experience, and more than training. A person’s level of resilience will
determine who succeeds and who fails, and it does matter in business.
There is a gap between business practice and the theory of how an
entrepreneur bounces back after business failure or whilst facing difficulties.
One psychiatrist indicated this phenomenon in a magazine interview, “The
patient who faced business failure and suffered from psychosis is the hardiest
case to cure for us.” Thereby, entrepreneurial resilience seems increasingly
important for the business field but is less exploited when entrepreneurs faces
high failure rate and how they can restart new business if failed.
My argument here is that typical successful entrepreneurs’ capabilities of
calculated risk taking, innovativeness and aggressiveness are not inherent but
are cultivated from experiencing failure and challenges. Therefore, it is critical
for entrepreneurs to assess the failure causes and the reaction to these causes,
Overcoming Failure; The Spirit of Entrepreneurs 94
PART TWO
RISK MANAGEMENT
DEMISTIFIED
7
PLANNING FOR SUCCESS Integrating Business Plans, Strategic Plans
and Risk Management
The ability to manage risk is often indicative of an entrepreneur’s ability to
achieve long term success. But an entrepreneur may decide not to deal with
some risks because the chance that they will happen is slight or the effects are
trivial. Some will have a minimal impact and can be managed easily, whilst
others may threaten the longevity of their business.
The management of risks or risk management therefore helps
entrepreneurs to anticipate potential adverse events and problems, be more
forward-looking, and establish appropriate risk responses, thereby reducing
the possibility of bad surprises that may cause the disruption or termination of
their business endeavours. The success of a business depend less on
entrepreneurs’ risk taking ability and more on their risk management capacity
as the consequences of failing to adequately manage risks can be critical to the
survival of a business.
African entrepreneurs should therefore adopt risk management as an
overriding business principle and an integral part of managing their businesses
to ensure that they create long term value for their businesses. In most
developed countries all sectors of the economy have focused on management
of risks as the key to making businesses successful.
Businesses of all types and sizes face a range of risks that can affect the
achievement of their objectives. As discussed in previous paragraphs, some
risks are given rise to by challenges existing in the business environment such
as changes in exchange rates or the changes in interest rates. The others are as
a result of deficiencies relating to entrepreneurs’ own shortcomings and
include risks occurring following non-compliance with laws and regulations.
When it comes to risks originating from challenges in the business
environment, one of the most predominant risks is that of a change in
customers’ demand for the goods and services produced or sold by the
business. If the change is a positive one, and the demand for the offerings of
the business increase, the amount of risk is decreased a great deal. However, if
consumers demand for the offerings decreases, either due to loss of business to
competitors or change in general economic conditions, the amount of risk
involved will increase significantly. When a business’s risk factor is considered
to be increased due to outside factors that are beyond the control of the
entrepreneur or management to correct, chances of growing the business are
very slim.
Challenges relating to the entrepreneurs’ inabilities may also result in
significant business risks. Often, these can easily be identified and corrected.
For instance, if failing sales can be attributed to an ineffectual marketing effort
or a sales force that is not performing to expectations, changes can be made in
the marketing approach or sales efforts can be restructured to maximise
success opportunities for the business. The same is true if a business’s manufacturing facilities are not
operating at optimum efficiency. Revamping the operational structure of the
plants and facilities will decrease the element of business risk and result in
higher profits at the same level of production and sales.
Risk management is simply a common-sense and structured approach to
dealing with uncertainty, whether this uncertainty is given rise to by
inadequacies in the business environment or by the inadequacies pertaining to
entrepreneurs’ own deficiencies. The aim is to allow proactive management,
rather than waiting for risks to mature leading to situations requiring a
reactive crisis response.
How to approach risk management will depend on the size, activities,
internal environment and management structure of a business. The scope of
the risk management needs also to be considered in how risk management
should be approached. For instance, large business organisations may need
comprehensive risk management planning but in smaller businesses specific
areas of activity can be chosen for risk management.
However the most important variation that needs to be taken into account
in establishing how risk management should be approached is based on
whether a business is starting or already established. For new business
initiatives; the risk management plan should be integrated in the initial
business plan. For businesses already established, risk management should be
an integral part of the strategic plan.
Business and strategic plans should clearly define how business objectives
will be achieved and how the risks that can affect these objectives or the
achievement process thereof should be dealt with. These plans are important
management techniques in a business of any size and risk management can
assist greatly in the business or strategic planning process. Risk management
can achieve this by assisting the business to effectively manage the weaknesses
and threats to achieving the objectives of the business, as well as recognising
where opportunities exist and capitalising on these to help the business grow
Planning for Success 104
8
SCENARIO PLANNING The Precursor of Risk Management
“Every organisation must think ahead, but how? We look out into the future, trying
our best to make wise decisions, only to find ourselves staring into the teeth of ferocious
and widespread uncertainties. The future is complex, uncertain and not in our control,
but the future is where the strategies we enact today will lead us.” Shell Website
Preparing for the Future
It has become a cliché to say that those who do not learn from the past are
doomed to repeat it. In today’s business world, we can say that those who do
not “learn from the future” are doomed.
From time immemorial, man has had to prepare himself for various
eventualities. Just to survive, he has had to ask questions like: What if it does
not rain? What if there is a poor harvest? Indeed, it is this type of thinking,
which made man think of taking various solutions, such as storing food,
building dams, etc.
It happens to us all. We look to the future, trying our best to make wise
decisions, only to find ourselves staring into the teeth of ferocious and
widespread uncertainties. How do we decide what kind of studies our
children should pursue when it is not clear what industries will exist in ten or
fifteen years? How do we plan buying a house in a country when we cannot
know what sort of socio-political condition this country will be in the future?
As we face each of these problems, we confront a deeper dilemma: how do we
strike a balance between predictions - believing that we can see past these
uncertainties when in fact we cannot.
Today, entrepreneurs face a similar dilemma, and also they recognise that
adapting blindly to the future outcomes of external events is not desirable. But
they often carry the additional weight that on their decisions rest the destiny of
their businesses. It is often said about entrepreneurs or Chief Executive
Officers that “it is lonely at the top”. But for most entrepreneurs these days,
the bigger problem is that “it is confusing up there”. It is no longer enough
simply to execute, to “do things right”. Entrepreneurs have to choose “the
right thing to do”: set a course, steer through the strategic issues that cloud
their business’s horizons. Do we or do not we invest in that industry? Launch
that product? Establish a presence in that market? Or wait and save money?
The pressure of the future will only increase in the years ahead.
Technological, economic, and social change in will continue to accelerate.
Technologies are cross-fertilising and mutating-unpredictability spawning new
technologies, new products, and new markets. Blink and your business is
history. The bad news is that you cannot predict the future. The good news is
that you can prepare for it.
Whatever you decide to do will make a life or death difference to a
business - t it can take years to learn if your decision was wise. Entrepreneurs
have often to immediately make a decision—and often make it now. The rest
of the stampeding world will not wait until certainty appears. Anything that
can help make a decision in the midst of uncertainty will be valuable.
When the business environment encounters a high level of uncertainty and
confusion, which occurs from either complexity or rapid change or both, one
of the most prudent and useful things you can do is spend time considering
what your business’s future may look like in different environmental
conditions.
To manage risks related to business growth that will extend long into the
future, entrepreneurs must be willing to look ahead and consider uncertainties.
But rather than doing that, many African entrepreneurs react to uncertainty
with denial. They take an unconsciously deterministic view of events and take
it for granted, that some things will or will not happen. Not having tried to
foresee surprising events, they are at a loss for ways to act when upheaval
takes place. Scenario planning is one very powerful technique to limit risks
from external influences and to identify future opportunities and uncertainties
is. As the name implies, it serves entrepreneurs to plan for several different
future possibilities. It is a “what if’” exercise. It asks questions such as:
• What if the price of raw materials doubled?
• What if we lost our biggest two customers?
The purpose of scenario planning is not to pinpoint future events but to
consider the forces which may push the future along different paths therefore
shaping which the forces that are likely to catch entrepreneurs unawares. It is
about making these forces visible by projecting them forward and by exploring
their implications, so that if they do happen, entrepreneurs will at least
recognise them and be prepared in advance rather than simply meeting them
as they come. The advance preparation can often save a great deal of time and
Scenario Planning, The Precursor of Risk Management 120
9
THE CONCEPT OF RISK
Defining business risk
The Right Perspective
The ultimate origins of the word risk have never been satisfactorily
explained. English acquired it via French “risqué” from Italian “risco”, a
derivative of the verb “riscare” which means “run into danger” or “to dare”.
Risk is present whenever circumstances give rise to an outcome that cannot
be predicted with certainty. Depending on the context, there are many
accepted definitions of risk in use.
In the business context however, the basic understanding one should have
in order to define risk is that everything an entrepreneur does aims to achieve
objectives of some sort and wherever objectives are defined, there will be risks
that could make difficult their successful achievement.
Business risks are therefore determined in relation with the business
objectives that would be affected if those risks occur. I call these objectives
“objectives at risk” which may include starting a new business, launching a
new product or service, entering a new market or trying to increase profit and
market share, meeting customer’s expectations, complying with specific
regulations or licence requirements, meeting obligations toward stakeholders
such as suppliers and employees or mobilising adequate financing to grow a
business.
The notion of “objectives at risk” is built on four conditions, namely:
• The objectives must be relevant to the success of the business.
• Causes that can create the uncertainty in the achievement of these
objectives must exist.
• The business must have the ability and resources to achieve these
objectives.
• The failure of achieving these objectives must have a direct impact on
the interruption or termination of the business activities.
This notion allows the understanding of the fact that a business risk is an
“uncertainty that matters”, recognising the fact that there are other
uncertainties that are irrelevant in terms of objectives, and these should be
excluded from the risk identification step.
For example if you have a printing business in South Africa and source
raw material from say Kwazulu Natal, a South African province, the
uncertainty about whether there may be a drought in Senegal next week is
irrelevant. But if your business involves supplying mining equipment in the
Democratic of Congo, the possibility of war or social uprising in that country
is not just an uncertainty, it matters.
Business risk can therefore defined as an uncertainty that, should it occur,
could negatively a business from achieving its objectives and ultimately result
in the business failing.
Whilst it is essential to relate business risks to business objectives, it is also
important to note that entrepreneurs’ view of risk is either subjective or
objective depending on the experience they may have had in dealing with
business risk or on their perception of it.
Objective risk
An objective risk is the likelihood of an actual risk event materialising. It is
what can really or objectively happen. This risk has been scientifically or
statistically established using available data and knowledge.
Operating in a regulated industry without the required license or not
paying the relevant taxes is objectively risky and may lead to the closure of the
business.
Subjective risk
A subjective risk is the perceived risk or what you think may happen. It is
the uncertainty based on a person’s state of mind. Two persons in the same
situation may have different perceptions of risk. High subjective risk often
results in conservative behaviour
As the term suggests, subjective risk can be defined as the degree of
uncertainty perceived by an individual. For example, a business that has
invested in developing in or distribution of a product and intends to launch it
in a market without prior marketing research will be uncertain if the product
will sell. This mental uncertainty is an instance of subjective risk.
It is often assumed that business initiatives and management decisions are
more directly determined by subjective estimates of risk than by objective risk.
In the context of African entrepreneurs, while this may be the case for events
about which there is little experience such as the global economic crises, it is
certainly not the case for everyday events such as the risks of inflation.
The Concept of Risk 144
10
THE CONCEPT OF RISK MANANAGEMENT
What Risk Management is Not
At one time, risk management meant a business having enough fire
extinguishers, safety and security. It was more about protection of physical
assets and employees through “loss” prevention and reduction programs.
Although these techniques are still widely used, modern business have
reduced their reliance on these more conventional and archaic arrangements
as many entrepreneurs have discovered that they do not adequately and
strategically provide the tools that can help them achieve their business
objectives.
Some African entrepreneurs also consider insurance to be the only
sophisticated way of managing risk. They think insurance can take care of
every loss. “Do not worry, we’ve got insurance” some entrepreneurs and
managers say to their staff. While insurance is very valuable, it is not a
panacea for risks inherent to businesses. It is a common method of managing
significant physical risks with low probabilities of occurrence and some of
their consequences such as loss of income. However, even for events that
insurance can cover there are deductibles, exclusions and limits that are
applicable. Basic to an understanding of how insurance works is the reality
that insurance does not and cannot eliminate risk. Nor can it directly help
business achieve their objectives such as increasing income, market share or
profit. It is only intended to deal with measurable or known risks and serves to
spread the impact of loss. It cannot deal with uncertainty itself and cannot
prevent losses. Also, entrepreneurs should remind themselves that insurance is
a product sold by insurers in pursuit of their own profit and not in the interest
of businesses they cover. This fact is truer with regards to pure commercial
insurers and not with mutual types insurers.
“Crisis management” is another concept that some African entrepreneurs
take for risk management. This technique may address immediate problems,
but it creates potential consequential aggravation of future problems. Let’s get
this straight. If a risk has already occurred in your business and you are
looking at solutions (i.e.; reacting to the risk), then it is an “issue”—a
“problem”. It is no longer a risk. Risk is the possibility that something bad
may happen in the future. So when a risk has occurred, there is no such thing
as probability then—the risk has turned into an event.
Many African entrepreneurs also believe that “fate” plays a major part in
the results achieved by businesses. A considerable number of them is however
realising that business results are rather influenced by their own deficiencies,
by the difficulties in the African business environment as well as by the effects
of globalisation, of world economic and financial crises, and of climate
change. Their access to modern management tools and techniques are also
helping them to better understand their business environment and improve
their business capabilities, making them able to predict, to some extent, the
various risks that may have a critical impact on their business objectives.
What is Risk Management
To be successful a business must achieve its overall objectives which are to
create and maximise its owners’ wealth whilst ensuring that the other’s
stakeholders’ expectations are met. Other specific objectives might be
providing the best quality service, maximising revenue and decreasing
expenses, having quality employees, increasing productivity and product
quality, and increasing market share. If they want their business to succeed,
entrepreneurs must therefore ensure that nothing makes uncertain the
achievement of their business objectives, and a business risk is exactly the
uncertainty which, if it occurs, would negatively affect the achievement of
business objectives.
In this context, risk management is a process through which business risks
are identified, analysed, responded to and monitored in order to enable a
business to achieve its objectives.
Risk management is recognised as good management practice in business
and is not only about the management of risks. It also allows the opportunity
to focus efforts on areas where the business can benefit most, through better
understanding of the risk/reward decisions.
Risk management is pre-emptive not reactive. Its purpose is to improve
outcomes or to secure good outcomes, in other words, it aims at increasing the
probability of success, and reduces both the probability of failure and the
uncertainty of achieving the business’s objectives.
To be effective, risk management cannot be merely a checklist or a process
that is disconnected from business decision making. Rather, it should be
integrated into on-going business practices so that risk can be managed as part
of day-to-day decision making, in a manner consistent with the business’s
objectives. Risk management should, for instance, be triggered within the
business process when special circumstances arise outside of the on-going
The Concept of Risk Management 174
“Do everything ethically….within reason of course”
11
ETHICS AND RISK MANAGEMENT
Philosophers and scholars have defined ethics as the study of what is right or
wrong, fair or unfair, just or unjust. Others have argued that ethics is, in
essence, morality.
Ethical problems typically stem from two human qualities: greed and
ignorance. Lapses in ethical behaviour caused by greed are easily
recognisable, for example kickbacks, expense account padding, stealing either
time or materials from employer. Lapses due to ignorance is more difficult to
recognise and appear often with questions of conflict of interest, for example
accepting large gifts from suppliers, failing to report significant risks to the
insurers, accountants accepting consulting assignments from audit clients.
Business ethics set the standard for how your business is conducted. They
define the value system of how a business operates both internally and
externally. With scandals concerning entrepreneurs involved in conflict of
interest, fraud, corruption, sexual immoralities making the news, it is no
wonder that businesses are increasingly giving attention to the ethical basis of
their business and how to lead in an ethical way.
While the examples above seem to be clear cut breaches of ethics, many
ethical dilemmas that not so clear cut are faced on a daily basis in business. In
fact, there may not even be a “right” or “wrong” answer to the dilemma, but
how you deal with it will say much about you and your business. These
decisions are often referred to as being in the “grey area”. They are not black-
or-white, but could be argued appropriately either way.
There are three questions you should ask yourself whenever you are faced
with an ethical dilemma:
• Is it legal? In other words, will you be violating any criminal laws, civil
laws or business policies by engaging in this activity?
• Is it balanced? Is it fair to all parties concerned both in the short-term as
well as the long-term? Is this a win-win situation for those directly as
well as indirectly involved?
• Is it right? Most of us know the difference between right and wrong, but
when push comes to shove, how does this decision make you feel about
yourself? Are you proud of yourself for making this decision? Would
you like others to know you made that decision?
12
RISK COMMUNICATION
When a crisis occurs, one of the first casualties is the business reputation. The
public always believes that many business offences are more serious that
violent crimes. This chapter is dedicated to helping entrepreneurs prevent their
businesses from losing reputation through risk communication.
At any given point in time, entrepreneurs are likely to encounter public
outrage of some sort due to perceived risks associated with the product or
service their business provides. The perceived risks are generally expressed by
the public in terms of integrity or safety concerns which can arise from
intentional bad publicity, damages suffered by a member of the public after
consuming a product or service offered by the business concerned or by the
entrepreneur’s or his employee’s unethical actions.
Whatever the situation, when a business eventually faces public outrage, a
variety of options for dealing with the situation are available.
One is to bury the head in the sand and hope that the will pass. Of course,
when one is in that position, a certain part of the anatomy is extremely
vulnerable to shack-and you may never know what kicked you.
Another option is to charge into the fight, to intimidate the public. The
main problem with this tactic is that the entrepreneur is likely to get shout out
of the saddle as a “Lone Ranger”.
Also, people often handle highly charged conflict by discounting the
credibility of others and thinking in terms of black and white: “mad-dog”
media, “redneck” producers, and “crazy” consumers. This is a human
reaction to controversy and most of us soon get a grip on ourselves and look
for more effective approaches to dealing with a problem.
One of the most common methods employed by entrepreneurs and
businesses is “damage control” whereby an incredible amount of time and
energy suddenly has to be focused on attempts to limit the scope of damage
that can affect the business’s reputation and effectiveness. Usually
entrepreneurs and businesses would focus on media management.
Entrepreneurs need to understand that it does not pay to manipulate the
media. The fact is the days of controlling the release of damaging information
are gone. Media reports abound from situations where supposedly
“controlled” information was leaked. Also our round-the-clock media-based
society spreads information like wildfire.
PART THREE
THE PRACTICE of Business Risk Management
Risk
Identification
Risk
Analysis
Risk
Response
Risk Review
13
PRELIMINARY STEPS
Overview
The generally accepted approach to risk management comprises a series of steps that when undertaken in sequence, they enable continual improvement in decision-making. These steps include the Establishment of the context, the Identification of risks, the Analysis of risks, the Selection of risk response options, and the Implementation and monitoring and performance review.
The elements of the risk management process are summarised in the figure below.
Each step offers a convenient milestone and each subsequent step is
dependant, and builds, on the work completed in the previous step, providing
an evolving understanding of the issues and development of progressively
more robust risk management actions.
Communicate and Consult
Communication and consultation aims to identify who should be involved in
the assessment of risk (including identification, analysis and evaluation) and it
should engage those who will be involved in the treatment, monitoring and
review of risk.
As such, communication and consultation will be reflected in each step of
the process.
As an initial step, there are two main aspects that should be identified in
order to establish the requirements for the remainder of the process. These are
Communicate and Consult
Monitor and Review
Establish
the Context
Identify
the risks
Analyse
the risks
Evaluate
the risks
Treat
the risks
14
IDENTIFYING RISKS
Introduction
Risk cannot be managed unless it is first identified. Once the context of the
business has been defined, the next step is to utilise the information obtained
to identify possible risks the business is expose to.
Risk identification involves finding, listing and categorising ALL risks
which may affect activities and the achievement of business objectives. It
combines retrospective or prospective identification methods.
Retrospective identification relates to the risks that have previously
occurred, such as incidents or accidents. It is often the most common way to
identify risk, and the easiest. It is easier to believe something if it has
happened before. It is also easier to quantify its impact and to see the damage
it has caused.
There are many sources of information about retrospective risk. These
include hazard or incident logs or registers, audit reports, customer
complaints, insurance claims, conducting interviews with the entrepreneur or
his long serving staff about the history of the business and the challenges it has
endured in the past, past newspapers reports about the business, the
entrepreneur or the industry.
Prospective risk identification is often harder to conduct. It relates to
events that that have not yet happened, but might happen sometime in the
future and should include all risks, whether or not they are currently being
managed. Methods for prospective risk identification include brainstorming
with staff or external stakeholders, researching the economic, political,
legislative and operating environment, undertaking surveys of staff or clients
to identify anticipated issues or problems, and flow charting a process.
It is important to remember that risk identification will be limited by the
experiences and perspectives of the person(s) conducting the risk
identification.
Also, one of the most common failings in the risk identification step is
identifying things which are not risks. Clearly if this early stage of the risk
management process fails, subsequent steps will be doomed and risk
management cannot be effective. It is therefore essential to ensure that risk
identification identifies risks.
15
ANLYSING RISKS
Introduction
The purpose of risk analysis is to provide information to the entrepreneurs to
enable them to make decisions regarding risks that are a priority, risk response
options, or balancing costs and benefits.
In the risk analysis stage, the registered risks are assessed in terms of their
significance on the business objectives and activities based on their frequency
and severity levels.
Risk analysis involves combining the possible consequences or severity of
an event, with the likelihood or frequency of that event occurring. The result is
a “level of risk”; that is:
Risk = Severity x Frequency
Frequency and severity are two most important components of risk that
need to be measured. Some risks are low in severity and happen frequently,
such as small shoplifting and workers arriving late at work. For example
Minor accidents are common in the construction industry and, while
unfortunate, they do not bring the building site to a halt. These risks are very
probable but have a small impact because they are common, the business
should guard against them, but usually they cause negligible loss or damage.
Severe events, such as natural catastrophes, business license suspension or
death of a key employee, are very improbable. A terrorist attack is
catastrophic as it can cause a business to close, but it is a very improbable risk
in most African countries. For most businesses, this type of risk probability of
occurrence is very small, there is no point in trying to manage it. If, however,
the business had an office in known terrorist area of some East African
countries, the probability of this risk materialising would be higher.
However, some severe events happen frequently. For example the risk of
fire in a textile plant is both quite probable and catastrophic or the corruption
of tax and administrative authorities in some countries are common and
severe that many African entrepreneurs are discouraged to start a business or
forced to close their business due to the financial and psychological price they
have to pay.
16
RISK EVALUATION
Introduction
It is important that entrepreneurs establish, after analysing risks, what exactly
the “frequency” and “severity” terms means to their businesses.
Risk evaluation helps them to clarify this issue by comparing the level of
risk found during the analysis process with previously established risk criteria
and, as a result, enables them to decide what level of risk is acceptable to the
business.
“Acceptable” means the business chooses to “accept” the risk because the
opportunities presented outweigh the threats to such a degree that the risk is
justified or because the cost of treatment far exceeds the benefit, so that risk
acceptance is the only option. It also means that the level of the risk is so low
that specific treatment is not appropriate with available resources or the risk is
such that there is no treatment available.
ALARP as an Essential Risk Evaluation Method
This principle of weighing risks against the risk criteria is known as
ALARP (As Low As Reasonably Practicable).Thus, ALARP describes the level
to which risks is to be kept to ensure that the business achieves its objectives.
The ALARP principle recommends that risks be reduced “so far as is
reasonably practicable,” or to a level which is “As Low As Reasonably
Practicable”. If a risk falls between the two extremes (that is, the unacceptable
region and broadly acceptable region) and the ALARP principle has been
applied, then the resulting risk is the tolerable risk for that specific application.
According to this approach, a risk is considered to fall into one of 3 regions
classified as “unacceptable”, “tolerable” or “acceptable” (see Figure below).
Above a certain level, a risk is regarded as unacceptable. Such a risk cannot be
justified in any ordinary circumstances. If such a risk exists it should be
reduced so that it falls in either the “tolerable” or acceptable” regions or the
associated hazard has to be eliminated. Below that level, a risk is considered
to be “tolerable” provided that it has been reduced to the point where the
benefit gained from further risk reduction is outweighed by the cost of
17
RISK RESPONSE PLANNING
Introduction
The Risk Response Planning phase is where strategies are determined and
actions are developed, the implementation of which will allow entrepreneurs
to have appropriate responses to risks they take to achieve business objectives.
It is therefore the most important phase in the risk management process as it
ensures that risk is dealt with appropriately based on a business’s acceptable
risks. Most risk management guidelines recognise at least four types of strategy
in responding to identified risks. A useful framework is to use the 4 Ts
characterising Risk Response Options:
• Terminate (or Avoid)
• Treat (or Control)
• Tolerate (or retain)
• Transfer
However risk management has seen in the past two decades new concepts
of response techniques as a result of large businesses and organisations
applying capital and investment concepts and strategies in the management of
risks. The two main new techniques are the so called” Risk Financing” and
“Alternative Risk Financing” Solutions.
In order for entrepreneurs to ensure that their risk response plan is
effective, they should try their best to plan a specific risk response for each
acceptable level the appropriate risk response. For example, those that fall
under the acceptable levels will be retained or controlled, while those over the
risk tolerance should be avoided or transferred.
The correlation table can better facilitate to describe the Risk Response
Planning.
Terminate/Avoid risk
This strategy is used to make the risk cease to be a possibility. This means
staying clear of the risk altogether. But it is NOT the same thing as treating
your business risks as an afterthought! Risk avoidance is a conscious, rational
decision by an entrepreneur to avoid the occurrence of a serious threat by
suspending the business activity that poses the risk to his business.
By avoiding the occurrence, the impact as well as the consequential
negative financial impact could also be avoided. In other words, you might
decide to stop manufacturing a specific product, or to stop delivering a specific
service because of the high risk involved.
Risk avoidance is important, since it involves the taking of actions which
will prevent the risk from having an effect on the objectives of the business. In
this way risk avoidance can be said to decrease one’s chance of loss to zero.
Risk Avoidance involves changing the business risk context, i.e. changing
the nature of a business or an activity to avoid its inherent risks. It also can be
accomplished by changing the process or the resources to attain an objective
or sometimes modifying the objective itself to avoid the risks involved. Other ways to avoid risk include:
• Adding resources or time to an activity or project
• Adopting a familiar approach instead of an innovative one
• Avoiding an unfamiliar subcontractor
• Clarifying contract requirements
• Improving communication
• Obtaining more information on a service or product specification
• Acquiring professional expertise
• Reduce scope of business or project to avoid high-risk activities
The Practice of Business Risk Management
271
to risks. When risk is avoided, the potential benefits, as well as costs, are given
up.
An example an example is the liability risk of owning or leasing premises
from which the business is to be conducted or the doctor who quits practicing
medicine does indeed avoid future liability risks but he also forfeits the income
and other forms of job satisfaction that may be associated with a career in
medicine; and the business that avoids manufacturing pharmaceuticals
relinquishes potential profits as well as liability risks.
Some risks will only be treatable, or containable to acceptable levels, by
terminating or avoiding the activity or activities that give rise to the risk. We
may rarely be able to stop doing the activity altogether, but should avoidance
be gained for a small cost, then it is the approach which should be used.
Treatment/Control of Risk
When I spoke of risk tolerance, I said risks that were above the entrepreneur’s
risk tolerance limit were not acceptable risks and that something had to be
done about them. Risk mitigation or control is a strategy where some work is
done on unacceptable risks to reduce either their frequency or their severity to
a point where their significance falls below the maximum risk tolerance level.
100% reduction would be equivalent to avoidance.
Risk control is generally approached on the basis of the focus and the
timing of loss control. The Focus of loss control considers frequency and
severity reduction whilst the timing of loss control considers the pre-loss
control, the concurrent control and the post-loss control.
Frequency Reduction
As a risk control technique, the goal of frequency reduction is to prevent
loss from occurring thereby reducing the number of losses from that exposure
over time and cutting the cost of paying for those losses. Properly done, loss
prevention does not need to be as potentially disruptive as exposure
avoidance. Some examples of loss prevention could include:
• Keeping any cash that is needed for business operations in a locked box
or even a safe, so that any potential robbers would have great difficulty
getting to it.
• Training employees in how to do their jobs safely, and monitoring their
job performance so that accidents and injuries to employees would
occur less frequently.
The Practice of Business Risk Management
273
• Increasing clearances between parking spaces so that collisions (and the
resulting property damage and potential liability claims) would be less
likely and less expensive in the long run.
• Clearly marking the building exit so that pedestrians would be alerted
to the danger of stepping in front of a motor vehicle leaving the garage.
Severity Reduction
As Much as loss prevention reduces the probability of losses from given
risk exposure, loss reduction aims to reduce the size or severity of such a loss.
To illustrate:
• An automatic fire detection and suppression system in operational
areas of a business would tend to reduce the size of any fires which
broke out in those areas. So would hand-held fire extinguishers—
provided the garage staff was trained in their proper use.
• Keeping no more than $500 dollars cash on the business premises could
well reduce robbery and embezzlement losses, even if the cash register
was occasionally left unlocked. There would be no more than $500
dollars there for any embezzler or thief to steal.
• Keeping first-aid kits in the office area and training employees in their
proper use would be likely to reduce severity of injuries to both
employees and third parties. This should in turn reduce the size of any
liability claims against the business for such injuries.
• An auto manufacturer having air bags installed in its fleet of
automobiles. This business is engaging in severity reduction. The air
bags will not prevent accidents from occurring, but they will reduce the
possible extent of injuries to the occupants of vehicles in a case of an
accident.
Other special forms of severity reduction are:
• Separation which involves the reduction of the Maximum Probable
Loss associated with some kind of risks. For example, a business may
disperse work operations in a way that an explosion or other incidents
will not damage more than a limited number of persons and property.
• Duplication is a very similar technique, in which spare parts or supplies
are maintained to immediately replace damaged equipment and/or
inventories. Duplication is creating a backup copy of the asset at risk.
With a building, this is a very expensive proposition, but for other
assets (data, critical documents, machinery parts, etc.), duplication is an
Risk Response Planning
274
Tolerate/Retain Risks
As with risk avoidance, risk acceptance is also a conscious and rational
decision by entrepreneurs. They accept the fact that they cannot counteract a
specific risk by avoidance, reduction, or transferring it, although, at the same
time, he acknowledges the need to continue with the business activity that
poses the risk to his business.
Using the acceptance or a retention strategy means that the severity of the
risk is lower than the entrepreneur’s or business’s risk tolerance level. If this
were not the case, it would not make sense to accept the risk. Accepting a risk
does not mean that we will not do something about the risk when and if it
occurs; it means that we will do something about it only if it occurs. It is the
category where the many insignificant and predictable risks are put. Many of
these risks cost less to fix when they occur than it would cost to investigate
and plan for them.
The difference between risk retention or acceptance and risk avoidance is
that with risk avoidance an entrepreneur avoids the occurrence of a very
serious threat that could damage his business’s financial position forever.
However, with risk retention, the entrepreneur decides to accept a risk, and
the consequential financial impact, and the fact that it cannot be counteracted
with additional controls.
There are two kinds of acceptance, passive and active.
Passive Retention
Passive or unplanned retention or acceptance involves the failure to plan a
response for a risk because the risk was not identified or because the existence
of risk is acknowledged but neglected on the assumption that the risk is simply
too remote or insignificant to be of concern or sometimes because the cost of
developing a plan can be higher than the cost of dealing with the risk without
preparation.
Risk Response Planning
280
Transfer Risks
Risk transfer means to shift the responsibility for loss or damage to another
party who will carry the risk impact and ownership of the risk response.
Partial transfers are known as risk sharing.
The general rule about risk transfer is that a business may transfer either
the actual risk or the financial consequences of a loss to another party.
Two methods are generally used to transfer risks. They involve the
contractual transfer and non-insurance transfer method as well as insurance.
Contractual and non-insurance transfer
Waiver of subrogation. The relinquishment by an insurer of the right to
collect from another party for damages paid on behalf of the insured. The
waiver of subrogation condition in current standard policies is referred to as
"transfer of rights of recovery."
Named as an additional insured. A person or organisation not automatically
included as an insured under an insurance policy, but for whom insured status
is arranged, usually by endorsement.
Hold harmless (HH) or indemnification agreements. They are clauses in a
contract under which you transfer the Responsibility for Payment to, for
example your subcontractor or tenant. They agree to assume your liability if
you are held liable for their negligent conduct. The different types of Hold
Harmless Agreements are:
• Broad Form which covers all acts or omissions with no
exceptions.
• Limited Form which covers only negligent activities of
contractor. It may be limited to property damage or bodily injury.
• Intermediate Form which covers all acts or omissions except for
your sole negligence or wilful acts.
Hold Harmless functioning consists of the following:
• It does not absolve you of liability
• It gives you a pocket from which to pay
• It does not mix with insurance requirements
• It is only as good as the person making the promise
• It defends and indemnifies any and all claims, suits, proceedings;
the costs paid as incurred, the full extent as permitted by law, the
The Practice of Business Risk Management
283
Risk Financing
Introduction
Risk financing refers to techniques that provide adequate financial
resources for those losses that a business cannot avoid or control. It is
primarily concerned with ensuring the availability of funds in the event of a
loss. For instance, rather than installing a sprinkler system, a business may
choose to protect against potential fire damage by transferring risk through the
purchase of an insurance policy that provides compensation if a fire occurs.
Or, if a business feels that its risk exposures are particularly “well-behaved”—
reasonable in size and predictable with some degree of certainty—it may
retain a portion and pay for it from the contingency or retention funds.
It is important to consider a business’s risk financing options in terms
of various layers of losses.
Primary or bottom Layer. This layer contains the high frequency/low
severity losses which are essentially predictable. It is unlikely that any single
loss in this layer could seriously impact a large business although an
accumulation of claims in any one financial period may create a problem.
This layer generally falls within deductibles.
Middle or Working Layer. This layer contains the medium
frequency/medium severity losses where there are only a few losses a year
expected. An individual loss may seriously distort the budget/financial
performance of any operating unit although it is not likely to present a major
problem for the business as a whole. The decision to insure or self-insure this
layer of risk depends on the appetite for risk-taking that the management of
the business has and sometimes it is influenced by the terms offered by
insurers.
Top or Catastrophe Layer. This layer contains the low frequency/high
severity losses. An individual loss of this magnitude can seriously distort the
financial results of the organisation in any one financial year and, may even
threaten the whole business. It is essential that insurance or an alternative
method of risk transfer is used to deal with these risks.
Depending on the size of the business the determination of these layers will
vary based on its financial strength and the historical loss experience.
The next step is to evaluate the most effective risk financing option for
each one of these layers. Businesses have 3 main options to finance their
losses. They include: Internal sources of funds or Risk Retention, External
sources of funds or Insurance and Alternative Risk Financing.
The Practice of Business Risk Management
295
It makes sense to consider all options for risk financing. There are costs
and benefits associated with each approach. These need to be weighed and
compared in light of a business’s strategic risk policy. Key matters to think
about are:
• Financial criteria—net present value, time-adjusted rate of return,
budgeting goals.
• Other criteria—legality, continuous operation, stable earnings,
growth, humanitarian concerns.
• Integrating organisational, financial and risk financing objectives.
• Ease or difficulty of implementing the chosen techniques.
• Establishing fund sources, drawing on fund sources, allocating
costs, technical decisions, and managerial decisions.
• Monitoring to ensure implementation, to achieve planned results
and to adapt when appropriate.
Retention
Retention in the risk financing context involves the assumption of risks by
a business. It means that the organisation maintains financial responsibility for
all or part of a loss and involves the payment of losses from internal sources of
funds.
Retention can be planned or unplanned. Unplanned retention is when a
business does not recognise that risk exists and unwittingly believes that no
loss could occur. It also happens when the existence of a risk is acknowledged
but if the maximum possible loss associated with the recognised risk is
significantly underestimated. For example, a manufacturer of kitchen
appliances may recognise the potential for product liability suits. But the
potential size of adverse liability judgements may be much greater than he
anticipates. Thus even though the exposure is recognised, the business is
engaging in unplanned retention of losses that exceed its estimate of
maximum possible loss.
Planned or active retention involves a deliberate of recognised risk. It
sometimes occurs because it is the most convenient risk treatment technique
or because there are simply no alternatives available short of ceasing
operations. The main forms of planned risk retention include: unfunded
retention, funded retention, and insurance covers exclusions.
Unfunded retention. Losses are treated as current expenses. It also tends to
be used for low severity/low frequency risks.
•
Risk Response Planning
296
Conclusion
The optimal retention level of an organisation can be defined as one allow
the assumption of the proper portion of the loss whilst creating a premium
savings, an investment opportunity and financial stability that are balanced by
the consideration of the risks and consequences involved.
The risk retention review should be a never-ending process for the risk
management professional. Viewing retention as an investment decision that
will result in moving retention up and down based on the claim results and the
state of the insurance marketplace. While this “yo-yo” approach to risk
retention may run contrary to risk management tradition as businesses
normally set a risk retention philosophy for stability—increasing it gradually
over time as part of the overall risk management plan, will result in a lower
cost of risk and measurable financial gain in today's drive for peak efficiency.
Increasing risk retention, regardless of risk financing structure, may save
premium payments, but without a thoughtful review of the return on
investment, and organisation's economic value may not be maximised.
Alternative Risk Financing
The traditional insurance market is perceived as having failed to deliver what
its business customers want. Others have stepped in to fill the gap with
Alternative Risk Finance solutions. Insurance is a source of finance to pay for
losses if and when they arrive. The risk financing through insurance is subject
to conditions but there is the advantage of stability in settled law and practices.
For larger businesses, insurance tends to be more a “loss-smoothing” device
rather than risk transfer, because claims are likely to be reflected in increased
premiums. It is most obviously a case of “dollar swapping” in high
frequency/low severity risks.
With insurance, there is a potential for delay in restoring assets and for
disputes over claims—the insurer's first loyalty is to its shareholders. On top of
premiums, an Insured will incur management costs of administering and
reviewing its insurance portfolio. There are also likely to be fees for
intermediaries such as to brokers and advisers.
Insurance companies emphasise “protection”, but for business customers
uncertainties remain in the form of underinsurance, over-insurance,
overlapping covers, incorrect assessment of exposures, insurer solvency, and
even policy wordings being negotiated after the inception of cover.
There are other negative aspects to insurance provision: poor quality of
service; cost of premiums may relate more to insurers overall portfolio rather
Risk Response Planning
348
than to insured’s loss experience; insurer “knee-jerk” reactions to market-wide
or insurer-specific claims problems resulting in volatility of premiums and/or
rapid withdrawals of cover (e.g. asbestosis, professional indemnity, terrorism);
premium determinations being heavily influenced by blanket re-insurer needs;
the heavy reliance on historical data for setting premium rates and little or no
recognition of the value of proactive risk management; traditionally slow to
offer new covers; primary insurers’ limited capacity; insurer takeovers and
mergers improving individual insurance business capacity but leading to
shrinking market choices; the attractiveness of personal lines business to
insurers over commercial business; costs arising out of insurers operating
inefficiencies built into premiums; and hidden costs such as broker over-riding
commissions.
The field of Alternative Risk Financing (ARF) grew out of a series of
insurance capacity crises in the US in the 1970s through 1990s that drove
purchasers of traditional cover to seek more robust ways to buy protection.
Modern businesses depend on more than physical assets and cash
resources—they rely on intellectual assets, critical just-in-time supply chains,
information and other technologies, communication tools, developments in
their marketplace, legal and regulatory compliance, brand value and
reputation. All such developments have implications for risk.
Commercial insurance has, to a certain extent, adapted with, for example,
integrated or bundled covers where claims are viewed from the perspective of
the total loss to the insured and not just an amalgam of individual policy
claims. Policies have been developed for risks previously regarded as
uninsurable, such as financial risks.
But moving beyond developments in traditional commercial insurance, we
have seen the world’s capital markets develop ways to handle insurance risks
(so-called “insurance convergence” products), especially catastrophe risk and
financial risks such as interest rate and foreign exchange risks. Demand,
supply, taxes and regulation, and information technology are drivers of
financial innovation and we have seen a rethinking in insurable risk and
principles such as indemnity and insurable interest. In short, the alternatives to
traditional insurance products are many and varied.
Alternative Risk Finance is the use of techniques other than traditional
insurance and reinsurance to finance insurable and uninsurable risks.
These mechanisms are said to be “alternative” as conventional risk transfer
and financing structures are amended, combined and finally used as
alternatives to traditional mechanisms, whenever additional cover and
capacity is needed.
The Practice of Business Risk Management
349
18
IMPLEMENTING
THE RISK MANAGEMENT PROCESS
Introduction
Risk responses are varied and none really addresses comprehensively the
risks that can cause a business to fail. Part of the difficulty is that each business
will have different types of risks, so it is difficult to generalise. Selecting the most appropriate risk response option involves balancing the
costs and efforts of implementation against the benefits derived having regard
to legal, regulatory, and other requirements, social responsibility and the
protection of the natural environment. Decisions should also take into account
risks that can warrant risk response actions that are not justifiable on
economic grounds e.g. severe (high negative consequence) but rare (low
likelihood) risks. A number of response options can be considered an applied
either individually or in combination. The organisation can benefit from the
adoption of a combination of response options. When selecting risk response options, entrepreneurs should consider the
values and perceptions of stakeholders and the most appropriate ways to
communicate with them. Where risk response options can impact on risk
elsewhere in the business, these areas should be involved in the decision.
Though equally effective, some risk responses can be more acceptable to
stakeholders than others.
If the resources for risk response are limited, the response plan should
clearly identify the priority order in which individual risk responses should be
implemented. It is both interesting and relevant to discuss how entrepreneurs
can allocate money for different risk response options. Risk avoidance is frequently going to cost some money. The money that
we spend to change or cease a business activity or to redesign a product so
that the risk of failure is avoided is money that will have to be spent regardless
of the probability of the risk. The additional work of doing the redesign and
adding more expensive parts will be part of the operating budget. No money
needs to be put into the risk reserves if the risk is completely eliminated. If the
risk has already been allocated funding in the contingency budget, the increase
in the operating budget can be taken from the contingency budget. Risk control or mitigation will have money put into the contingency
budget to handle the risk if it occurs. There will also have to be money put
into the operating budget to take care of the cost of the mitigating activities
that are being taken for this risk. The mitigation of the risk will reduce either
the probability or the impact of the risk, and the contingency budget should
therefore be reduced. Risk transfer requires money to be put into the operating budget to pay for
the additional cost of either subcontracting the risk or buying insurance for it.
The money to do the work for the activity affected, not including the risk cost,
was put into the operating budget when the task was created. The cost of the
transfer, either the additional cost that the supplier will receive or the cost of
the insurance premium, must be added to the operating budget. This money
can be taken from the contingency budget. Risk acceptance or retention including self-insurance programs will have
money put into the contingency budget if the risk has been identified. If the
risk is an unknown risk and has not been identified, the money for it will be
roughly estimated and become part of the management reserve. If the risk
does happen, the money is taken from the contingency budget or the
management reserve and moved into the operating budget when the plan for
dealing with the risk is put into place. The operating budget of the project, sometimes called the performance
budget, is the amount of money needed to do the things that are planned for.
This includes all of the work to develop a product and implement strategy to
sell it. It is not the total business budget; it includes funding only for the things
that are planned for. The management reserve is money that is set aside for the risks that have
not been identified, the so-called unknown risks. This transfer is made when a
risk occurs that has not been identified and money must be spent to solve the
effects of the risk. The contingency reserve is the money to do the things that
may or may not have to be done but that have been identified. This is where
the funding for risks that actually take place comes from. When a risk takes
place, the entrepreneur authorises money to be taken from the contingency
budget and placed into the operating budget. Generally the entrepreneur must
approve money transferred from contingency reserves to operating budgets. Risk response itself can introduce risks. A significant risk can be the failure
or ineffectiveness of the risk response measures. Monitoring needs to be an
integral part of the risk response plan to give assurance that the measures
remain effective. Risk response can also introduce secondary risks that need to be assessed,
treated, monitored and reviewed. These secondary risks should be
incorporated into the same response plan as the original risk and not treated as
a new risk, and the link between the two risks should be identified.
Implementing the Risk Management Process
376
19
THE COST OF MANAGING RISK
As an entrepreneur seeks to manage risk effectively, questions of cost also
arise since risk management is not a “zero-cost option” for risk management.
Cost of risk is driven by several components of the entire risk management
program. By understanding those components and how they are affected, an
entrepreneur can be able to work at controlling and reducing the total cost of
risk which includes all of the expenses a business incurs to treat the risks it
faces.
Entrepreneurs who do not understand the cost of risk will tend to focus
only on the obvious expense of insurance premiums, and will miss the bigger
picture, which can result in significant savings through effective risk
management.
At a minimum, the cost of risk includes these components:
• Risk management administrative costs
• Retained (uninsured/self insured ) losses/expenses
• Insurance premiums and related intermediary fees and commissions
• Loss prevention and reduction (risk improvement) costs
• External services
Risk Management Administrative Costs
These costs include all of the direct internal costs of operating the risk
management function in a business. Every business has to do some degree of
risk management, and every business has internal cost associated with it. In
larger businesses, this includes salaries, office expenses, training and
education, travel expenses, safety supplies, employee benefits, and any other
costs that can appropriately be assigned to the effort. In smaller businesses, it
is generally the time spent by the entrepreneur’s or manager’s time spent by
entrepreneurs to deal with a loss or damage.
Retained Losses
There are two kinds or retained losses. Active losses are those that you are
aware of and choose to have, generally in the form of a deductible or self-
insured retention. Passive losses are far more dangerous. These are the ones
that you are not even aware of being uncovered. It might be an exclusion on a
policy or a risk you do not have insured.
Part of a business’s overall risk strategy may be to retain certain losses in
order to reduce premium. However, problems are still common:
• Deductible options incorrectly utilised
• Unexpected passive losses
Insurance Premiums
Insurance premiums include all fees and commissions. Virtually every
business pays some form of insurance premium. Many entrepreneurs focus
solely on the premium they have to pay to insurers as the cost of managing
risk. While it is important to keep insurance premiums as low as possible, it
should not be done by means that unnecessarily raise the other components of
the cost of risk.
Effective risk management will not eliminate all premiums, but it should
identify wasted or inefficient premium dollars. Some common examples of
wasted money through insurance:
• Inflated premiums that result from risk classification errors
• Premium loading due to incorrect loss experience models or risk profile
• Policies covering nonexistent assets
• Incorrect application of EML or PML
• Unnecessary or excessive intermediaries fees and commissions
Loss Control and Safety Costs
In an effort to avoid or reduce loss, some insureds may invest in loss
control and safety. This includes safety devices such as sprinkler systems and
safety equipment like safety glasses and fall protection. Granted, some of these
are required by regulation, but such costs arise out of the inherent risk of the
operation and are thus part of the "total cost of risk."
External Services Costs
Outside services incorporate the myriad of service providers available to
assist in the implementation and running of a risk management program. The
cost of the external services relate to the fees payable to these experts among
which we can count risk management consultants, legal advisors or attorneys,
accountants, statisticians, actuaries safety consultants, etc.
The Cost of Managing Risk 382
20
DOCUMENTING
THE RISK MANAGEMENT PLAN
Risk Management Plan
The Risk Management Plan guides a business through the phases of risk
identification, risk assessment and risk resolution. This article gives a brief
overview of how all three steps are coordinated to comprise the entire
methodology of risk management. To ensure that the risk management process is implemented and performs
as intended, a documented structured approach is recommended involving the
use of risk action plans, risk registers, and monitoring and reporting tools.
Many different types of documentation can be used in the risk
management process. It is easy to become confused about which documents
to use and when. This section offers a one simple way to record the risk
management process through the Risk Management Plan.
A risk management plan is a document used to record the risks that have
been identified through the risk management process, the levels of risks or risk
rates established in the risk analysis stage, the risk response strategies chosen
for each risk. A risk management plan also documents the strategies in place
to communicate the risk information to stakeholders and the method for
monitoring and reviewing risk information. It comprises four parts:
Contents of a Risk Management Plan
Executive Summary
This section summarises the concept of risk and risk management as it is
being currently applied to the business, the motivation and objectives of risk
management plan for the business.
Risk Policy Statement
This section describes the business’s risk management philosophy and the
processes and practices that are in place to manage risks across the business.
The policy also ensures that responsibilities have been appropriately delegated
for risk management.
Introduction
This section sets out the purpose of the Risk Management Plan document,
the Goals of Risk Management for the business concerned and it approach to
risk management.
Risk Register
The individual risks should be registered to facilitate tracking of their status
and provide an indication of the residual risk. A risk register is a tool for
managing and monitoring risk on a continuing basis. The details of individual
risks may be entered into a register database that records the following
information:
For each risk category, we will use the template to document the risks
identified, the current treatment strategy (if relevant), the risk rating elements,
the priority levels of each risk and the further treatment options available.
The columns in the risk register should be used as follows:
• An identifying/Serial number. Use a numbering system to differentiate
the risks identified within each category.
• A brief description of the risk event. Write a risk statement that defines
the risk, including what can happen and how it can happen.
• An outline of the current risk responses and their adequacy.
• Impact. Describe the possible impact on objectives as a result of the
risks.
• Severity levels. Use a risk analysis tool to estimate the possible
consequence or impact upon objectives, taking into consideration
existing risk response strategies.
• Frequency levels. Use a risk analysis tool to estimate the likelihood that
a risk may impact upon objectives, taking into consideration existing
treatment strategies.
• Risk rates of risk. Use a risk analysis matrix or similar tool to combine
the results of consequence and likelihood to achieve the level of risk or
risk rating.
• Risk priority. Compare the level of risk with the pre-determined risk
criteria and rank the risks in order of priority.
• Risk response options. Identify the various treatment options available
for managing the identified risk. (These options should be in addition to
current response strategies and should aim to reduce the residual risk).
• The current status of the risk response strategies
Documenting the Risk Management Plan 388
21
ENTERPRISE RISK MANAGEMENT The Next “Under construction” Level
Introduction
Every business encounters risks, some of which are predictable and under
management’s control, and others which are unpredictable and
uncontrollable. Risk management involves identifying, analysing, and taking
steps to respond to the exposures to loss faced by a business. The practice of
risk management utilises many tools and techniques, including insurance, to
manage a wide variety of risks.
Risk management is particularly vital for small businesses, since some
common types of losses—such as theft, fire, flood, legal liability, injury, or
disability—can destroy in a few minutes what may have taken an entrepreneur
years to build. Such losses and liabilities can affect day to day operations,
reduce profits, and cause financial hardship severe enough to cripple or
bankrupt a small business. But while many large businesses employ a full time
risk manager to identify risks and take the necessary steps to protect the firm
against them, small companies rarely have that luxury. Instead, the
responsibility for risk management is likely to fall on the business owner.
The importance of risk management in business can hardly be overstated.
Awareness of risk has increased as we currently live in a more competitive and
regulated yet less stable economic and political environment.
To meet their business objectives, entrepreneurs and business executives
are now expected to address emerging and varied forms of business risk.
Intense competition is now more than ever, a major factor dominating
today’s volatile markets. To remain competitive, business leaders must
continuously adapt strategies and operations and introduce new initiatives to
meet these competitive business challenges.
However, without an appropriate risk management program, these could
expose companies to additional and increased risks. For example, new
product initiatives can increase exposure to commodity price volatility, market
risks, and additional liability lawsuits.
Diversification can expose a company to increased business risks.
Regulatory and legal compliance requirements also increase risk exposure.
The Sarbanes Oxley Act of 2002 in the US (SOX) greatly raised compliance
Implementing ERM will provide businesses with benefits in that:
• It Aligns objectives at the different levels in the business.
• It Increases the opportunity of achieving business objectives.
• It protects and enhances shareholder’s value.
• It reduced fraud and risk incidents.
• It increases operational efficiency.
• It improves compliance with regulatory requirements.
• It Improves risk awareness and assessment.
• It reduces the cost of capital.
Conclusion
ERM may have been initially driven by compliance needs; however its
development should continue to serve an internal control function for better
corporate governance. Moreover, the forces upon which ERM thrives are
related to the potential economic values generated by better managing risks
under identified objectives. One common objective for the majority of
businesses is to maximise shareholders’ value. ERM is designed to provide the
framework where businesses can optimise the risk/return relationships.
ERM is still at its early stage of development for the most part. Conceptual
and practical frameworks are still being constructed through gathered efforts
from regulators, industries and academia. More advanced methodologies,
techniques and tools are emerging every day. Therefore, some of the aspects—
e.g., what ERM really is, the real effect, how it can be best implemented,
etc.—described are necessarily vague and debatable due to the lack of
consensus regarding exactly what constitute effective ERM and lack of
evidences regarding the empirical benefits of different implementation
scenarios of ERM. It is my hope that most of the ambiguity will resolve itself
as this process goes on and more concrete and analytical discussions can then
be carried out.
Entreprise Risk Management; The Next Level
402