Risk Managers Make
Not all risk managers succeed at their jobs of identifying and addressing
organizational risks. The external environment is a minefield of risks
waiting to ensnare the vigilant and unwary alike. Departments get downsized;
risk managers must do more with less. In addition, most risk managers occupy
staff positions, making them vulnerable to changes in the prevailing
corporate winds and whimsy. Top executives and even middle management may
wonder just what a risk manager does all day. And when belts are being
tightened, the risk management role appears to be one that could easily be
consolidated with the functions of the CFO, vice president of Finance,
Controller, or Assistant Treasurer.
This means that today's
risk managers must be quick, adept, and efficient. Management isn't as
forgiving as in years past. Mistakes by an errant risk manager can spell the
end of the department. This article examines common mistakes made by risk
managers and ways to avoid them.
Insufficient Attention to Loss Control
Many managers bemoan
high insurance costs (particularly workers compensation). However, skimping
on safety and loss control can result in higher, not lower, insurance costs.
Investments in work hardening programs, ergonomic studies of job duties,
safety rewards, and modified duty job programs can pay off in the long run.
It's the risk manager's role to get the CEO to support safety in a visible
way. After all, anyone can buy insurance. Safety and loss control, however,
keep the costs down. And without safety and loss control, it can be argued
that a risk manager is just a high-priced insurance buyer who can easily be
Often, a firm's loss
control program does not receive the attention it needs and deserves. Perhaps
one reason is that it is not as glamorous as some of the other realms of risk
management. With its emphasis on sprinkler heads, lifting belts, and
materials, loss control may suffer from the perception that it is very
pedestrian and mundane, like the boiler room in the bowels of a luxury cruise
liner. Somehow the allure of risk financing techniques (cash flow management,
retention levels, captives) seems ever so much more highbrow, analytical, and
akin to what business schools teach.
In addition, many risk
managers come from either the brokerage or finance side of the insurance
business, not from safety or engineering. This may explain the preoccupation
with risk financing, giving safety and loss control shorter shrift. The
latter is somehow not quite as glamorous as flying to the Cayman Islands to
explore that rent-a-captive! Could it be that loss control is just, well, not
as sexy as the risk financing side of risk management? Maybe, but many
organizations would be better off with the mundane and boring in lieu of the
excitement of accidents, crises, and fire drills.
Examine your daily
agenda and activity calendar. Does it reflect a clear commitment to loss
control? Many folks talk the talk when it comes to loss control, but only
their daily calendars and to-do lists show whether they walk the walk. In
fact, it could be argued that the more risk managers invest in loss control,
the less time and money they will need to devote to risk financing. The best
way to manage risk is to prevent a loss so that risk-financing issues become
moot! Risk managers should spend at least half their time on loss control and
safety. It is truly a sound investment of time and resources.
Letting Inertia Drive Servicing Choices
Using the same service
provider because it takes too much time or involves too much hassle to change
vendors is another common mistake risk managers make. There may be many
reasons for staying with the same provider: he or she is a personal friend or
relative of a key person in the organization, there may be considerable
panache associated with using a particular vendor, or simply historical
inertia. In corporate risk management, tradition can substitute for thought.
This can create situations where the same broker, actuary, insurer, and
third-party administrator are used year after year, their performance
notwithstanding. Complacent vendors may feel they have an institutional right
to your account.
This is not to say that
risk managers should continuously shop around their business or service
needs. It does, however, imply that risk managers should periodically
"stir the pot" regarding outside vendors, evaluating each on the
criteria of (1) results, (2) service, and (3) cost.
Step back and
objectively look at the service providers used. Ask, "Is my organization
deriving full value from the gamut of service providers we use?" The
answer may be, "Yes." You may feel like you are receiving adequate
or even superior service from your broker, safety engineer, actuary, or risk
management consultant. But without staging ritualistic beauty contests,
without testing the market periodically, how do you really know? Newer, more
innovative service providers may be able to do the job better and cheaper.
Risk managers should be
discriminating shoppers for risk-related services. This involves periodically
reevaluating all relationships, even those that are long-term, and appraising
each vendor in the cold light of day. This is not to suggest that risk
managers pursue only short-term relationships with outside service providers.
However, keep in mind that as a risk manager and company employee, you
undergo an annual performance review. Why should outside vendors be any different,
especially when their fees often dwarf a risk manager's annual salary, bonus,
and benefits combined? The question virtually answers itself.
Risk Management "Blind Spots"
Failing to recognize
loss exposures is a third frequently made mistake. One way this can occur is
by exclusively following "canned" exposure survey programs as the
sole means of risk identification. The problem with prefabricated checklists
is that they are not that helpful on an ongoing basis. As a result, there is
a danger that loss exposures which develop with operational or organizational
changes, new medical or scientific discoveries, legislative changes, new
product or service introductions, mergers, acquisitions, and similar events
will be overlooked until the next time the survey is updated. This often
creates recognition "lag time" that delays proper evaluation and
risk identification products are not customized to the needs of your
organization, which can lead to overlooked exposures. These tools represent a
starting point, not a terminus, for any hazard identification process. Risk
managers must develop their own methods for continuously monitoring changes
in the organization and its environment to quickly identify new exposures or
increases in the levels of existing exposures.
Inadequate Preparation for Consequential
This mistake is related
to the one above and involves the failure to consider and plan for the
possible "ripple" effects of the loss events. This includes items
such as hidden labor costs, loss of brand equity or reputation, market share
loss, contingent business interruption, effects of laws and ordinances, and
financial loss incurred from the death, disability, or departure of key
Not all post-loss
consequences are immediately apparent. For example, the cost of a claim, even
one covered by insurance, can be extraordinary. Aside from retained claim
costs via deductibles or self-insured retentions, there is the cost of
management time that could otherwise go toward making products or delivering
services. The hidden costs of a claim also involve the time wasted by management
in communicating with legal counsel, collecting documents, answering
interrogatories, preparing for and giving depositions, dealing with the
insurer, preparing for and attending trial, etc.
If you calculate the
value of management time per hour and multiply it by the number of hours a
company may spend defending (or pursuing) a lawsuit, you might find that
these costs exceed the amount at issue. This calculation places the wisdom of
settling or perpetuating litigation in a different light. Such hidden costs, in
management productivity and fruitless downtime, are uninsurable, but risk
managers must assess and track them nonetheless. Failure to do so may spell
short-term success in litigation, but long-run failure in business.
Avoiding Instead of Managing Risk
Since risk managers are
paid and judged on their ability to identify risks, becoming a professional
worrywart is an occupational hazard. The risk manager's job involves looking
at the darker side, to ask, "What if the following occurs...?" This
practice causes many to view risk managers as negativists, as naysayers who
always emphasize the downside of any proposed course of action. To an extent,
this comes with the territory. However, risk managers must guard against the
Chicken Little syndrome. If every new idea is greeted by the risk manager's
cry of "The sky is falling!" his or her credibility quickly erodes.
It is very easy for
risk managers to become occupationally tunnel-visioned. However, the job is
to manage risk, not to avoid it unnecessarily. Every business action involves
risk. Even standing still and clinging to the status quo entails risk. Risk
is inherent in business as in life. The risk manager can always find a
risk-related reason to avoid undertaking some proposed organizational action,
whether it is a possible merger or acquisition, introduction of a new product
line, or revision of an employee handbook. The risk manager should identify
the risks of any proposed course of action and (this is critical) develop an
action plan to reduce or finance the chance of loss.
For example, when Eli
Lilly, the pharmaceutical giant, began having lawsuits involving Prozac, many
patients also sued the doctors who prescribed the medication. To prove that
it stood behind its product and behind its physicians, Lilly took the
unprecedented step of offering to defend any doctor named in a lawsuit as a
result of prescribing Prozac. Although few physicians actually took the
manufacturer up on the offer, the goodwill engendered by this gesture paid
dividends with physicians who saw that the company stood behind the product. In
this case, the bigger business picture (retaining market share and
customer/physician goodwill) overrode the risk and liability concerns.
A narrow risk management
perspective would have argued against this course of action. Why embrace
defense of the doctors and expand the company's liability? But avoiding the
risk is not managing the risk, and the ongoing popularity of Prozac
reiterates the soundness of this risk management decision.
Failure to Communicate Effectively with
Inability to be on the
same wavelength as upper management is a career-killer and a common mistake
for risk managers. Risk managers are seldom fired or "outsourced"
because they are not up to speed on the latest commercial general liability
(CGL) form or the most state-of-the-art policy wording. More commonly, risk
management career longevity is abbreviated by communication, not competence, problems.
According to Jim
Gunther of the Harvard Aimes Group, what gets most risk managers in trouble
is their unwillingness to learn to speak the language of their boss and the
language of the greater enterprise. Further, many risk managers insist on
speaking "insurance-ese," posturing behind the jargon of their
craft. CFOs don't compliment risk managers on their elegantly crafted
manuscript policy, but rest assured, they will condemn the risk manager who
is unable to explain basic concepts to front-line and middle managers (and,
for that matter, top management) in language they can understand. Many risk
managers might derive more benefit from Toastmasters or a Dale Carnegie
course than a CPCU designation. This is not to suggest that technical
competency isn't important; just don't expect a lot of recognition for these
Effective risk managers
skillfully communicate their risk management goals, challenges, and
accomplishments. The following are just a few examples:
- Formal presentations to the
board of directors
- Fluency in written reports
and in business correspondence
- Deft use of the telephone
and of voice mail, on both the giving and receiving side of messages
- Proper observation of
"netiquette" in communicating via E-mail
"facts," particularly when presented by someone who has not
questioned the source and asked for simple backup or reviewed the source
- Informal 5-minute hallway
chats with the boss on a tough insurance renewal
- Requesting and responding
to an action plan or proposal from an outside service vendor
- Don't forget the personal
touch; it is vital and should not be overlooked. Effective risk managers
leave their workstations and offices to go eyeball-to-eyeball with folks
outside their department and their organization. Becoming too insular is
a career danger.
- Having the technical
excellence of a risk management Einstein will do little good without the
ability to listen, empathize, and communicate effectively in a wide
range of forums, contexts, and media. Note that listening is first on
the list. As one pundit observed, "God gave us one mouth and two
ears, and we should use them in just that proportion." The moral of
this lesson is to listen and hone your communication skills along with
your technical risk management expertise!
Failure to Develop Computer Skills
Since risk management
speaks the language of finance, a key financial tool is the computer and all
of the nifty functions software can perform. Risk managers who resist learning
and adding computer skills are not only Luddites, they flirt with becoming
Neanderthals. One might as well travel to the annual RIMS Conference by
Increasingly, the risk
manager's function requires fluency in computer systems, particularly
spreadsheet applications such as Lotus or Excel. It also helps if the risk
manager has a working familiarity with databases, networks, and cruising the
Internet and World Wide Web. Using computers should be second nature and hold
no fear for current risk managers.
This does not mean that
risk managers need programmer-level skills or need to be able to dissect and
reassemble a computer's internal circuitry. However, today's risk manager
should know the difference between Apple and IBM-compatibles, DOS versus Windows,
and realize a Pentium is not a Satanic symbol. In his book, Empires of the
Mind (William Morrow & Company, 1995), author Denis Waitley says that in
the 1990s, "You are either on-line or you are in a bread line."
While that may be overblown, the core idea has merit. Risk managers who are
"too busy" for computer training had better consider another line
Inadequate People Skills
Risk managers cannot do
their jobs alone. The Lone Ranger style of management is out; teams and
consensus building are in. Risk management, like other forms of
management, involves achieving results through the efforts of others. It is
essential that risk managers harmonize with other departments, especially
Finance, Safety, Legal, and Marketing, to execute their safety and loss
control plans. Risk management is not a one-person show. This places a
premium on people skills.
Look at the annual
"Risk Manager of the Year" Award given by Business Insurance. The
issue profiling the winners typically has at least one article and photo of
the entire risk management staff, large or small. The message here is that
while only one person's face is on the cover, winning the recognition as "Risk
Manager of the Year" requires an effective team effort. Players win MVP
awards. Teams win Super Bowls.
managers continually build "good karma" with other people and
departments. This implies generating a steady stream of non-self-promotional
communication to others about the activities, initiatives, and challenges of
risk management. This has many implications for how risk managers conduct
themselves on a daily basis. The following are some interaction suggestions.
- Include other people and departments
in risk management discussions which involve their functional areas.
- Ask yourself how you can
assist other people and departments within the organization.
- Lunch with folks from other
departments and solicit their input and opinions.
- Build bridges with other departments.
- Develop empathy.
- In general, be a team
In most organizations,
risk management is a staff, not a line, function. The risk manager does not
make the goods or services on which the organization depends for profit and
existence. It is the risk manager's job to serve those who make the products
and services. When the risk manager becomes more of a hindrance than a help
toward the corporate mission, the pink slip may be forthcoming. No risk
manager is an island. The most technically brilliant risk manager with six
specialty designations after his or her name will be an abject failure unless
he or she can relate to other people as people.
This common risk
management mistake involves trying to do it all yourself. Effective risk
managers must learn to delegate, a tall order admittedly at a time when
downsizing is rampant. A risk management career is more like a 26.2 mile
marathon than a 100-yard sprint. Even the most talented and hardworking risk
manager will burn out if he or she tries to do it all himself or herself.
To avoid risk
management burnout, risk managers must:
- Learn to delegate
- Achieve a sense of balance
- Possess a realistic view of
their talents and limitations
- Periodically "sharpen
the saw" by getting away from the job and engaging in activities
that provide a sense of self-renewal
As Clint Eastwood's
movie character Inspector "Dirty Harry" Callahan said, "A man
has to know his limitations." This holds true for risk managers. Don't
try to do it all yourself, and no matter how much you enjoy the job, get
completely away from it for 2 weeks a year. You will return with a completely
Failure To Document
One precept of medical
malpractice risk management is to document everything; as the saying goes,
"if it was not charted, it did not happen." This axiom applies to
non-medical settings as well. Risk managers need to remember that failure to
document may get them into a bind from which they cannot recover. American
coins may say, "In God we trust," but for all other settings, get
it in writing! This can include situations involving a side-deal or
understanding with an insurer regarding claims-handling prerogatives, an
understanding with the broker regarding annual compensation, and proof in an
E&O dispute that a particular coverage or endorsement was requested.
It is always better to
have this documentation and not need it than to need it and not have it.
Insurance is no longer done on a handshake. When a loss strikes, the broker
or underwriter may be long gone, transferred to some faraway branch office or
with another company altogether. If you have any side-deals or understandings
with your broker or underwriter regarding coverage, get them in writing!
Better still, explore having them incorporated as manuscript endorsements to
the insurance policy or at least incorporated by reference.
A related mistake is
not documenting management's approval of self-insurance or large retentions.
Management loves to hear about the premium savings that higher retentions
will capture, but corporate memories are notoriously short. If a big loss
occurs, collective amnesia may arise. Indeed, top management may be shocked
to find out how much loss the organization has retained, and demand to know
what idiot arranged the scheme. Thus, at the risk of appearing to indulge in
a C.Y.A. maneuver, document. Risk managers occasionally need such maneuvers.
As one sage said, "Even the paranoid have enemies."
insurance policies in the belief that they will never be needed again is
another common documentation-related mistake. Companies should keep their
insurance policies forever (especially liability policies), and the risk
manager should keep track of them. This is true for companies acquired by
your firm as well.
Lack of Creativity
Highly effective risk
managers must "think outside the box" occasionally. This means considering
noninsurance, nontraditional options for treating risk exposures. Today's
risk manager must reach into every corner of the organization, seeking ways
to improve safety, efficiency, and profitability. Risk managers work with
legal, human resources, contracts, facilities, customer service, safety,
security, workers compensation, accounting, finance, information systems, and
senior management. The job is limited only by the risk manager's appetite.
Creative solutions can
be found by venturing into disciplines that pundits traditionally consider
far afield from the risk manager's conventional venue. This terra incognita
includes human resources, safety, legal issues, and employee benefits.
Looking outside the traditional boundaries of a corporate insurance buyer was
the transitional wave of risk management during the 1980s. In the 1990s,
however, the risk manager must think like a corporate officer, with or
without that official designation. Creativity is key. Two examples follow of
risk managers who dared to think outside the box.
Nancy Chambers is the
risk and insurance manager at the University of Guelph in Ontario, Canada.
For a campus open house, the student Outdoor Club wanted to rappel down a
building. After hearing that it was too dangerous and could not be done,
students showed up with ropes and pulleys to prove how it could be done
safely. University engineers inspected the building, the participants'
equipment, and their qualifications. The result is that every year there has
been a rappelling demonstration at the open house. Creativity has its limits,
though. Other student-proposed events that were considered and rejected
include fire walking and riding large ice-blocks down grassy hills!
Patrick Walker, risk
manager of Watkins-Johnson Company of Palo Alto, California, once baby-sat a
stack of files on a pending real estate deal for his company's CFO while the
latter was vacationing. His orders were clear: if a call came in, he should
feel free to buy time and defer the topic for later action. Walker peeked at
the top file, phoned the agent and attorney for a status update, and
energized them to get moving. To his pleasant surprise, he got a call 2 days
later with word of a potential buyer. Creativity is one quality that can
quickly set risk managers apart and perhaps recession-proof their careers.
Inadequate Commitment to Continuous
Highly effective risk
managers regularly invest time to learn more about insurance, risk management
techniques, and the operation of their organizations. This might involve
formal education, such as for the CPCU and ARM designations, seminars on
actuarial methods, or courses in teambuilding or some other specific
management skill. This also means reading all you can about your industry,
whether construction, health care, or retailing. It even means picking the
brains of folks who know more about your specialty than you.
Risk managers err by
thinking that they are too busy to pursue continuing professional education.
Life is a classroom. Effective risk managers are always learning, continually
supplementing their intellectual storehouse of knowledge, skills, and ideas.
Continuing education is the risk manager's own personal research and
development program. Like any business, it takes ongoing R&D to avoid
failure. Risk managers must find concrete ways to apply the knowledge they
glean from these continuing education efforts.
levels do not guarantee tomorrow's success for risk managers. In fact,
today's skills do not guarantee tomorrow's success. The learning process for
risk managers never ends. Highly effective risk managers are like sharks: if
they do not keep moving, they will, at least professionally, stagnate and die.
Effective risk managers keep studying and finding ways to apply what they
learn. For today's state-of-the-art risk manager, class is always in session.
The 12 common mistakes
discussed above are admittedly incomplete and subjective. To avoid most of
these mistakes, risk managers must ask themselves each day, "What am I
doing right now to add value to this organization/department/project or work
team?" The list of career-killing minefields is daunting; Figure 1 provides a list of other common risk manager
mistakes. Today's risk manager has a tough job indeed!
As the philosopher
George Santayana said, "Those who ignore the past are condemned to
repeat it." Examine risk manager mistakes, not out of voyeurism, morbid
curiosity, or smug satisfaction over "the other guys" who blunder.
Learn from these mistakes, if only to avoid them. The challenges of risk
management have never been greater. Fortunately, though, never have the
rewards been as promising.
More Risk Manager Mistakes: An Informal
A recent informal poll
on an Internet risk management discussion forum produced the following
additional nominations for common risk management mistakes.
- Not understanding the
worst-case scenario of loss-sensitive rating plans or deductible plans
or failing to communicate it to top management
- Not fully understanding the
difference between deposit and earned premiums or failing to determine
how final premiums will be determined
- Not understanding the
entire insurance policy, particularly the application of the exclusions
- Trusting blindly a broker's
understanding or representation as to what is and is not covered
- Thinking that a broker will
reverse an insurer's coverage denial of a gray area loss
- Failing to purchase
adequate insurance limits
- Not meeting face-to-face
and in person periodically with primary and lead underwriters
- Being afraid to use a
consultant to validate your program
- Taking credit for premium
reductions in soft markets
- Routinely shopping
insurance programs every year or 2
- Becoming a specialist
rather than part of the management team
- Believing you are
- Spending too much time on
professional organizations (e.g., RIMS, CPCU Society) at the expense of
- Not realizing that insureds
do have loss reporting duties under a self-insured retention
This piece was authored by:
QUINLEY, CPCU, ARM, AIC, AIM
MEDMARC Insurance Company
Mr. Quinley is senior
vice president of Risk Services for MEDMARC and Hamilton Resources Corp. in
Fairfax, Virginia. He has written over 250 published articles and five books
on claims and risk management, including Litigation Management, published by
IRMI. He teaches classes in commercial risk management and insurance for The
CPCU Society. Mr. Quinley received his B.A. degree from Wake Forest
University and his master's degree from the College of William and Mary.
acknowledge the cooperation of, the author, Mr. Quinley and Jack Gibson of
International Risk Management Institute, Inc., the publisher. Permission has
been granted by the copyright owner to Harvard Aimes Group to post this
article. No further permission to post or re-transmit this item is given or
implied by Harvard Aimes Group as such permission can only be given (in
writing) by the Copyright holder.
THE RISK REPORT
Copyright © 1996 by International Risk
Management Institute, Inc., 12222 Merit Drive, Ste. 1660, Dallas, TX
75251-2217, 214-960-7693. Jack P. Gibson, editor; Bonnie Rogers, assistant
editor. ISSN 0197-7539. All quoted or reproduced only with permission in
writing from the publisher. New subscription cost: $159/yr. Renewal: $149/yr.
ALL RIGHTS RESERVED