Organizations face complex risks each and every day – and not all of these risks are mitigated by insurance products. Risk managers face an increasing number of risks that, technically, are not insurable.
While organizations can insure against natural disasters, loss of a key decision maker, or cyber-attacks, it’s much harder to minimize exposure to new regulations, new presidential executive orders, or changes in the political or economic landscape.
How can organizations respond when these events are taking place? What about when they are happening at the same time? Below are some ways you can work toward reducing your organization’s uninsurable risks.
Risk managers do their best to identify organizational exposures – not only for insurable risks, but also for uninsurable risks. They then work to reduce their exposure. Risk management, or Enterprise Risk Management (ERM), typically involves identifying particular events or circumstances that could cause harm to an organization, and then assessing potential events in terms of organizational risk tolerance, likelihood and magnitude of impact, possible response strategies, and finally the monitoring process.
There are ample reference materials describing the risk management process. The five risk areas most often addressed within this framework are risks related to assets, revenue, data, key personnel, and reputation.
This last risk—reputational risk—is getting special attention recently because of how fast news can spread (particularly through social media), whether accurate or not. And the resulting harm can be very damaging. Let’s take a closer look at reputational risk.
Reputational risk is the risk of loss resulting from damage to an organization’s reputation. This damage can result in lost revenue, increased operating costs, or even loss of donors in the case of a not-for-profit.
Adverse events typically associated with reputation risk include ethics, safety or data security breaches, and service failures. Extreme cases may even lead to bankruptcy (as in the case of Arthur Andersen). The reputational damage may not always be the organization’s fault, as in the case of the Tylenol murders, which left seven people dead in 1982.
We have all seen how reputational risk can jump out of nowhere—such as the recent event at the Oscar awards, wherein the PwC accounting firm provided the wrong envelope. Or the even more recent event of someone capturing video of a passenger being removed from an airline flight.
An organization’s reputation is often said to be its most valuable asset. No amount of money can restore reputation once it has been lost. Therefore, you must have a proactive approach to managing even minor situations with the public.
Warren Buffett once wrote in a letter to his top managers, “We can afford to lose money—even a lot of money. But we can’t afford to lose reputation—even a shred of reputation.”
Five Things You Can Do Now to Protect Your Organization
Review current insurance coverage
Insurance coverage should be reviewed to make sure it covers new developments, to the extent possible. New developments can result from emerging risks (such as cyber-attacks), or new court decisions that increase liability risk.
Having insurance can mean money is available to resolve a claim before it hits the papers and damages reputation. Consult with your insurance providers and advisors to make sure your insurance is adequate and current.
Organize an ERM process
The ERM process is simple: understand the risk tolerance of your organization, identify risks based on interviews and observations, quantify risks with regard to impact and frequency, and mitigate/monitor the identified risks.
When quantifying risks, watch for impact more than frequency. Generally, impact or magnitude is much less predictable than frequency, but can be much more devastating to the organization. For example, consider the BP Gulf oil spill.
Organize a Safety and Compliance Committee
A Safety and Compliance Committee has two purposes: to help reduce the risk of workplace injuries and illnesses, and to ensure compliance with federal and state health and safety regulations. Establishing a workplace safety and compliance committee is one way management can encourage employees to participate in implementing and monitoring the organization’s safety program.
Add board members with specialized skills
Risk-taking lies at the heart of all impactful activity – and monitoring management’s efforts to identify, monitor, and manage risk is a key responsibility of the board of directors. The board has a vital role to play in assisting management to:
- Focus on the risks associated with strategies and the ever-changing business and geopolitical environment,
- Determine the organization’s risk appetite, and
- Devote appropriate resources to risk identification and monitoring.
Identifying and understanding both emerging and long-term risks can be difficult. Boards should press management to continually scan the environment and think about both the immediate future and the longer-term outlook. Many boards have added directors with specialized skills to help navigate unique risks associated with their organizations.
Implement strong policies and procedures
Some risks, such as those resulting from inappropriate or unethical behavior, can be reduced by having strong policies and procedures. Organizations should have policies addressing behavior, such as an updated HR policy manual, a Conflict of Interest Policy, and a Whistleblower Policy.
This article was originally published by Miller & Nash|Graham & Dunn.
© Clark Nuber PS, 2017. All Rights Reserved