Thinking beyond insurance purchases to a new cost-of-risk metric can reduce financial and operational exposures.

As risk management moves from a tactical approach centered on insurance to a strategic approach that emphasizes enterprise risk management (ERM), risk managers and finance executives need to develop new tools to handle the emerging demands generated by this shift.

The traditional tools -- cost-of-risk metrics -- have served executives well. They tend to focus on insurance-based aspects of risk, including the price tag for premiums, claims and administration. But those metrics alone no longer do the job, because they usually omit the costs of the processes used to manage and reduce risks to acceptable levels. For example, they ignore expenditures required for setting up the policies and procedures that will help reduce the number and severity of accidents as well as the opportunity costs and cost of capital associated with insuring and retaining risk.

A Difficult Path

But developing a new and more relevant cost-of-risk metric is not easy. "The biggest problem is tracking the costs, because it can be difficult to identify specifically what is spent on managing operational risks," says David Bradford, executive vice president of New York City-based Advisen Ltd.

In addition, there are structural barriers to changing the cost-of-risk calculation. In many companies, risk is handled by more than one function, with little or no interaction among the groups. Financial risks rest with the CFO/controller, treasury handles capital market risks, human risks are the purview of HR, the environmental health and safety group manages environmental risks, hazard risks are the responsibility of the insurance risk manager, and business risks stay with operations, for instance. In this environment, coordinating and measuring the cost of risk becomes more difficult. "The problem is that ERM is done either halfway or without a comprehensive standard," says Kirk N. Walsh, vice president of Risk International Services Inc. in Charlotte, N.C. "To gain the true benefits of ERM, a company must commit time and resources to understand all risks and their impact on each other, using an agreed-upon method of measurement," he asserts. "Only then can a company really understand their true cost and correlation of risk and what methods they should employ to manage it."

The scope of decision-making is also limited to individual functions. "Even risk managers tend to make coverage decisions in silos by looking at each line of insurance coverage individually and deciding to retain more property risk because insurance rates for that line of coverage are increasing," says Ed Koral, senior manager with Deloitte Consulting LLP in New York City. "Then, a few months later, they are deciding how much casualty risk to retain rather than looking at all lines of coverage as a portfolio of risks." By taking an integrated view of risk, a company can determine the optimum level of coverage and retention based on all of the risks it faces.

New ways of measuring and managing the cost of risk involve more than a holistic view of risk; they require risk managers to change their mind-set. "Risk managers need to stop thinking of themselves as insurance buyers," says Richard Sarnie, director of risk management for Engelhard Corp., a basic materials company based in Iselin, N.J. "They need to become a resource to business groups to help them manage overall risks -- not just physical risks, but business risks."

Even after companies have gathered the relevant data on a new cost-of-risk metric, they may find that benchmarking that metric is a challenge. "There are big differences among tracking metrics [across corporations], because ERM is unique to each organization," says Anne Marchetti, global practice director, global service line lead, at Parson Consulting in Chicago. For example, if a company relies on only one or two suppliers for a key manufacturing component, it will incur one level of component-availability risk by maintaining the status quo and a different amount of risk by expanding its slate of suppliers. However, another company is unlikely to face the same level of risk because its circumstances differ.

Yet even if benchmarking is not widespread, companies can still share information about their ERM efforts -- what they have learned, and what they have gained from documenting and implementing an ERM strategy. "There are tangible financial benefits associated with ERM, and it can help companies to minimize the cost of risk," says Marchetti. "Companies need to focus on executing to their plan and not just getting the plan on paper."

Expanding the Cost of Risk

Convergys Corp. has been moving beyond traditional measures of the cost of risk for the past couple of years. "The traditional approach to measuring the cost of risk does not measure risk exposure," says Carol Fox, senior director of risk management at the Cincinnati-based outsourced business services company. "We are looking at risk holistically and not focusing on specific lines of coverage." This means looking at which risks are likely to occur regularly as well as at one-time risks that are less likely to occur but could have a significant impact on the company if they do occur.

Whereas traditional cost-of-risk metrics look at past risks and expenditures, this broader cost-of-risk metric focuses on the future and potential risks that Convergys could face. The company's initial assessment includes operational risks that may occur during the next 12 to 18 months, but the more strategic appraisal -- handled through the organization's strategic planning process and management committee -- involves risks up to 10 years in the future. However, there is no set approach to measuring the cost of risk in this manner. The first step is to interview senior leaders within the company about "what keeps them up at night" and engage them in discussions of what risks they face in running the business, says Fox.

By looking at these risks holistically, Convergys can better measure its risk exposures and costs and then develop specific action plans to deal with those risks. "You have to expand your data points rather than focus on whether you are spending [a certain amount] on insurance," says Fox. "This process is much broader and more internally focused." Fox and her colleagues must understand the risks facing all areas of the business, from support organizations to business units.

The action plans allocate resources to risk-mitigation efforts that are likely to generate the highest return. To make those determinations, Convergys looks at several factors, such as the size and importance of a risk and its potential effect on the company, and then assigns each risk to one of four bands representing levels of priority. Fox emphasizes the importance of taking a macro view when allocating these risks. Once the priorities are set and the company begins to take action on a risk, it can dive into more detail, she notes.

This method of measuring the cost of risk not only results in operational changes, but also lets Convergys take a broader view of its insurance programs. "We look at insurance deductibles and consider why we are buying insurance at a certain level," says Fox. "It often leads to a change in the way we spend our risk management dollars as we look for ways to use our resources more judiciously." And when the company does purchase insurance, it uses the information gleaned from this process to communicate with underwriters about risk mitigation and control plans. "This creates a higher comfort level among insurers that management takes risks seriously and has a risk mitigation plan in place," says Fox. The company's business continuity plans already have had an impact on underwriters.

Convergys has only begun the shift to the new cost-of-risk metric and will be undertaking its second iteration this year, says Fox. How frequently a company updates its information and goes through the process will vary according to its needs. "It is important to adapt it and make it your own," she says.

Building New Relationships

For many risk managers, tracking and measuring an expanded cost-of-risk metric will require new relationships with workers throughout the company, particularly employees in the finance functions. Although Fox has long had a strong working relationship with the company's internal audit group, this new approach to measuring risk and the cost of risk is causing her to work even more closely with that department and operational managers. For example, this year, the company's internal audit group will be focusing its audit activities on the risks identified in 2005 to see how effective the mitigation plans for those risks have been and are likely to be.

Engelhard's Sarnie has a ready-made method of developing new relationships. He is a member of the company's finance council, which is headed by the CFO and includes the business unit controllers and the heads of tax and treasury, among others. It is in this environment that Sarnie gathers information from other council members about emerging risks facing the company. By making these contacts, Sarnie says, he is more likely to hear about new products or markets into which the company is expanding and offer advice about the risks to consider, their associated expenses, and how to minimize both.

When risk managers have established these valuable relationships, they can help other managers and executives consider the level of risk associated with different types of business activities so that they can require a specific rate of return that will compensate the company adequately for the level of risk involved. For example, if one business unit is assuming a higher level of risk than other units, the company can use that information to determine whether the performance of that unit -- and the returns --are strong enough to justify the additional risk or whether to exit the business altogether. Says Jim DeLoach, Houston-based managing director at independent internal audit and risk consulting firm Protiviti Inc., "Companies need to look at what level of market share, growth, revenue and operating margin they want and how much risk they are willing to accept to get there."