Lessons From The Trenches: Lesson #2
In my years in risk management, I couldn’t help but notice three constant lessons that keep popping up for me, and every time I ignored one of them I paid for it. In my last post, I addressed Lesson #1: Know the Odds.
Now the second lesson: Never take too much risk for very little reward.
It is well understood that risk is intrinsic to any business undertaking, but the true quandary of navigating the risk vs. reward equation comes down to understanding how much risk an organization can realistically afford to bear in the accomplishment of its objectives. On this point, it is often said that according to Warren Buffett, the first rule of investment is capital protection and the second is to refer to rule number one. In risk management parlance, the Buffett rule would equate to the risk manager’s mission to first and foremost protect the organization’s value.
In every aspect of their businesses, organizations are confronted with the decision as to what amount of risk they could reasonably retain, transfer or avoid altogether. Because risk professionals are in the business of protecting their organization’s value, they would be better served, when evaluating risks and potential risk treatment options, to heed the Oracle of Omaha’s advice.
As an illustration, organizations of all sizes are now confronted with the decision of whether or not to buy cyber coverage. In considering whether cyber coverage is an option, risk managers would have to understand the amount and nature of data held by their organization (Personally Identifiable Information, Payment Card Industry information, Private Health Information).
With a good understanding of their organization’s data, risk professionals can enlist their brokers and/or carriers to understand the kind of solutions available in the market for the type of information at risk. Savvy brokers would know and understand what solutions the markets can provide. This is where it would be a good idea for those in charge of risk, with the help of brokers and/or carriers, to compare the solutions available and see whether there could be a solution tailored to their specific risk.
My own observation in this area is that renewal discussions seem most often centered around premium or benchmarking with peers. While these are valid data points in the analysis, in themselves they are not the magic bullet. If risk transfer is ultimately considered merely on the basis of these, without consideration of the actual risks facing the organization, then the organization might end up buying too much or too little coverage, either of which is ultimately detrimental to the organization.
The worst scenario would be to find out after a loss that there is not sufficient coverage or that the existing policy has little to no coverage for the type of claim at hand. The key takeaway is that those in charge of risk are to help their organizations take calculated risks rather than assuming risks by default.
I’ll cover lesson #3 in a future Risk Insider article — stay tuned.