Realizing the True Cost of Risk
Let me get right to the point: Total Cost of Risk (TCoR) usually isn’t.
Don’t get me wrong — calculating the Total Cost of Risk makes a lot of sense. Understanding our risk-related costs allows us to focus on those areas where we can reduce our expenses. The problem is that we often miss the “slow drip” costs in our risk control efforts, meaning we can miss opportunities to save our organizations some serious cash.
Why does this happen? A lot of it comes down to how we traditionally define the elements of our total cost of risk. The profession has agreed (for the most part), that TCoR contains three elements:
Total Cost of Risk = Insurance Premiums + Retained Losses + Risk Control Costs
Calculating our insurance premium costs usually doesn’t cause us too much heartache. We pull out the invoices and tally up how much premium we paid. It doesn’t really matter if we utilize a captive or place lines in the market; premium is premium.
By applying this cost-focused risk lens to their business processes, organizations tap into a wider pool of expertise when identifying systemic inefficiencies.
Sure, we might need to do some fancy allocation math, but let’s be realistic: If we don’t know how big the insurance check is every year then calculating TCoR is probably the least of our worries.
You might think that calculating retained losses should be pretty straightforward as well. Traditionally we would include items like deductibles (insurance or workers’ comp), costs of minor repairs or replacements, ex gratia payments, etc.
But what about the losses we retain from missing an opportunity to be first to market with a new product? What about our lost sales revenues caused by product recalls or data breaches? For all the talk about the value of reputation, how many organizations currently factor in the loss they retain when their reputation takes a hit?
Risk control costs can include both internal and external expenditures, and are often the hardest to track. Traditionally, we would include costs of attorneys and auditors, the salary and benefits of our risk management teams, and maybe the training and equipment costs of our safety or quality programs.
But what about other costs of regulatory compliance such as complying with environmental protection requirements? Do we account for the staff time it takes us to perform our SOX audits? What about the payroll tied up in business or enterprise risk register review sessions?
By applying a broader, enterprise definition to retained losses and control costs, organizations can identify new opportunities to reduce cost across the full spectrum of risk.
By applying this cost-focused risk lens to their business processes, organizations tap into a wider pool of expertise when identifying systemic inefficiencies. Accounting for those inefficiencies through a robust TCoR process can help to drive risk-informed improvements to business processes, and accelerate cost savings.
After all — reducing the true total cost of risk is something leaders of every organization can get behind.