Tuesday, January 30, 2018

What is Your Risk Appetite?


What is “risk appetite”?  While there are many definitions, the University of California provides a very straightforward explanation:

Risk appetite is the total amount of risk, in broad terms that an organization is willing to accept in the pursuit of value.”

If there is not clear understanding from all levels of an organization as to how much risk the organization is willing to take in pursuit of value, attempting to incorporate risk management practices into strategic planning will be difficult.  In addition, daily business decision making may be frustrating or time-consuming to reach consensus.  Stakeholders within the organization need to agree on the type and amount of assumed risk.   Risk appetite is an overarching philosophy that can be distilled into a written statement to serve as the foundation for the development of risk management goals and plans. 

An organization’s “risk tolerance” works in tandem with risk appetite, adding a number of quantitative and qualitative metrics as boundaries.   For quantitative measures, financial performance indicators are a good tool (not losing X% in operating capital for example).  And qualitative measures such as reputation, employee safety, and regulatory requirements are also good tools.  While qualitative measures are not evaluated by numbers, they offer another aspect to determining tolerance.  Setting quantitative measures will require some discussion to establish agreed parameters.  For an inclusive measure of tolerance, metrics should include a blend of both qualitative and quantitative measures. 

Why is understanding risk appetite and tolerance important when all you want to do is manage that which can potentially affect you from reaching your goals? The 2012 RIMS Executive Report, Exploring Risk Appetite and Risk Tolerance, authors provided a number of benefits for an organization having a defined and measurable risk appetite and tolerance:

1.     It encourages an organization to take measured risks in order to generate value and avoid intolerable losses.
2.     Aligns stakeholders on the amount and type of risk the organization is willing to take.
3.     Creates awareness about and actions to prevent, excessive levels of risk that could lead to adverse consequences.

From my experience, the process of developing a risk appetite and tolerance statement is almost as important as the statement itself because it brings together different stakeholders within the organization who each look at risk through a different lens.  This exercise can make future work on strategic goals or tactical decisions easier since the participants were able to contribute to the development and foundation of the risk management program.

What does a risk appetite/risk tolerance statement look like?  Here are a couple of statements provided in the 2016 RIMS Executive Report: The Steps to Successful Risk Taking.

Appetite: “Our organization operates in a highly competitive market. To compete we must adopt a higher risk appetite related to product development and partnerships.”
Tolerance: “We will not accept a risk in a new business line that will reduce our operating earnings by more than X% over the next ten years.”
Appetite: “We will not enter markets that create a substantial risk to the brand. Cost of entry, legal considerations, and risk of loss with an ROI premium will be assessed prior to market entry. We will ensure the distribution network as a whole remains profitable.”
Tolerance: “New subsidiaries achieve break even within X years and the distributor net­work is profitable (net profit before tax).”

Risk appetite and risk tolerance are concepts that are the foundation of a good risk management program.    Of course, every organization, its operations, and team are different, so these examples are meant to help you start thinking about how your firm approaches risk.  Do you have a sense of your firm’s appetite and tolerance?  Is it memorialized it in writing?

Until next time, stay safe and be kind to one another.

Sunday, January 21, 2018

Insurance is not Risk Management

As I mentioned in a previous post, I served as Navy Logistics Officer for over 20 years.  One of my duties was to proactively identify, analyze and prioritize pure risk associated with upcoming tasks or operations.  After that, I implemented techniques to eliminate or mitigate the effect of any potential risk on the exercise or operation.  Insurance procurement was never part of the strategy.  We simply tried to prevent risk or minimize harm. 

Fast forwarding to my second career, I found it curious the first time I was asked to contact our insurance broker to see whether there was an insurance policy to cover an exposure that concerned us. After a few similar requests from my colleagues, it seemed that this was how our risk was regularly “managed”, by purchasing an insurance policy.  When there was no time or resources to engage in a risk management process, I saw how insurance can be a quick and viable solution…but it’s just vanilla pudding.

Risk management is a parfait.  Imagine a banana pudding parfait (this happens to be my favorite which is why I am using this analogy).  On one layer, you have graham cracker crumbs (strategic plan), next you have whipped cream (policies and procedures), then sliced bananas (risk mitigation programs like loss control and emergency management), and finally the vanilla pudding (insurance).  As you can see insurance is just one layer to the parfait known as risk management.

·       Strategic Plan – Outlines the firms overall approach to risk management and defines long and short-term goals.
·       Policies and Procedures -Well written risk management policies and procedures that support the strategic plan and are the substance of the risk management program.  They may define risk appetite (what will be retained and what will be transferred to an insurance company), how to assess risk as well as how to mitigate risk.
·       Risk Mitigation Programs – Dependent on the operation.  Examples are programs for loss control, emergency management or physical or cyber security.
·       Insurance – The risk financing component of your risk strategy.   

Insurance alone is not a risk management plan.  It’s just the vanilla pudding.   

Until next time stay safe and be kind to one another.

Sunday, January 14, 2018

Who's who in the Risk Zoo?



In the world of risk and insurance, there is a growing number of "players" and participants and they come from a variety of backgrounds such as; legal, actuarial, accounting, finance, operations, insurance, safety, and security. Each possessing a different skill set and approaching risk from a slightly different frame of reference, but all with the same goal.  While every role in risk management is important, for the purposes of this blog, I want to limit the conversation to three. The Insurance Broker, The Insurance Underwriter, and The Risk Consultant.   


The Insurance Broker:
  If you have ever purchased insurance (either for business or personal reasons) chances are good that you purchased your coverage through an insurance broker.  This sounds pretty basic, except in many cases the term Insurance Broker is unknowingly used synonymously as Insurance Underwriter.  Insurance brokers and insurance underwriters may work in the same industry and serve many of the same customers, but their primary duties are very different.  An Insurance Broker is the primary point of contact between the client and the insurance companies. Their chief responsibilities are: 

  • Gather information about the risk exposure of the client and present the information along with the coverage requirements to several underwriters shopping for the best possible coverage on behalf of the client. 
  • Collect the quotes from the underwriters compare the differences in coverage and rates.  Make a recommendation on a selection based on an understanding of the client's needs and the availability of coverage. 
  • Perform administrative tasks associated with managing the coverage throughout the policy period; such as providing certificates of insurance, making policy changes, maintaining accurate records, and processing policy cancellations and renewals. 
  •  The Broker communicates frequently with the client answering questions and educating them on different aspects of the coverage that has been purchased.   



The Insurance Underwriter:  The insurance underwriter, on the other hand, works for the insurance company.  In some cases, the underwriter and Broker will work for the same company, but in most cases, the Broker and Underwriter work for different companies.  The Insurance Underwriter almost never communicates directly with a client.  The Underwriter's chief responsibilities are: 

  • Analyze the information the Broker has presented on behalf of their client in regard to insurance coverage. 
  • Decide on the extent of coverage and the rate for the coverage that can be provided adhering to the insurance company's policies, and allowable risks. 
  • Communicate the decision to the Insurance Broker and the company. 



The Risk Consultant:  Finally, the Risk Consultant is an expert advisor who can help organize, prioritize and make sense of the chaos we know as the risk.  The Risk Consultant works directly for the client, exclusive of the Insurance Broker.  The Consultant's chief responsibilities are: 

  • Help the business decision makers (Client) identify, analyze, and prioritize potential risk. 
  • Help the client understand their appetite for risk and develop a strategy for managing their risk. 
  • Act as an advisor to the selection of a Broker and with navigating the complexity of an appropriate insurance program (in support of the risk finance strategy). 
  • Advise on programs, policies, and procedures to supplement risk financing in developing the company's overall risk strategy. 



One thing to consider when interviewing your insurance broker and you are considering engaging a Risk Consultant; select someone who has experience in your particular industry.  Insurance is not one size fits all so the more experience your Broker and Consultant have in your particular industry, the better the recommendations will be suited to your needs 

And so, you see, help is much closer than you might have thought and it is not necessary to go it alone.  



Until next time, stay safe and be kind to one another.  

Sunday, January 7, 2018

What’s risk and why do I want to manage it?


I figured a good place to begin this journey is with a discussion of what’s risk and why are we talking about it? In the daily routine of running a business and making a living managing cash flow, making payroll, meeting customer deadlines, and generating new business all usually take precedence over risk.  And everyone feels like they have a good handle on managing "the important risk" (put locks on the doors, secure valuables, make sure good lighting is available for safety and security.  But do you know what you don't know?  Are you aware of and do you have a plan for managing the seemingly inconsequential task or event that can have an impactful effect on your business? 

By one definition, the process of controlling risk is risk management: “The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. An organization may use risk assumption, risk avoidance, risk retention, risk transfer, or any other strategy (or combination of strategies) in proper management of future events.”  http://www.businessdictionary.com/definition/risk-management.html

I like this definition provided by Business Dictionary website because it not only includes the concept but also the process in the definition.  The basic process consists of six simple steps:

1.       Identify
2.       Analyze
3.       Prioritize
4.       Control
5.       Measure
6.       Adjust

September 11, 2001, changed the way many of us look at risk and the ways it can impact our businesses and our lives. It became seemingly clear that it does not really matter the size of your organization, there is risk present every day that can affect your ability to reach your organizational goals.  Accept and embrace this fact by identifying the risks, analyzing and prioritizing the risk, then controlling the risk through a number of different risk strategies (or combination of risk strategies). 

I understand you don't have time to do all of this and run your business as well.  Not to fear, there is help out there and, in some cases, it is closer and more economical than you might think.  In my next post, I will introduce you to the different players (some you already know and some you may not). 


Until next time, stay safe and be kind to one another.

Tuesday, January 2, 2018



Happy New Year and welcome to The Risk Chat. 

I am Shawn Thornton and I will be your host and moderator.  Since my childhood, I think I always had an inherent awareness of risk.  Many called that being a “rule-follower”, to me it meant calculating the risk of following versus not following the rules and determining the best outcome.

This naturally led me to a career in the military as a naval Logistics Officer.  I made an exciting career managing operational risk with the U.S. Navy around the world and for the past 9 years, I have work with two amazing companies in the real estate development industry.  My latest experiences have introduced me to the world of risk financing (a.k.a. Insurance).  After all of this time analyzing, embracing and managing risk, there is another layer to the parfait.  Insurance can be a bit daunting and mystifying, but with a little understanding, it becomes a welcomed component of your risk strategy.   Risk awareness is my life and it is my passion.  I look forward to sharing this passion with you.

I have three goals for this blog:
  1. I hope to share tips, best practices, and anecdotes about everyday risk facing businesses, every day.  While I do not want to limit who can read the blog, I think there will be something for everyone; the blog will be geared toward small and medium-size businesses.  In the daily routine of running a business and making a living, managing cash flow, making payroll, meeting customer deadlines, and generating new business all usually take precedence over risk. 
  2. Risk is all around us, it always has been.  There is a greater awareness now through better technology and instant communication.  How to be more aware, appreciative and to incorporate risk into a decision-making regimen is a focus. 
  3. To keep things spicy, I will co-author periodic blog posts with friends and colleagues.  I also hope to receive suggestions from you on questions you might have or topics you might like to see covered. 

So, 2018 begins the journey.  I look forward to making this journey with you.