Everyone seems to be claiming they are risk management experts, but clients must find those with the real know-how to get the right advice, as Dr Alan Waring explains.
So, you're a risk management expert? “Me too. And me”. Suddenly anyone with any kind of professional connection with risk management, however defined, is claiming it to be their fiefdom. From insurance brokers and account executives to Independent Financial Advisers, from property loss control surveyors to accountants, from IT security advisers to financial auditors, from engineers to lawyers. Patently, they all have a legitimate claim to be engaged in the field of risk management but, equally clearly, they cannot all be experts across all areas of the very wide spectrum that is risk management.
To me, risk management is an all-embracing term covering the identification and evaluation of both pure risks (for example, safety, fire, environmental hazards) and speculative or opportunity risks (for example, ecommerce, contracts, marketing, IT strategy). Generic coping strategies may involve any or all of avoidance, deferment, reduction, sharing, limiting, mitigation and financing (transfer or retention). A lot of people, however, see risk management as just an alternative term to insurance.
Does it matter? Of course it does, if unsuspecting clients are not receiving the right advice and support for their particular needs. The struggle for survival, growth and prosperity demands responsible risk taking to enhance shareholder value and reduce the cost of capital to the business. For example, the Stock Exchange Combined Code on Corporate Governance and Turnbull guidance emphasise that risk management is an essential part of good corporate governance. It has become necessary for all organisations, whether SE listed or not, to know and understand far more coherently than before the array of internal and external strategic risks which may affect them. Incomplete, partisan or defective advice can have serious consequences.
The Combined Code and Turnbull report make clear that the management of risks to the business should not be seen as primarily a function to be controlled by the narrow interests of finance departments and internal audit, since so many different functions and disciplines are likely to be involved. One guide on managing risk and achieving Turnbull compliance from a respected accountancy institute notes that as Turnbull does not clearly define “business risks”, the term may be construed as equivalent to “strategic risk”. Yet nowhere does it define this all-important term “strategic risk”. Nevertheless, finance and internal audit seem to have captured the field and many onlookers are concerned that they may be defining the nature of risks and management of them in areas way beyond their scope of experience.
But what about the insurance sector? Are they any less guilty of extravagant claims? Why have claims to risk management expertise taken on such a high profile? One reason may be the fact that transactional business remains relatively flat and the soft market conditions have compelled brokerage firms to seek additional revenues from perceived growth areas, like risk management. There is nothing wrong in adaptation for survival. However, claims to expertise must be solid and risk management should not be merely a euphemistic cloak to mask the traditional selling of insurance – plus a token or minuscule amount of technical risk services thrown in for “added value” as part of the brokerage fee.
Where's the added value?
In addition, the traditional linear model of insurance is dying fast. The rigid broker-controlled relationship between client and carrier must, and I believe will, change. Many of the transactional aspects of insurance have become commoditised and the advent of ecommerce will enable greater transparency and speed. As clients become more knowledgeable and demanding, any undifferentiated transactional products become less and less interesting. Unless a broker or carrier has a substantial risk management consulting capability to offer, price is often the only differentiation between rival bids. Clients are therefore asking: Where's the added value?
Some brokers have seen the light and seek to provide a wide range of risk management expertise on a proper consulting basis, separately budgeted from the client's transactional fees. This is more than simply disentangling commercial and consulting activities and the different professional standards and ethics demanded. They have recognised that, whereas account directors and account executives should be experts in risk financing, they are usually out of their depth in the wide range of other risk strategies that should take precedence over insurance, and in the many risk areas that require in-depth technical knowledge. Increasingly, firms in the insurance sector are contracting out to independent consultants the provision of risk management expertise to their clients. This is so that they can concentrate on the transactional business and developing and maintaining client relationships. This strategy also enables them, with low overhead costs, to tap into an array of specialist expertise to match the wide range of risk areas encountered by their clients. Typically, independent consultants will provide highly experienced specialists holding master's degrees and chartered status, which adds confidence to their advice and recommendations.
In the new context, it is no longer sensible for client organisations to rely largely on insurance as the basis of an approach to risk management. Risk financing is a vitally important component in the risk management strategy mix, but should not be predominant, even though insurance remains the standard approach to risk management in many developing and third world countries.
A practical proposition
In the new scenario, three key linked areas need to be addressed:
Business risk appraisal
In the past, many organisations have addressed risks in a fragmented and incomplete way, with the result that their overall risk exposure is much greater than they realise. The strategic risks to a business are many and varied, but inevitably they interact. Strategic risk management will also involve assessments of the risk of not taking critical actions, for example, developing new markets and adequate brand valuation. Not all the examples of risk areas listed below will always represent strategic threats to an organisation. An important aim of risk appraisal is to identify both threats and responsible risk-taking opportunities and, crucially, how they interact.
Speculative risk areas | Pure risk areas
HR risks | Health & safety
Major change strategies, BPR | Major hazards
Political risks | Fire
Country/territorial trade risks | Environment
Mergers and acquisitions | Product safety
IT strategy | IT reliability
TQM | Product QA
Contracts | Motor fleet
Value chain vulnerabilities |
It would be interesting to determine how many of these risks apply to all those parties affected by such high profile events as BSE, UK major rail accidents and BMW's withdrawal from Rover. Also, how much of the losses were uninsurable?
The right risk culture
Many people believe that the cultural aspects of organisations, including those relating to risk, can be engineered or fixed quickly by “tell/sell” programming. But what is the “right” risk culture and is it achievable in any kind of relatively straightforward “quick fix” way? Changing an organisation's culture is a lengthy process, typically 5-10 years, with an unpredictable end point and outcome. Not only my own research and consulting experience bears this out, but also that of many other organisation specialists. It is also a fallacy to regard speculative or opportunity risks as the only ones important in the right risk culture. The railway industry after the major accidents of Ladbroke Grove, Ealing, Clapham and Paddington, for example, highlights how pure risks such as safety can devastate corporate reputations. With pure risks, a desirable value is that people should be averse towards taking them. With speculative risks, a desirable value is that people should be orientated towards taking them. In developing a culture of responsible risk-taking, both kinds of value and behaviour will need to be addressed. Cultural characteristics need to be identified competently, followed by non-prescriptive nurturing.
Risk systems and strategy
The Combined Code as part of the SE listing rules requires that:
• The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets.
• The Directors should, at least annually, conduct a review of the effectiveness of the Group's system of internal controls and should report to shareholders that they have done so.
• The review should cover all controls, including financial, operational and compliance controls and risk management.
The Turnbull report states that “Internal control is one of the principal elements in the management of risk used by a Board to achieve the company's objectives” and provides guidance on what companies should do to institute these controls.
According to Turnbull, the adequacy of internal controls should be assessed by the Board under four inter-related headings:
• Risk assessment
• Control environment and control activities
• Information and communication
A number of different strategy responses to Turnbull by companies are emerging, such as prescriptive compliance, problem focus and comprehensive validation. Whereas some 30% of large organisations claim to have a strategy for holistic, integrated risk management, less than 10% are believed to have implemented such a strategy to any serious extent. This highlights the long haul ahead and the fact that excessive dominance of risk management by any one function or discipline or, indeed, strategy (for example, insurance) within an organisation is likely to ensure a non-holistic dis-integrated outcome.
Dr Waring can be contacted at www.awa.demon.co.uk