Proactive vs. Reactive Approach to Risk Management

Proactive vs. Reactive Approach to Risk Management

Welcome to CFO.University’s transcript of Nick Warren’s CFO Ed Talk, A Proactive vs. Reactive Approach to Risk Management Nick invites you to learn how to maximize your return on investment by using a proactive risk management strategy

Enjoy. Learn. Engage.


So we all love insurance. Well, actually that’s just me. Most people tend to tense up when they hear the word “insurance”. Organizations typically buy insurance based on catastrophic events that can cripple their business. I’ll never forget when I was twenty-two years old and had just become an insurance broker. I sat down with the owner of a sign manufacturing company. After fifteen minutes of talking about risk and their insurance needs, the owner turned to me and said, Nick, “I really have no idea what you’re talking about, just make sure that sh—is covered when it hits the fan.”

Those types of situations are what we typically run into; more of a reactive approach than focusing on a proactive situation. Most people don’t like to buy insurance. Insurance has a negative connotation. It has a negative ROI for a lot of companies. So a finance executive, when thinking about the insurance world, sees spending a lot of money on premiums without a return. When they do get a return it’s because there’s been a claim submitted and that’s not a good situation either. From a finance executive’s perspective, insurance tends to be the thirtieth item on their priority list and typically why they’re willing to outsource it to a broker.

So when do people actually like insurance? Well, here’s a case, when there’s a burning building.

Proactive vs. Reactive Approach to Risk Management

But there’s an adage in the insurance world “you can’t insure a burning building”. Typically that’s when people want to talk about insurance; when the buildings on fire, when their employees have gotten hurt, when there’s some type of catastrophic event that’s caused damage to their property or to their people. I’ve spent most of my 15 year professional life trying to master the art of risk management. I’m going to share a few of my stories.

Proactive vs. Reactive Approach to Risk Management
Why Take Risks?

So back to basics, what is risk? Risk is an activity or an action that causes something to go wrong. Another way of saying it is certainty versus uncertainty. Certainty is obviously something that everyone’s comfortable with when they understand what the situation is or what the need is. Uncertainty is where we start getting into risk. Why do we take risks? Think for example of a person jumping off a cliff into the water. They’d likely walk to the edge of the cliff and take a look down to see that there was nothing at the bottom. Hopefully they actually walked to the bottom, swam around a little bit, checked out the bottom to make sure there were no issues with the rocks underneath, climbed back up did their dive, came back to the top and did it again. Enjoyment!

In the world of business, why do we take risks? Well, we take a lot of risks because there are certain things that can be enhanced in our businesses by doing so. Whether it’s efficiencies, cutting costs, or maybe finding some type of market advantage against our competitors. There are all types of reasons why companies take risks. They feel it will be beneficial but, that’s obviously not always the case.

Proactive vs. Reactive Approach to Risk Management
How Do We Identify Risks?

How do I identify risks? When we sit down and talk to organizations/clients about where they’re at from a risk perspective, we look at four quadrants: Financial, Operational, Strategic, and Hazard. I will dive into each of the four areas with a few topic related stories to lighten the mood on a topic – insurance – that can be a little dry.

Financial Risk: I was with a company in Alaska recently and our client was talking about theft. He had about forty thousand dollars’ worth of inventory stolen, including a power generator. Obviously not a fun way to start off the week when they found out that the storage facility had been raided by an unknown source. Fortunately, we had talked to them two years ago about putting cameras in so they had film of what the suspects looked like. Unfortunately, they were wearing masks. They were however able to I.D. the truck used in the heist because the license plates were visible.

Another example of financial risk is from a cyber-security perspective. About ten years ago the topic of cyber-security was a foreign concept to a number of organizations. Everyone thought that their systems were beefed up. They had no issues in terms of focusing on the need to prevent the risk from happening. They had the money and they had the I.T. staff to be able to solve the issues proactively. Well, we’ve learned through the years now, looking at T.J. Maxx, the Federal Government and Delta that people are realizing, if the Federal Government can get hacked into, likely my mid-size company is susceptible too. So we’ve really ramped up in terms of the financial risk and looking at transferring that risk from a first party to a third party. When we work with companies on that regard, we think of proactive risk that you can actually mitigate, eliminate or avoid. Then there’s a transfer of risk; working with an insurance company on coverage that transfers the risk of a cyber security breach to a third party.

Strategic Risk is the positive and negative outcomes from strategies focused on moving your company forward .Think about hiring and firing. Every company is hiring and firing. There are typically issues that come up whether it’s in the on boarding process, having employees as they operate within your organization or the off-boarding process if you have to ask them to leave or they leave to a competitor. There is also strategic risk related to mergers and acquisitions and real growth. There are various ways to grow. You can grow organically, so you can keep growing and doing the same things you’re doing to increase revenue. You can grow through expansion; buying other facilities, going into different geographies, expanding internationally. However, seventy to ninety percent of acquisitions fail. So there’s obviously some strategic risk both positive and negative when figuring out your best route in order to optimize the strategy from a risk perspective.

I have two interesting stories in regard to Operational Risk, the third quadrant. In the world of manufacturing and doing manufacturing jobs, finger dexterity can be very critical skill. It helps with lifting and pulling. The ability to put your finger and thumb together can be required in some operational jobs. We had a client that unfortunately had a circumstance where an employee was working the night shift and lost the top of his finger down to the first knuckle. He ended up going out on Worker’s Comp, had some significant downtime and was awarded twenty-five thousand dollars for his pain and suffering. That is an insurable risk that comes through Workers’ Compensation.

Now, we also had a very clever second employee who assumed that with twenty-five thousand dollars for one knuckle, maybe if you lost two knuckles you would be awarded fifty thousand dollars in damages. He was burdened with debt. He wanted to buy a truck and a ring to give to his girlfriend when he proposed. He figured by losing his index finger, not a big deal, he would be able to get the fifty thousand dollars. After the first accident and Worker’s Comp claim we suggested the client focus its safety monitoring features on the specific machine the accident occurred on. Cameras were installed throughout the facility and caught this gentleman doing what he did. His finger was severed up to the second knuckle. It was an uninsured loss because intentional acts are uninsurable events. When you talk about risk management and insurance there are Insurable Losses and Uninsurable Losses. Part of risk management is creating an environment that prevents uninsurable losses being paid out as “valid” claims (fraud).

Proactive vs. Reactive Approach to Risk Management

Hazard Risk is when Mother Nature decides to have an impact on our business. Whether it’s an earthquake, a flood or a wind storm, it can be devastating to our organization, causing interruption, delay or maybe even shutting down an operation. The really “Big One” that everyone’s heard about came out of a New Yorker article and created discussions with many of our clients. This was of special interest in the Pacific Northwest which includes the Cascadia Subduction Zone. An area that appears geologically ripe for an earthquake. As soon as it was understood that there was a threat, that it could shift and cause a massive earthquake, we all of a sudden saw a huge uptake in people being concerned about their facilities; where their employees are, when they’re looking for expansion and relocation, where they’re going to be located and really taking a focus on these catastrophic types of risk scenarios.

So overall the four quadrants of risk, financial, strategic, operational and hazard, are the basis for getting an organization started in terms of looking at what their risks truly entail.

Proactive vs. Reactive Approach to Risk Management

Prevention of risk starts with PEA.

The P stands for proactive versus reactive. We’ve talked a lot about being on the forefront of actually analyzing your risk and looking at certain ways to help mitigate those risks; finding ways to evaluate and eliminate. The adage we use is “plan your work and work your plan”. We have so many organizations that have policies, whether it’s your employee handbook or other types of policies and procedures. You put these beautiful nice glossy binders together and what do you do when they’re all finished up? You put them on the shelf never to be seen again. Well that really is a great first step but it must be more than a check the box exercise. It doesn’t help prevent the losses from occurring in the first place if it’s not an active plan that you’re actually working. Interesting scenario; we noticed that there was an increase in clients submitting wire Transfer frauds. A lot of international operations probably similar to your organization get rush requests for a financial need overseas. A wire transfer is typically made to fulfil these requests. Well, hackers are now figuring out creative ways to hack into organizations and then create false requests. I had a large steel manufacturer that I was working with. The CFO had been there for twenty years. She retired and within a week of the new CFO coming on my client (treasurer) received an email from him saying “I need a wire transfer of one hundred thousand dollars as quickly as you can to this new bank account”. Fortunately, we knew this was a fake wire transfer. A) The request wouldn’t go to the Treasurer it would go to the Controller at the time and B) This one week CFO was so brand new he was not familiar enough at this point and would not be sending this immediate request. So, our plan worked. The request was sent to the wrong person and we had previously set up a procedure to make sure that anything over twenty-five thousand dollars would be signed off by two finance executives before being processed. Throughout the last couple of years we’ve caught a number of fake wire transfer requests.

OSHA statistics, confirmed by Liberty Mutual Insurance, shows that for every one dollar spent on safety there are three dollars earned in reduced claims. This relates to both employee and facility safety. So speaking of return on investment, this is a significant way to earn a roughly three hundred percent ROI on an investment in safety.

The E in the prevention of risk PEA Model stands for empowerment. Empowerment is important within your organization for a variety of reasons, but traditionally in the risk management world the adage we use is, “It’s not if, it’s when”. This is particular to cyber-security and insurance which has started to affect every organization that has significant amounts of data internally and are also utilizing the cloud. I got together with the CFO, Finance Team, IT, Legal department, Security and HR of a food processing client. We sat around the table for two and a half hours talking about their overall risks related to cyber security. It was incredible what came out of it and the amount of concern each department had beyond simply the IT team. A disruption in HR ‘s systems could prevent payroll from being made, delay hirings and disrupt staff planning levels in the short term. The legal team would loss access to contracts that required frequent oversight. There were all these different inputs about what would happen in the event of someone coming in and shutting down the systems.

At the end of the two and a half hours the General Counsel actually turned to everyone and said, “We should do this more often”. We laughed and said this is such an easy way of empowering the people to speak about their concerns, figure out ways to get synergy and collaborate agroup in order to talk about risk and insurance needs.

The A is for awareness. Awareness is something that’s very difficult for a lot of organizations because everyone is working in silos. We had a building materials company that unfortunately had an issue with some decking that was a legacy claim and product recall originating twenty years ago. You can’t find every house this decking went into throughout the country, pull it out and replace it. So still within the last year, we’ve actually had a claim arise. The CFO was not aware that this claim had occurred and the Treasurer was the one that actually got the reporting. We were sitting around the dinner table one evening, mentioning the deck claim that had occurred. The CFO was upset that she was not aware of the permanent injury that had come upon a third party and the significant claim that would greatly affect the balance sheet going forward.

Proactive vs. Reactive Approach to Risk Management

Prevention of risk starts with PEA. In a world where “Ten minutes can save you ten percent on your insurance”, there needs to be more focus on the proactive side versus the reactive side. The road to risk management success can feel uncertain. A singular focus on profitable ventures without time committed to risk management can often have you riding a high wire. Starting with the four quadrants of risk and focusing on the PEA Model can help you form a proactive strategy and protect your organization while improving your overall balance sheet.

Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.

Become a Member today and get 30% off on-demand courses and tools!

For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.

Follow us on Linkedin!