Risky Business

Education Forum: A series of articles provided by the Insurance Institute of Canada

In last issue of Claims Canada, Education Forum looked at the interplay between stakeholder relationships and a firm’s brand and reputation. In this issue, we look at how to identify risks to that reputation.

A good reputation can be a significant intangible asset for any firm. For service providers such as adjusters, whose offerings can’t be evaluated before purchase, reputation is especially important.

The risks that any business faces can be grouped into four broad categories:

• hazard risks, such as the risk of having staff injured while adjusting a loss at the site of a catastrophe;

• financial risks, such as credit or liquidity risk, or the risk of changes in interest rates;

• operational risks, such as the risk of internal fraud or a computer failure; and

• strategic risks, such as changes in regulatory requirements or the launch of a new competitor.

“Reputation risk” is not really a separate category of risk. Instead, it is associated with all of the above risk categories because all risks can potentially have an impact on reputation. Withdrawal from a line of business; a drop in financial results; a breach of customer data security because of a technology failure – any of these can impair the trust that insurers or regulators have in an independent adjusting firm.

Since it can be affected by so many potential sources of risk, reputation can be a significant concern for anyone running a business. To get to grips with reputation risk, start by identifying and assessing the various other risks that contribute to it.

What’s the risk?

Risk identification is the first step in any risk management process. It involves identifying, defining and prioritizing all sources of risk that might affect the firm, including current sources, expected sources and potential sources. Some risks are easy to identify; others can be difficult to spot or to isolate.

It’s important to establish consistent processes for identifying risks – both risks that represent threats and those that represent opportunities. Some qualitative approaches that can be used to identify risks include:

• surveys;

• internal workshops;

• brainstorming sessions;

• internal auditing;

• reviewing strategic analyses (analyses of the internal and external environments, SWOT analyses, etc.);

• reviewing external sources of information; and

• analyzing new trends or phenomena.

Once risks have been identified, they need to be analyzed to determine their potential impact.

Analyzing financial risks often involves quantitative tools that are beyond the scope of this article. Qualitative assessment, on the other hand, can be applied to most risks and involves thinking about how the organization’s most significant risks affect the business as a whole.

Sometimes qualitative assessment is the only form of risk assessment possible – some risks don’t lend themselves to numerical analysis because the required quantity and quality of data are not available. For example, it would be difficult to quantify regulatory risk or a social risk such as long-term trends in claim inflation. For these kinds of risks, qualitative assessment methods are important tools for measuring the significance of the threat or opportunity.

Ideally, qualitative assessments are done by a team that includes people from different parts of the organization, to ensure that risks are considered from multiple angles and perspectives. The exercise involves making relative judgments about the probability, impact and priority of different risks. Tools that can be used to analyze risks qualitatively include:

• questionnaires;

• internal workshops or brainstorming sessions;

• interviews;

• internal audits;

• expert opinion;

• checklists;

• decision trees; and

• risk maps and priority rankings.

Mapping the terrain

Risk maps provide a visual overview of a firm’s risks. At its simplest, a risk map can be a matrix on which you plot risks according to their relative impact and probability – high, medium, or low. Risks that fall into the upper right corner of the grid have the highest overall priority ranking; those in the lower left corner have the lowest.

Alternatively, you can use a limited numerical scale such as 1-3, 1-5, or 1-10 instead of the descriptors high-medium-low. The risk map should involve enough levels to meaningfully differentiate between risks, but not so many that you get bogged down in assigning the values.

By using additional columns or colour-coding, you can also capture other related information such as the business objectives or program the risk is related to, the risk owner (the business unit or individual responsible for managing the risk), the risk management measures currently being taken, and the risk measures that are planned.

Risk maps can be developed for the organization as a whole or for a business unit or program. They can also be based on clusters of risks that have things in common, such as risk category, source or impact.

Exercising judgment

Whatever the specific technique used, qualitative analysis requires using business judgment to assess the various potential consequences of each risk and of combinations of risks – including the impact on reputation. The assessment team should ask hard questions about the magnitude of risk, the acceptable level of risk, and the risk management measures that are currently in place. Once this level of assessment is available, it’s easier to decide what additional risk management measures are needed to protect the firm and its reputation.

This article is based on material used in the Insurance Institute’s FCIP program, the pinnacle of learning in Canada’s p&c industry. Focusing on strategic leadership and advanced management principles, the program blends academic business theory with practical insurance application.