Risk Identification Methods - From Checklists to Experts

If you would rather listen to this as a podcast, click here

Through my travels and experiences, I have found that many companies today approach risk management in reverse. As a result they have a bad taste in their mouths. They purchase insurance based on the "best quote" and subsequently put safety programs into place should the carrier issue a "subjectivity". This is not effective risk management. This is "buying insurance". There is a definite difference between the two. The first, and most obvious, question is: What are you covering? Do you even know? How do you know? Did your insurance agent have a list of "recommended coverages"? Do they know your business well enough to offer those types of recommendations or did you find them from the Yellow Pages or Google?  Now, there is nothing wrong with advertising this way.  The question is, does your insurance agent understand the operational side of your business well enough to give you that type of advice?

The fact is, contrary to the current thought process,  the first (and most important) step in any risk management plan is risk identification. Before any exposure can be effectively analyzed, controlled or financed, it must first be identified. Are you with me? Buying insurance without going through a thorough identification process leaves you and your organization wide open for problems down the road. The number one result of transactional insurance purchasing today is an excess of passive risk in the organization. Passive risks are those risks that you or your company have assumed but don't know about. If you have read my hubs in the past, you know that I am a huge proponent of active risk. I want you to make an informed business decision that has the ability to save you money and operate more efficiently. However, it is absolutely impossible to have an accurate active risk strategy in your organization unless you first go through a risk identification process. In the remainder of this hub, we will discuss ten different methods of identifying risk, spending more time on the most common.

1. Checklist and Survey
2. Flowchart
3. Insurance Policy Review
4. Physical Inspection
5. Compliance Review
6. Procedures and Policies Review
7. Contract Review
8. Experts
9. Financial Statement Analysis
10. Loss Data Analysis

Checklists and Surveys are probably the most common form of risk identification. Notice I didn't say that they are the best. For some industries, they may be. For others, there may be a more efficient and complete solution. Checklists and surveys are used to systematically search using a list to identify as many exposures, perils, and hazards as possible. Many people like them because they are standardized, they can be used by non-risk management personnel with minimal training, information can be easily classified and they can be used to create a history. On the down side, they cannot cover all areas or operations, they provide limited, if any, financial impact effect, they do not prioritize the exposures that they identify and they may not identify new exposures.

The Flowchart Method is used to graphically and sequentially depict the activities of an operation or process to identify exposures, perils and hazards. There are a variety of methods that can be used including: product analysis, dependency analysis, site analysis, decision analysis and critical path analysis. These methods can illustrate interdependency within your organization, they can easily pinpoint bottlenecks and they can determine a critical path. They do not indicate frequency or severity, show minor processes with major loss potential, they have a limited applicability to liability exposures and in most situations, they are too process-oriented.

Insurance Policy Review is used to determine possible exposures and perils. You can do this type of analysis internally if you have the core competency, or you can hire an outside expert to perform the analysis on your behalf. The good part about insurance policies is that they are black and white (if you know how to read them!). They tell you everything they are going to cover in the first 80% of the policy and then they tell you everything they are not going to cover in the last 20%. When I do an insurance policy review, I always flip to the endorsements and exclusions first. The main issue with insurance policy analysis is that it will only address the exposures covered by the policy. It is most effectively done when combined with another risk identification technique.

Physical Inspections are one of my favorite ways to identify risk in a company. I always equate it to having a stranger over for dinner. When they walk into my home, they will see every dusty corner that has gone unnoticed. The same holds true with physical inspections. I can walk into a facility or review a contract and immediately see exposures that otherwise go unnoticed. Physical inspections can be performed both internally and externally. Physical inspections give you the opportunity to find otherwise unreported hazards or even assets. The downside is that they are time consuming and often too expensive.

Compliance Reviews are usually free of charge. They give you the benefit of an outside opinion, whether you want it or not. Examples of compliance reviews would be a visit from OSHA or the Fire Marshall. While they may provide exposure information, they could also cause you heartburn. Oftentimes, your vendors can give you a compliance review free of charge and it will be as detailed as what you would get from the governmental agencies (they want you to buy their product :))

Policy and Procedure Reviews are used to identify how your organization functions. It can be done either internally or externally as well. While there is an opportunity to identify exposures, organizational politics may prevent this from being effective.

I conduct Contract Reviews with all of my clients. This is a broad category and oftentimes they are under the impression that since their attorney wrote it or blessed it, that it was OK. Not so much. Contract review includes a wide variety of material, including but not limited to: contracts, leases, hold harmless and indemnification agreements, purchase orders and sales contracts, bills of lading, warranties, advertising materials, employment contracts, service contracts and insurance certificates. Regardless of the size of your company, you face nearly all of the aforementioned. If you have not solicited a full contract review, it is safe to say there is passive risk in your organization.

Experts save organizations lots of time and they bring a level of expertise to the table that doesn't exist internally. It may not be possible to find qualified experts in your area and if you do, they could be expensive.

Financial Statement Analysis can aid in exposure identification and valuation, financial capabilities and financial-based decision-making. It can assist in forecasting financial losses from a specific event and can serve as the basis for developing crisis contingency plans. Usually this type of analysis does not address business risks and does not contemplate the contingent risk of losses pertaining to key suppliers, customers or employees.

If your organization has good record keeping practices and has been in business long enough, the Loss Data Analysis method is also one of my favorites. You can use the loss runs from your insurance carrier, internal loss runs, incident reports and accident reports that show not only incurred losses but near misses, as well as trend analysis. You can use this information to benchmark against your SIC peers as well as to forecast future losses and development trends. Some view this as a "reactive" method. I would argue that you can't improve in the future if you don't learn from your past. It is important that you have credible data, or this method will not serve its purpose.

As with risk management programs in general, the most effective way to identify risk in your organization is to use a combination of methods. On each of my engagements (regardless of client size) we use a standard set of methods unless otherwise dictated. We have industry based checklists and surveys that can serve as the initial framework of risk identification. Once the frame work is established, we do physical inspections, employee interviews, procedures and policies reviews, contract reviews, loss data analysis and finally insurance policy review. By integrating all of these methods, there is very little room for risk to sneak through the net that we have cast.

You probably have a headache if you have gotten this far. I have told you a variety of ways to identify potential risks in your organization but I haven't supplied you with the manpower or the expertise to do it. You are also probably wondering how you will address the risk once it has been identified. The good news is, there are plenty more hubs to come! Our next topic will teach you how to classify the risks that you have identified using these practices. Please feel free to read our other information and please leave feedback. We appreciate knowing who has read our posts and what you think.

David R. Carothers, CIC, CRM is a Risk Management Consultant and Licensed Insurance Agent with Praxiom based in Tampa, FL. To contact David Directly, please email him atdrc@praxiom-rm.com.