PART ONE
ESSENTIALS OF ENTERPRISE RISK MANAGEMENT
HERE WE TELL THE STORY of why organizations should create modern risk management programs. Risks are related. One risk affects others as they cross the often-artificial walls of day-to-day operations. People can be too close to risk or just too busy to recognize impending critical problems.
We start with the features of modern risk management, a discipline that morphed from a narrow insurance-buying role. Stories and examples help us grasp hazard risk management as a foundation for ERM. What is modern risk management? What does it mean for an organization? What are the contributions it makes to our understanding of risk?
Then we take a detour. Two challenges arose in 2007 and 2008 that seemed to undermine ERM. We examine Nassim Talebās concept of the black swan and what it means for risk management. We follow up the 2008 financial crisis with the lessons we should have learned. We finish with the implementation of an ERM program. How can it be done? How should it be done? What resistance can we expect?
CHAPTER 1
HAZARD AND ENTERPRISE RISK MANAGEMENT
RISK QUOTE: More than at any other time in history, mankind faces a crossroads. One path leads to despair and utter hopelessness. The other to total extinction. Let us pray that we have the wisdom to choose correctly.
āWOODY ALLEN, MOVIE PRODUCER
RISK QUOTE: Better to remain silent and be thought a fool than to speak out and remove all doubt.
āABRAHAM LINCOLN, U.S. PRESIDENT
Hurricane Andrew
In 1992, Hurricane Andrew caused significant losses to Allstate, State Farm, and other insurance companies because Florida insurance law did not handle flood and wind damage properly. If wind took off the roof before a storm surge destroyed a house, how much would separate wind and water policies pay to reimburse the damage? After cleaning up the mess, insurance companies worked with the Florida State Insurance Department to apportion loss from a combination of water and wind. In 2004 and 2005, hurricanes Frances, Charley, Ivan, Katrina, and Rita damaged property in Florida. As a result of the new laws, insurers saved money, and homeowners received prompt and efficient claims processing.
The change made after Hurricane Andrew is effective risk management. Still, it had a flaw. The insurance companies operated in isolated units that did not share risk information. They did not seek changes in the laws in Georgia, Mississippi, Louisiana, or Texas. The results were unnecessary complications resolving losses in 2005, when hurricanes damaged property in those states.
A second Hurricane Andrew story reveals another flaw in sharing data. It involves the role of an actuary, a mathematician who determines the rate charged for insurance coverage. Actuaries work with historical data to make estimates of the frequency and severity of loss.
In 1992, the data for Florida hurricanes was taken from the Okeechobee hurricane in 1928. It killed 2,500 people in South Florida when a storm surge breached the dike surrounding Lake Okeechobee. It also did serious wind damage to houses.
In the 1920s, houses had been built with masonry walls and clay tile roofs. Both withstood wind damage very well. Still, 5 percent of roofs were lifted from their connections to homes. This was the damage level used in actuarial projections of property damage in the 1980s.
The problem was that houses built in Florida in the 1980s had shingled roofs connected to the walls with nails or staples. A person visiting Miami in the months after the storm could drive on an overpass and see subdivisions where all the homes were covered with blue tarpaulins. Every single roof had been removed by the storm. The actuarial data failed to provide sufficient funds to pay the claims. It is not a surprise that 11 insurance companies were forced into bankruptcy.
Definitions of Risk
When someone tells us to take a risk or not to take a risk, what is the message? In most cases, āriskā has one of three meanings:
1. Possibility of Loss or Injury. This is the most common. We have something to lose, and we might lose it through an accident or misfortune.
2. Potential for a Negative Impact. This is generic. Something could go wrong. What could go wrong? We might face a decline in the value of a brand, or competitors might penetrate our markets. The negative impact may be vague and unknown.
3. Likelihood of an Undesirable Event. This moves us into the world of quantitative analysis. We see a risk on the horizon. What is the likelihood that it will materialize? What will be the impact if it occurs? Can we quantify the damage? What will be our best case if it occurs? Our worst case?
Hazard Risk
This includes exposures that cause loss without the possibility of gain. A company may suffer physical damage to assets, as when fire destroys a building. Physical injury may occur when accidents, injuries, or disease strike employees or customers. Lawsuits can be the outcome of contractual or liability claims.
Hazard risk can be broader than the direct damage it causes. An explosion at a refinery requires repair and renovation directly. Indirectly, the waiting period until the refinery is repaired causes an immediate loss of sales and may cause future business and financial losses.
Insurable Risk
An insurable risk is a form of hazard risk that meets specific criteria.
Definite Loss. We can identify the cause, time, place, and extent of damage.
Monetary Decline. If an exposure has no financial impact, it is not an insurable risk.
Contingent Loss. The exposure must be fortuitous, covering only losses not certain to happen.
HARTFORD STEAM BOILER
The development of new tools to manage hazard losses was accelerated by a single innovative company. It was The Hartford Steam Boiler Inspection and Insurance Company (HSB), founded in 1866 in Connecticut. Prior to the 1850s, small companies conducted most manufacturing in the United States using small plants in rural areas. Waterpower was the source of power. The number of factories with steam boilers and engines grew, and so did industrial hazards. Disastrous boiler explosions caused the loss of life and property.
Hartford Steam Boiler became an inspection company first and an insurance company second. It specified rigorous requirements for shutting down boilers to allow preventative maintenance and repair. If a manufacturer f...