Outsourcing risk
May 2010 supplement
Risk management and insurance go hand in hand, but you need to know what your insurable risks are to identify the right sort of protection for your organisation, says Peter Heap
I never ceased to be amazed that so many charities with which I work do not link their risk management efforts to their insurance buying process. As I will demonstrate in
this article, the two issues are part of the same process and it is vital that time is spent on getting them right to ensure that the organisation is properly protected at all levels. My overall message is that you cannot buy adequate insurance without carrying out a full analysis of your insurable risks. This merits an exercise separate from the main risk management process but following the same steps of identification, measurement and control.
I firmly believe that the time and effort spent on this will be rewarded by an insurance programme that truly represents the risks and will enable trustees and management to satisfy themselves that the charity has proper risk controls in place. The basic steps of the risk management process are well known:
1) Identify.
2) Measure for impact and likelihood.
3) Action to control risks.
4) Monitor and review.
I would like to focus on step 3 – action to control risks, since it is here that the insurance link becomes evident. There are a number of possible actions that can be undertaken to control a risk and these are summarised as follows:
- Avoid. If a risk presents a serious threat to an organisation and it cannot be economically reduced, it may be preferable to avoid it, for example, by stopping a service.
- Reduce. Action can be taken to reduce either or both the impact and likelihood of an event. Implementation of a sound health and safety plan is a classic example of this.
- Accept. A risk is so low in both impact and likelihood that it presents no material effect on operations and can be accepted without further action.
- Contingency planning. This is an essential element of risk management. A sound business recovery plan will ensure that should an event occur, the organisation can minimise impact and return to full operations quickly. There is an important link to insurance that I will detail later in this article.
- Transfer. The risk is transferred to an insurance provider by payment of a premium or to a third party by way of contract. Clearly, it is this last action that is so material in linking risk management to insurance. Hence the key message of this article is that you cannot buy adequate insurance unless you have identified and quantified your insurable risks.
The risk matrix
Many organisations map their risks onto the standard risk matrix that shows impact and likelihood and this same matrix is useful in mapping insurable risks. An insurance premium is calculated on these two elements i.e:
- impact, that is to say the sum insured or limit of liability; and
- likelihood, that is the insurance company’s assessment of the likely frequency of occurrence.
Of these two, likelihood has the greater influence on the premium. Hence most insurable risks will be in the high impact, low likelihood quadrant. A classic example is fire insurance. If an insurable risk is in the high likelihood quadrant, the premium will be high in relation to the sum insured. This underlines the vital importance of controlling claims frequency by active risk management.
What is an insurable risk?
The next question is ‘what risks are insurable?’ Many are obvious such as fire, flood, third party liability etc. However many are less obvious and examples are:
The next question is ‘what risks are insurable?’ Many are obvious such as fire, flood, third party liability etc. However many are less obvious and examples are:
Non appearance insurance where a celebrity is booked for a major event.
Defective title insurance where title may be in doubt on a legacy property
Key person insurance for example for the costs of finding a new CEO.
Key person insurance for example for the costs of finding a new CEO.
For a risk to be insurable, it must meet a number of criteria as follows:
1) It must be random or fortuitous.
2) It must be capable of financial assessment.
3) It must be similar to other known risks.
4) The insurance company must be able to calculate an adequate but reasonable premium.
Insurable risks will also normally fall into one of three categories:
- assets, for example physical property;
- liabilities to other people; and
- people risks such as life assurance, pensions, personal accident and travel.
It is important to recognise that your risk may be unique or different to another charity in a similar area of operation and so may need a special insurance policy. This should be negotiable with your insurer. The important fact is to identify and quantify the precise type of risk.
Identification of insurable risks
Most charities now have in place a risk management process that identifies and measures risks and maintain a risk register to monitor these risks. However the principal focus of boards is to identify and control the major risks to which the charity is exposed and this is reflected in the risk register. The majority of major risks tend to be strategic in nature and most strategic risks are uninsurable. Hence few risk registers will include insurable risks.
I believe that it is necessary to carry out a separate exercise that will identify and measure all insurable risks to ensure that the insurance programme is designed accordingly. The process is the same as for the main risk management process and every area of the organisation’s operations should be examined and the insurable risks listed.This can be done in a number of ways:
internal workshops;
interviews with relevant staff and volunteers;
working in conjunction with your insurance broker or insurer; and
using external consultants.
Measurement of insurable risks
After the risks have been identified, they need to be measured for impact and likelihood. However the way that this is done is different from the main risk management process where a risk will be measured for both impact and likelihood and a score calculated.
For insurable risks, the impact still needs to be estimated since this will form the basis of the insurance policy in terms of the sum insured or limit of liability as follows:
- Assets. This is straightforward and will normally be replacement value or rebuild value in the case of buildings.
- Liabilities. This is more complicated and is always a discussion point for charities when deciding what limit of liability needs to be bought. I believe that potential impact can only be assessed through use of ‘what if’ scenarios.
- People. The impact will be the perceived value of the people to the organisation and the amount of compensation for their injury or loss.
Business continuity planning
Business continuity planning is an essential part of the risk management process[1]. There will be a number of risks that cannot be eliminated and whose occurrence could cause serious problems for the charity. For these, a continuity plan should be put in place to ensure that the disruption is minimised both in terms of physical risks such as fire, flood, IT breakdown etc but also in terms of reputation risk with pre-prepared media statements.
Many charities buy business interruption insurance for increased costs of working and/or loss of profit on trading revenue. These policies have an indemnity period that represents the estimated maximum time to return to normal working. A sound and tested business continuity plan can materially reduce this down time and hence enable the charity to reduce the indemnity period and the premium.
Professional indemnity insurance
A public liability policy will normally only cover injury or property damage to a third party. It will not normally cover financial loss suffered by a third party as a result of negligence or error or omission. These are risks covered by a professional indemnity policy. Many charities offer advice, help lines, counselling and signposting and are concerned as to whether they have any exposure for professional liability. In the case of a professional firm such as a lawyer or accountant that charges a fee for advice, there is clear liability when that advice is wrong. For a charity that provides advice and other services free, the legal position is much less clear and often your solicitor’s advice should be sought.
However, it is important to look at the true level of risk by analysing the activities or services for impact and likelihood of something going wrong. What is the actual exposure to risk and possibility of a third party suffering financial loss?
Many charities are involved in providing residential care. Three types of insurance policy can potentially cover care risks as follows:
- public liability for injury suffered by care recipients;
- professional liability for negligence or error; and
- medical malpractice for medical negligence.
- These policies can overlap and risk analysis is crucial to establish exactly what risks are involved and to make sure that the insurance policies dovetail and do not overlap or leave gaps.
Trustee indemnity insurance
Many charities question whether they should buy this cover. Again I would argue that an analysis needs to be done of the actual level of risk to assess the possibility that any external organisation could sue the trustees.
Boards of trustees have a duty of care and breach of this duty may give rise to a possible claim against them. Failure to put in place a
sound risk management process or failure to buy adequate insurance could well be deemed a breach of this duty of care. This underlines again the importance of getting them right.
Claims
The risk management process establishes an estimated impact and likelihood for each risk. However, insurance claims represent a true picture and hence it is vital to have up to date accurate information to enable the charity to spot trends and causes to be able to put in place suitable controls. If claims are allowed to go unchecked, premiums may rise without the charity understanding why.Claims monitoring and management are crucial services of the insurance broker and insurance company but, in my view, are often not given sufficient attention.
The risk management process establishes an estimated impact and likelihood for each risk. However, insurance claims represent a true picture and hence it is vital to have up to date accurate information to enable the charity to spot trends and causes to be able to put in place suitable controls. If claims are allowed to go unchecked, premiums may rise without the charity understanding why.Claims monitoring and management are crucial services of the insurance broker and insurance company but, in my view, are often not given sufficient attention.
Your insurance advisors
I have set out above the principles for carrying out a full risk identification and measurement process for insurable risks but I recognise that in many cases, charities do not have the necessary internal expertise or insurance knowledge to be able to do this fully on their own. This underlines the importance of using a broker or insurance company that provides the right level of support. When I manage broker tenders for charities, I agree a set of criteria that is individual for that charity but there are some criteria that are common for all. These are:
I have set out above the principles for carrying out a full risk identification and measurement process for insurable risks but I recognise that in many cases, charities do not have the necessary internal expertise or insurance knowledge to be able to do this fully on their own. This underlines the importance of using a broker or insurance company that provides the right level of support. When I manage broker tenders for charities, I agree a set of criteria that is individual for that charity but there are some criteria that are common for all. These are:
Expertise not only in third sector risks but in the specific activity of that charity. For example, a broker may have extensive experience of UK care risks but no experience of international NGOs. Does the broker really understand what you do?
- Full claims service that will deliver effective management of claims and also provide statistics to enable the charity to monitor trends and causes.
- Regular communication with the insurance company so that the company can understand the exact activities of the charity and risk management controls in place.
- Regular updates on charity insurance issues and changes in the insurance market.
Your organisation is unique and you deserve a service that meets your precise needs.
[1] See ‘When the unthinkable happens’ by Robert McKenzie in Caritas, issue 29, April 2010, pages 13 to 16
Author: Peter Heap
Peter Heap has worked as an independent consultant for Ark Risk Consulting since 2004, advising charities on all aspects of insurance and risk management. Prior to that, he spent over 35 years in the risk and insurance business and in 1997 set up and ran the Charity Practice for insurance brokers Marsh UK. www.arkriskconsulting.co.uk
There are no comments on this article. Be the first to comment.