Over the past few decades we have seen a steady movement towards a more managerial response to these forms of risk. What has emerged is the discipline of risk management. We could define risk management as "the identification, analysis and economic control of those risks which can threaten the assets or earning capacity of an enterprise."
This definition is valuable because it highlights the structured approach which is called for if risks to the business environment are to be managed.
The three-fold nature of risk management is highlighted in the definition. Risks must be identified before they can be measured, and only after their impact has been evaluated can we decide on the most effective method of control.
However we decide to control risk, it must be "economic." There is no point in spending ten pounds to control a risk which can only ever cost five pounds. There will always be a point where spending on risk control has stop.
The definition mentions the assets and earning capacity of an organization. These assets can be physical or human; they are both important and risk management must be seen to have a part to play in both. However, risks do not only strike at assets directly and for this reason the definition also mentions the earning capacity of an enterprise.
Note that the definition uses the word "enterprise" rather than a more restrictive word such as "company" or "manufacturer". The principles of risk management are just as applicable in the service sectors as they are in the manufacturing sectors, and are of equal importance in the public and private sectors of the economy.
When considering risk identification we must remember to take the broad view. We are not solely concerned with what can be insured, or even with what can be controlled. We start from the very basic question, "How can the assets or earning capacity of the enterprise be threatened?" Starting from this position does not place any constraint on us as to what kind of risks we are looking for. We must begin the task in an unblinking manner and identify the whole host of ways in which an organization may be impeded from achieving its objectives.
We could say that there are at least two essentials if risk identification is to be effective.
Firstly, risk identification must be importantly recognized within an enterprise. When this is case, it is often marked down as a task within the job descriptions of a particular manager.
Secondly, the person responsible for risk identification must be armed with the relevant "tools of the trade" and must make use of them.
Once it has been identified that there is a risk, steps have to be taken to measure the potential impact of that risk on the organization. In a practical sense the measurement of risk starts with the gathering of information, followed by tile analysis of past experience, and then moves on to see what the data tells us about the level of frequency and severity of the risk
to which an organization is exposed.
We can split the whole area of risk control into physical and financial control. Physical risk control
We are concerned here with physical steps which can be taken in order to control risk. The first step must be to reduce the level of the risk as far as possible. This means both the chance that something will happen and the severity of the incident, should it occur. There are at least two ways in which we could understand risk reduction. Pre-loss risk reduction
It is possible to take steps before any event has occurred to minimize risk. The essence of pre-loss reduction of risk is that the effects of the loss are anticipated and steps are taken to ensure that they are kept to a minimum.
Wearing a car seatbelt is a good, personal example. There has been no loss, but the possible effect of a loss has been anticipated and the pre-loss risk reduction step of wearing a belt has been taken.
The use of safety guards on machinery, is an industrial equivalent. There has been no injury, but steps have been taken to reduce the risk of injury. Post-loss risk control
This form of risk control imagines that the risk has occurred and takes steps to minimize the effect of the loss. The use of automatic fire sprinkler systems fits into this category. Once the fire has started, the sprinklers operate to reduce the impact of the fire.
We now turn our attention to financial mechanisms which can be used to control risk. These can be divided into two categories.
Once the risk has been identified and controlled in some physical way, it will be necessary to consider how the effects are to be financed, should the worst happen.
In certain situations, it may be wise to retain the risk rather than to seek another form of protection, such as insurance. We have already mentioned the problems associated with insuring high frequency, low severity events and they certainly fall into the self-retention category. The cost of these events could be paid for out of current income and passed on to the customer via the price of the product (or service) , which is offered by the organization. Alternatively a fund could be established, out of which the losses are to be paid.
Insurance is a risk transfer mechanism by which an organization can exchange its uncertainty for certainty. The uncertainty experienced would include whether a loss will occur, when it will take place, how severe it will be and how frequent there might be in a year. This uncertainty makes it very difficult to budget and so the organization seeks ways of controlling the financial effect of the risk. Insurance offers the opportunity to exchange this uncertain loss for a certain loss: the insurance premium. The organization agrees to pay a fixed premium, inreturn, the insurance company agrees to meet any losses which fall within the terms of the policy. This is a risk transfer mechanism which is of immense value not only to industry, but also to individuals.