Why Just Insure When You Can Ensure?

If the only tool you have is a hammer, every problem looks like a nail. The wisdom of this old adage is just as applicable in risk management as it is in life where the tool that organizations fixate most on is insurance. Once this fixation sets in, every risk issue (right or wrong) begins to look like it is best addressed with an insurance policy. There is no doubt that insurance is powerful, but is it so powerful that it can address all your risks?

Focusing solely on insurance as the primary approach to risk management has a downside. An insurance-centric focus likely means your organization is not taking full advantage of the whole risk management toolbox. It also reflects a static approach to risk management, leaving you waiting for a loss event to occur rather than proactively trying to identify and manage your risk. 

Instead of taking a myopic position, we suggest taking a holistic view by embracing all the risk management tools at your disposal (including insurance) to more effectively manage your organization’s risks.  

From Insurance to Holistic, Dynamic Risk Management If you currently have an insurance-centric approach to risk management, you are likely underestimating (or not addressing) many risks your organization faces that are not insurable. Start thinking holistically and acting dynamically. Being holistic and dynamic about risk management requires setting objectives, understanding the risks you face, and using the full risk management toolbox to address all your risks. It does not mean abandoning insurance; it simply means you use insurance smarter and more effectively.  

The benefit of a holistic approach to risk management is that it allows you to proactively and more effectively manage all your risks, both insurable and uninsurable, including:

• Operations – The risk your people, processes, and technology will not work as planned 
• Reporting – The risk your external and internal financial and non-financial reporting will be misstated
• Compliance – The risk that applicable laws and regulations are violated
• Strategic – The risk that an organizational strategy will not work 
• Data – The risk of a data breach

Before You Can Be Holistic and Dynamic About Risk Management, You Must Know Your Risk Truly effective risk management is predicated on knowledge. It assumes you have considered the existing and emerging risks facing your organization. Knowing your risks means:

• Identifying risks to your organizational objectives.   
• Documenting the risks to the degree they can be shared and understood by others in the organization and other key stakeholders (e.g., regulators, analysts, key business partners).  
• Quantifying the risks so they can be prioritized by the likelihood and impact of occurrence.
• Assessing what level of risk (sometimes referred to as risk appetite) you are willing to allow for a given risk. 
• Mapping risks back to strategic objectives so you understand how their occurrence will impact your organization.
• Assigning ownership of risk for purposes of ongoing management.
• Developing monitoring mechanisms in the form of dashboards, reports, meetings, and ongoing governance so you can sustainably monitor the risk.

How you gain knowledge about your risks can take many approaches including questionnaires, cross-functional facilitated brainstorming sessions, review of loss reports, peer/competitor analysis, and/or performance of an annual risk assessment. Regardless of the technique(s) used to gain knowledge about the risks you face (your risk universe), the key is to get a wide and meaningful view. It is also important that this view and risk monitoring be ongoing and not just reflective of a snapshot in time.     

Why Holistic Risk Management Requires More Than Just Insurance When a risk event occurs, insurance will compensate you for only quantifiable monetary losses up to your policy limits. This assumes the loss or risk event was even insurable in the first place and that you had a policy in place. Since insurance cannot address all the risks your organization faces, you will have to look to additional strategies to achieve holistic and dynamic risk management. In military parlance this is sometimes called “defense in depth,” or relying on multiple strategies to defend yourself from risk.  

What does “defense in depth” look like in the risk management context? It is based on using multiple strategies like operational controls, segregation of duties, policies, reserves, automated controls, physical security, entity level controls, internal audit, monitoring, strategic partnering, and insurance. Multiple strategies like these are required so the organization can: 

• Mitigate the impact of risk events when they do occur.
• Slow the progression of unfolding risk events, sometimes referred to as velocity.
• Increase resiliency to risk events when they do occur.
• Build redundancy against risk events into the people, processes, and technology.
• Detect risk events sooner.
• Stop risk events from occurring.
• Defer risk events from occurring.

Adopting a “defense in depth” approach to risk management also means adopting a paradigm in how your organization views its role in dealing with risk. You become dynamic in addressing risk when you actively take steps to proactively prevent risk events, lessen their impact, and/or detect them sooner. This is in stark contrast to a static approach, which is based solely on using insurance recoveries reactively to deal with resulting damages. 

There is no doubt insurance is a powerful risk management tool, but insurance alone will not provide an organization with a holistic or dynamic approach to risk management.  

Be Effective at Managing Your Risk  A holistic and dynamic approach to risk management draws on all the tools in your risk management toolbox and reduces your reliance on insurance. It starts with awareness and acknowledgement of what your risks are and how those risks affect your business objectives. It means understanding what you are up against and using a “defense in depth” approach that relies on many risk management techniques, including insurance. And most importantly, it means being dynamic by trying to prevent and reduce the impact of risk events to your organization so you can be effective at winning the war on risk.