What is Risk Assessment? • A strategic approach to planning. • Occurs at all levels and across all functions of an organization. • Identifies exposures of activities. • Assists the organization in making risk-adjusted business decisions every day.
Why Do Risk Assessments? • Facilitates pre-planning, assessing and brainstorming about what can go wrong, resulting in mitigation strategies to manage what does go wrong. • Business decisions are made with eyes wide open. • Reaction time to an incident, disruptions in operations after an incident, and financial consequences arising from an incident may be mitigated or eliminated.
Where to Start? • What is the specific activity? • Who • What • When • Where • How • Why
The Million Dollar Question • What is your entity’s appetite for risk? • Low with little tolerance for the unexpected. • Medium with understanding that service delivery requirements come with risk. • High where agency mission and operations do not leave the agency a choice. • Extreme where agency mission and operations dictate the appetite, or where risks have not been assessed or addressed.
What is Risk? • Risk Management Textbook Definition- The danger or probability of loss. • Project Definition - There may be external circumstances or events that cannot occur for the project to be successful. If you believe such an event is likely to happen, then it would be a risk.
What is a Loss Exposure? • The possibility of financial loss as the result of a particular peril striking a thing of value. • Components: • The type of value exposed to loss. • The peril that caused the loss • The extent of the potential financial consequences of that loss.
What Values are Exposed to Loss? • People • Property • Freedom from liability (alleged wrong doing)
What Types of Perils Cause Loss? • Natural • Flood • Wind • Earthquake • Human • Arson • Vandalism • Graffiti • Economic • Changes in the stock market • War • Increases in material costs
What About the Financial Consequences? • The point – Making sure you don’t give away the farm.
How Can We Identify Exposures? • Previous activities of similar type and their outcomes – lessons learned • Standardized surveys and questionnaires • Financial statements • Records and files • Loss Reports and claims • Flowcharts • Personal inspections • Experts
What Questions Should Be Asked? • What is the overall service or activity? • Who, what, when, where, how and why will the service or activity be performed? • Who or what could be harmed? • What could go wrong? • Bodily injury • Property Damage • Liability • Impact on systems or workload
Rating the Risks of Loss • Rate the severity of the risk of each potential loss exposure • How bad can each loss be? • What could it cost?
Don’t Forget About the Value of Opportunities • What opportunities will be missed if the activity is not done? • What is the upside and downside of these opportunities. • By considering the full range of potential events – rather than just risks – the risk assessment process ensures that management can identify and take advantage of positive events quickly and efficiently.
Risk Rating = Level of Risk • E = EXTREME RISK - Involve senior management immediately, emergency situation, consider not doing the activity. • H = HIGH RISK - Management attention required for business and policy decisions, effective risk control, insurance types and limits, etc. • M = MODERATE RISK - Management should be kept informed of risk control, insurance types and limits, etc. • L = LOW RISK - Manage by routine procedures, insurance types and limits could be flexible.
What Tools Are Available to Manage the Risks? • Risk Control Methods: • Avoid the risk altogether. • Prevent the frequency of loss. • Reduce the severity or cost of loss. • Segregate to prevent one event from causing loss to the whole. • Contractually transfer the risk.
Risk Control Measures Must Be Specific to the Situation • Personal protective equipment. • Housekeeping, repair, and maintenance. • Inspections. • Tools and equipment. • Policies, procedures, and process. • Supervision. • Contract Management and Administration.
Risk Adjusted Business Decisions • Which measures best fit the mission, activity, and Risk Rating? • How can the measures be implemented? • Who will implement? • Who will be responsible for making sure the measures are followed? • Who will be responsible for ongoing monitoring?
Immunities & Coverage • Do any statutory immunities apply to the activity? • What are the limitations and/or exclusions? • Does your agency have a legal opinion on statutory immunities? • Does self-insurance cover the activity and/or people? • If not, does management want to buy commercial insurance coverage for the activity?
Evaluation of State Self-Insurance or Commercial Insurance Coverage • Which kinds of coverage apply and what are the limits? • What are the exclusions to the coverage? • Does the agency meet the reporting and loss control requirements of the coverage?
If Your Agency: • Has no statutory immunity for the activity. • Has not decided to use loss prevention/risk control measures to minimize or mitigate the risks. • Has not contractually transferred the liabilities associated with the activity to another party. • Does not have self-insurance coverage for the activity. • Has not purchased commercial insurance coverage for the activity.
What is the Point? • Knowing the risks associated with your entity’s operations that should be keeping you awake at night. • This insight provides your entity with the ability to plan for proactive loss prevention actions rather than just loss reduction reactions. • This process allows your agency to build a “big book of risks.”
One More Tool • Knowing the risks associated with your entity’s operations that should be keeping you awake at night. • This insight provides your entity with the ability to plan for proactive loss prevention actions rather than just reactive loss reduction reactions.