Risk management

From pyramids to mathematical equations, football formations, bridges and roofing structures, the strength of “triangulations” is tried, tested and proven through time. The same principle applies in risk management, in implementing and maintaining effective, resilient and efficient risk mitigation solutions, to the evolving exposures that threaten businesses. 

Craig Kent, head of risk consulting at Aon South Africa, advises on the trilogies of risk mitigation, to effectively manage the risks that a business may be exposed to. 

Risk exposure 

Risk management pivots around three considerations about the business and the potential risks it could face: 

  • Risk exposure identification: Risk awareness from the likely to the highly unlikely, which can threaten the business. 
  • Risk exposure quantification: Potential risk cost or inherent exposure such an event can have. 
  • Risk exposure mitigation: Elect, implement and manage suitable risk mitigation strategies to best counter the specific exposures. 

Each of these is explored below. 

Risk management

Risk identification 

The permutations and options for the process are vast, with these three salient classes of risk being the most prevalent: 

  1. Pure/tangible (for example, property loss).
  2. Latent/hidden (reputational/brand/market share/keyman). 
  3. Financial – upside or downside (Forex/shares), plain damage or non-damage business interruption losses. 

The tools and process to identify the risk can vary both on a macro and micro level, by department/division, or an entire operation or business. For example, fire is likely to be a tangible risk to a particular site, whereas Forex fluctuations can impact all operations of a group of companies. The tools used to identify different risks also differ, while both can have characteristics of one or all three of the different classes of risk. 

Exposure quantification 

This is driven by the same principle as that of risk identification, except that the inherent risk exposure value can be made up of both tangible and latent values (insurable and uninsurable costs). The hidden/latent and uninsurable costs are not that easily quantified. 

It gets tricky from a priority and treatment perspective, as a suitable action is based on the inherent risk, which serves to inform the treatment and/or extent thereof, based on the “three T’s”: 

  1. Tolerate: Based on the estimated quantum of potential exposure, you can “live with the event” – often characterised by frequent exposure/low value at risk. 
  2. Treat: Apply viable cost-efficient risk mitigation and reduction strategies by removing the risk, or reducing the frequency and the value, or both. 
  3. Transfer: Pass the risk to someone else by addressing it through a combination of treating and transfer – for example, buying insurance to cover the exposure. 

Risk management

Risk exposure mitigation 

Once the risks are identified and you have quantified the inherent exposure value, you can make an informed decision on the preferred risk mitigation strategies to deploy: 

  1. Self-retention of the exposure, with varying degrees of risk prevention or reduction strategies. 
  2. Risk transfer (insurance) strategy, coupled with expected degrees of risk prevention and reduction. 
  3. Get rid of the risk, which is easier said than done. 

Mitigation tools 

Risk mitigation doesn’t end here. While these three risk mitigation tools, alone or in combination, are the mechanisms to mitigate all the risks of a business, these tools are only sustainable when the treatment thereof is constantly managed. 

To achieve the best efficiency for the management of each risk, consider the “three E’s” of treatment, namely: 
  1. Engineer the solution in part or whole. 
  2. Educate on the risk treatment solution. 
  3. Enforce the application to maintain the engineering and education of the solution. 

“While many assume that engineering can only be applied to tangible risks, let’s explore some examples, and link in the education and enforcement thereof,” says Kent. 

Example 1: 

Sprinkler systems avoid the human element for detection and control of fire. This makes it a tangible solution that is essential for the risk carrier, where risk values and legal compliance dictate. However, without education, the engineered solution’s effectiveness can be compromised. 

Sprinkler systems are designed based on many dynamics. If these are in any way changed or compromised, so too is the effectiveness of the sprinkler system – hence the absolute need for continual education/training, self-inspections, checklists and maintenance. In turn, it leads to the enforcement of the treatment, by way of strict maintenance and third-party inspection regimes. 

Example 2: 

Protocols for consistent and reliable financial reporting centre around the implementation of International Financial Reporting Standards (IFRS) and individuals who have completed a chartered accountant degree. This lays the foundation for a combination of internal and external audit mechanisms for enforcement. 

Example 3: 

Antivirus software or password protection is not a tangible solution, but if an employee does not follow protocol, the process and/or engineered software can be compromised and the risk met in full force. Thus, both continual education and enforcement are required to realise the value of the mitigation strategy. 

Example 4: 

Buying insurance as a mitigation strategy serves to transfer the risk. But if the terms of the contract with the risk carrier are not observed and maintained, a claim can be repudiated or the risk can become uninsurable. For high catastrophe risks, this could be debilitating for any organisation. In this scenario, the insurance product is the engine, the training of the insured the education, and escalating rates, repudiations, punitive deductibles and so on serve as the enforcement. 

Cost of failure 

It is interesting to note that in all four examples, a failure of any one of the three E’s can lead to a failure of the risk mitigation strategy. In turn, the predicted residual risk that was anticipated based on the mitigation plan is far greater. 

There are many other examples that can be cited where the same principles apply, to make sure the treatment is: 

  • Equitable/viable to the inherent value at risk – don’t spend R1 to protect R1. 
  • The cost to mitigate is viable to achieve. 
  • The resultant residual value of the risk is sustainable. 

There is little point in spending R1 million on the treatment of a R5 million potential loss exposure, unless there is a legal requirement, of course. Similarly, there is little point in spending R1 million on treatment to protect a R100 million exposure. Kent explains: “If the rules for the application of the three E’s treatment are broken, then you may have wasted R1 million and still have a potential R100 million loss exposure.” 

Value in trinity 

It makes sense that if various trilogies are not followed continually, it will not be possible to argue that an effective and efficient risk management programme is in place. “One of the biggest failures is the seemingly cheaper ‘DIY’ approach, rather than consulting a professional risk manager and investing in the process, to ultimately effectively and efficiently manage the organisation’s risks,” cautions Kent. 

Having regular, thorough risk assessments of a business is a good exercise to identify any possible red flags that need to be addressed before they have negative impacts on the business’ risk transfer requirements. It will also direct a business that has already fallen into a state of distress on how to best address the existing concerns and identify potential other risks that can be addressed to efficiently get the business back on track. 

A professional broker and his risk advisors will be able to provide an organisation with aligned services and solutions that businesses may need to identify and address any gaps in their risk management programmes, mediate a solution and provide the clarity and confidence to make better decisions when it comes to the risks that the business is faced with. 

“Get good risk management practices in early and strive to improve continually,” Kent concludes. 


Issue: How to effectively manage the risks that a business may be exposed to. 

Solution: The strength of “triangulations” is tried, tested and proven through time, including the trilogies of risk management. 


For more information, contact Aon Consulting: 

Tel: +27 860 100 404 

Website: www.aon.co.za 

Subscribe to our Community👇

Stay Inspired, Stay Educated, Stay Informed

By subscribing you agree to receive our promotional marketing materials. You may unsubscribe at any time.

We keep your data private.