Skip to Content
Risk Management

Planning: An Overlooked Risk Management Technique

William Austin | October 4, 2024

On This Page
A whiteboard showing a flowchart of boxes and arrows

Alice: "Would you tell me, please, which way I ought to go from here?"

The Cheshire Cat: "That depends a good deal on where you want to get to."

Alice: "I don't much care where."

The Cheshire Cat: "Then it doesn't much matter which way you go."

Excerpt from Alice's Adventures in Wonderland, an 1865 English children's novel written by Lewis Carroll, an English author, poet, mathematician, and photographer

My property and casualty (P&C) risk management career spans more than 40 years and includes contact with hundreds of individuals responsible for insurance risk management for their employers. As a long-term member of this risk management community, I believe adequate planning—a critical risk management technique—is often overlooked by risk managers. Proactive planning activities should precede all aspects of the risk management process.

Too often a risk manager's focus is narrowed to solely managing the organization's insurance program without regard for the complete risk management process, with the only planning tool essentially a schedule of insurance and a time line of 60–90 days prior to a policy expiration date. What gets overlooked? Essentially the complete risk management process.

  • Identify exposures
  • Determine risk management techniques
  • Select appropriate techniques
  • Implement techniques
  • Monitor and improve each component of the overall risk management program as needed

Why reference an encounter between Alice and the Cheshire Cat from Alice's Adventures in Wonderland? Unless one's risk management program is on a clearly defined path, the risk management professional will be like Alice at the fork: Either turn will take this person to a destination that may not meet the short- or long-term risk management needs of their organization. Planned objectives, coupled with managed implementation, allows the risk manager and the organization to jointly strive to achieve risk management goals holistically for the betterment of the whole organization.

I was hired in 1994 to be the corporate insurance risk manager for a publicly held Fortune 70 bank, the seventh largest in the United States at the time, that was to embark on a corporate-wide multiyear plan to grow not only organically but also by acquisition such that the CEO wanted the bank to literally recreate itself every 2 years in terms of employee count, number of locations, global focus, and new and/or improved client facing services. The organization at that time employed more than 25,000 people in at least a dozen states working at more than 2,000 locations, a US presence with a limited-service office in London, nearly $50 billion in assets, and an annual income in excess of $3 billion.

I was a new risk manager and had never been one before this opportunity. I learned quickly I had to build a transmission to get my internal unit of eight coworkers to move forward at a pace equal to that of the whole organization: speed of light comes to operational risk. These are the lessons and successes I learned. I am confident the following suggestions can be helpful to any risk manager in any industry even after more than 30 years after my initial learning curve.

Begin with the Basics

To effectively implement an improved risk management program for my employer, I had to be in lockstep with executive management and their goals and objectives: to take the internal risk management process from what had been more of an anemic academic exercise to a practical, timely, and efficient operation that could respond quickly to loss exposures and address any rapid change for my employer. This led to my first eureka moment as a risk manager; risk management has two essential beginning key steps: manage people and manage activities. Only by managing the people responsible for the planned activities, internal and external, will any risk management program be implemented in a timely manner and successful on day one for the organization, no matter what industry the risk manager works in. These activities sound obvious, but I found that "hands-on" activities of most risk managers to be lacking in actually managing the process whether using their internal resources (i.e., staff and in-house colleagues) or external resources (e.g., brokers or third-party administrators (TPAs)).

Risk can only be managed if people involved in the process fully understand what they need to accomplish (i.e., activities) as part of the overall risk management process, especially if portions of their job responsibilities will likely change during this process as the organization changes due to size, complexity, facilities, and customer services. This means not only my internal staff but also our internal customers and our third-party service providers. All risk activities must be understood and completed in unison to achieve each risk management goal or objective.

What does this mean? Activities can only be managed effectively when each human component (internal and external) understands their role in the whole process, even if their part is only 1 percent of the total. Even a person with only 1 percent personal contribution in the process can stop all further movement toward a completion date if that 1 percent is a linchpin to subsequent activities. (Think in terms of the adage "a chain is only as strong as its weakest link.")

People and Activity Planning—A Strategic Process

Without a master plan, people will likely concentrate on the immediate issues presented to them, commonly referred to as "putting out fires." I have heard countless times, "Who has time to plan for tomorrow!" It is not always human nature to take the time to determine where we have to be individually and/or as a department at the end of the day, week, month, quarter, or even year. This is where the "manager" aspect of "risk manager" comes into play and as the key person to effect change for the organization.

Risk management is not a static process, especially if one works within a dynamic organization and change occurs fast and frequently. A risk manager needs to think in terms of what may happen tomorrow and what people, internal and external, need to accomplish each day to support risk management endeavors for the future, whether tomorrow or 6 months from now.

Relying on an insurance renewal schedule is rarely, if ever, a sufficient planning tool to manage a risk management program. Why? It is rooted in the past! Insurance should be one aspect, not the sole focus, of the risk manager's attention. A broad view of risk management and critical dates needs to be maintained to ensure that the overall risk model used by the risk manager is appropriate and timely for the organization of tomorrow. Risk evolves and so must your organization.

Manage Activities by Management of People Responsible for an Activity

Risk management is a team sport—it cannot be done alone. A risk manager needs to share all expectations (timetable, goals, objectives, work product, etc.) with stakeholders that should include the risk manager's supervisory personnel, peer manager(s) in other key functions, their staff at all levels, other coworkers, internal customers, and external service providers. This step should include involvement by senior management to obtain and ensure their approval for planned risk management objectives for a given time frame, especially if critical costs need to be expended and are necessary but currently unbudgeted. I did find that on occasion I could get a significant variance for my financial plan if I could demonstrate adequate cost/benefit of the cost in terms of ultimate savings whether in restructure dollars or enhanced safety of employees and the public.

Implementing the Planning Process

Identify Stakeholders

Determine the people that need to be involved in the risk management process by looking at any information that will allow you to see the organization as it is today and what is planned for the future. The following table provides a general sense of obtainable information from each stakeholder group and lists what risk events may be concluded from available information. Contact with stakeholders and review of information need to take place frequently, even daily for some and especially at onset of the plan, as an initial risk identification process and then at intervals sufficient for risk manager to stay current on potential risks of loss to the whole enterprise.

The stakeholders listed are general in nature but are a good beginning for any risk manager: Each may lead upward in the organization to a supporting top-level stakeholder. These examples may not be exactly what risk managers will find in their organizations, but some self-study of the organization and overall organizational networking will assist in success for this step.

Stakeholders-Internal Information Sources

Networking with all levels of the organization

Gossip at the water cooler and everything below

Executive management

Profit and loss (P&L): sales/income, notes by internal and external audit, public companies' annual reports, 10k reports, 8k after material events, 10Q, etc.

Business continuity/disaster recovery—general operations.

Hard copy plans and online access

Sales/marketing

Catalogs, brochures, and organization's website(s)

Manufacturing/assembly

P&L: sales/income/expense and items to point out/identify bottlenecks/supply chain issues

Business continuity/disaster recovery—technology operations

Hard copy plans and online access and cyber applications completed by senior IT stakeholders

Communications/public relations

Press releases of new endeavors

Facilities

Any of the above

Legal

Any of the above

Human resources

Any of the above

Understanding the C-suite plan will allow the risk manager to determine what status quo must be maintained and what changes should be made to support the overall organizational plan. This can become the long view of where the risk management program should be in 1–5 years and is the first step of the planning process. It may include strategic plans to increase the risk manager's ability to determine insurable exposures in near real time, identify how to reduce workers compensation losses, strengthen overall employee and customer safety initiatives, or implement a captive insurer when a specific type of claims and/or losses reach a forecastable level each year.

Risk managers need to think in terms of an organizational business plan created at the top of the house, such as the C-suite, then scaled down to include all employees. This plan could be for several time periods, as in 1–5 years. The actual time period will depend on your organization, its industry, its customers, its suppliers, and even the nation's economic scenarios.

Macroplan Development

Macroplanning for the risk manager lends itself to a business plan approach as overall risk management needs are identified and evaluated and plans based on the results are enacted. Business plans are used throughout progressive organizations to plot income streams (current and new), identify and consider how to reduce fixed and variable operational expenses, and plot product and services development. Risk management activities can be effectively identified through business planning much like your coworkers do in other disciplines in your organization: finance, product development, facilities for new locations, etc. The risk manager must consider both goals and objectives and understand the differences of these two terms.

  • Goals. Final outcomes that the risk manager must achieve by a date consistent with demands of immediate supervisor and on up in the organization.
  • Objectives. The tactics (e.g., specific actions) and measurable steps that the risk manager must take to achieve a specific goal.

A risk manager's ongoing macroplanning focus needs must include a continual test of their knowledge of all of the organization's activities as activities generate risk of any kind—insurable or not. This is the identification step, which is a key first step of the five-step risk management process. A risk manager cannot manage risk that is not identified. All other steps of the risk management process are driven by step one, risk identification. If an exposure is missed, it cannot be treated effectively. In many ways, "monitoring," which is the last step of this process, is essentially a restart of the identification process.

The macroplan activities are broken down in the microplanning phase to ensure that each identified macroactivity interim steps are identified, managed, and executed so that overall completion meets the macroplan due dates.

Discuss with internal staff as the plan is being drafted, review with external service providers, and get feedback during the draft stage. Once final, it can become an ongoing agenda for regular meetings with stakeholders, internal and external, to measure where the risk manager stands with his macroplan in terms of the organization and its changes.

This is the short-term/present view and can start with a weekly meeting with internal staff to assess what needs to be done for the week (i.e., projects or other work due to others for the week) and status checks of work due to the risk manager by subordinates, internal and external. This type of planning becomes an inventory process to identify all open items and where the item(s) are in terms of progress toward the planned completion date. It is essential to know at all times that all the microplan components are moving ahead on schedule. Obtaining status reports of open items can limit surprises such as missed deadlines and point out issues in advance of problems. A master open items database is an invaluable tool and becomes an excellent time saving tool in its own right.

Planning should occur during meetings with outside service providers such as brokers, TPAs, and other critical vendors. Regular meetings—weekly, monthly, or quarterly—should be held with critical service providers to ensure their work product is consistent with proposals, contracts, and overall needs and that all their deadlines and other service issues are being completed in a timely basis and continue to support the macroplan.

Service providers need to be managed just like an internal direct report, and many risk managers fail to understand this dynamic: A risk manager can delegate an activity but does not delegate full responsibility or accountability for the activity. A critical step missed by any internal or external stakeholder can put the risk manager on the hot seat with those in the organization calling for termination of the risk manager. All the people involved in an organization's risk management process and related activities need to support each other's objectives to achieve the macroplan within the desired time frame.

Create the Plan

A business plan does not need to be complex to be effective. In fact, the less complex the plan, the easier it will be to sell and implement its goals and objectives to risk management staff and both internal and external stakeholders. A business plan template can start as simply as that shown below.

Macroplan overall goal. Reduce workers compensation (WC) cost in order to take control of risk financing, including the use of a group or single parent captive.

Table 1. Macroactivities
Risk Identification Risk Control Risk Treatment Risk Financing Admin/Efficiencies
Analyze WC claim costs Determine means to reduce individual and overall claim costs Determine if change to a TPA can improve claim costs Meet with WC group captives to understand what risk profile will be acceptable in 24 months Budget in the next financial plan for an internal resource (employee) as a companywide WC resource
Table 2. Action Plan: Risk Identification
Risk Identification Responsibility/Resources Time Line
Analyze WC claim costs

Primary: risk manager

Secondary: human resources

External: insurer claims staff

Completion target:

Interim status check date:

Interim status check date:

Interim status check date:

Interim status check date:

Table 3. Action Plan: Risk Control
Risk Control Responsibility/Resources Timeline
Determine means to reduce individual and overall claim costs

Primary: risk manager

Secondary: human resources

External: insurer loss prevention staff

Completion target:

Interim status check date:

Interim status check date:

Interim status check date:

Interim status check date:

Table 4. Action Plan: Risk Treatment
Risk Treatment Responsibility/Resources Timeline
Determine if change to TPA can improve claim costs

Primary: risk manager

Secondary:

External: TPA candidates

Completion target:

Interim status check date:

Interim status check date:

Interim status check date:

Interim status check date:

Table 5. Action Plan: Risk Financing
Risk Financing Responsibility/Resources Timeline
Meet with WC group captives to understand what risk profile will be acceptable in 24 months

Primary: risk manager

Secondary: risk management insurance manager

External: captive administrator

Completion target:

Interim status check date::

Interim status check date:

Interim status check date:

Interim status check date:

Table 6. Action Plan: Admin/Efficiencies
Admin/Efficiencies Responsibility/Resources Timeline
Budget in next financial plan for an internal resource (employee) as a companywide WC resource costs

Primary: risk manager

Secondary: supervisor/risk manager

External:

Completion target:

Interim status check date:

Interim status check date:

Interim status check date:

Interim status check date:

Conclusion

Risk management planning is a must to do using macro- and microplanning steps for the risk manager to be proactive and decisive and to deliver additional value to the organization.

By early 2002, my employer had acquired, outright or through merger, 14 other major financial institutions, now employed 50,000 people, had total assets in excess of $200 billion, operated 4,000 global locations, and became a worldwide financial institution as operations now included not just the United States and England but 20 other counties throughout Europe, Asia, Latin America, and South America.

All insurance programs, including external resources (i.e., TPAs and brokers), were implemented on legal day one in terms of when my organization started the day as the new and improved financial institution: Cost savings were maximized as of that date, consistent with the corporate macroplan.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.