UNCOVERING THE HIDDEN COST AND IMPACT OF RISK MANAGEMENT FAILURE
Reasons why risk management can go wrong despite best intentions
By Randy Boss, CRM, MWCA, SHRM-SCP
Risk management is a necessary process that businesses and organizations undertake to identify, assess, and mitigate risks that can potentially harm their operations, assets, or reputation. Risk management’s goal is to minimize the likelihood and impact of adverse events. But despite the best intentions, it can fail. Here are the reasons behind risk management failures and their consequences.
- Failure to identify. The first step in risk management is identifying potential risks that could impact a business because you can’t manage what you do not know. This step involves reviewing business processes, the external environment, and other factors that could put operations at risk. A business must identify internal and external dangers, such as financial risks, natural disasters, cybersecurity threats, and market competition.
As insurance and risk advisors, we can assist in using different methods to identify risk, such as checklists, employee interviews, walkarounds, industry experts, looking at past incident and near-miss reports, and conducting job safety analyses (or similar task evaluation processes). I recently conducted a walkthrough and discovered an opening in a mezzanine without a gate or safety chain. Also, during a round of employee risk interviews, somebody noted that some employees were overriding safety features to speed up machines to add to their “per piece” work pay.
- Failure to analyze. The second step in risk management is to analyze data. Failure to do so can have serious consequences that can negatively impact a business in several ways. With data analysis, companies may clearly understand the risks they face, making it easier to develop effective strategies to mitigate or manage those risks.
For example, a business that needs to analyze safety records may be able to establish effective safety policies and procedures to prevent workplace accidents. Failure to analyze data can also increase a business’s exposure to liability. With data analysis, companies may be aware of compliance risks related to legal and regulatory requirements. These gaps in compliance can lead to violations that can result in fines, penalties, and legal action.
- Failure to control. The third step in risk management is controlling risk. This is critical to the success and sustainability of any business. Each step builds to the next, so failure to correctly identify and analyze efforts leads to a “shot in the dark” control strategy. An effective control strategy protects a business’s finances from potential risks. It minimizes legal and regulatory risk, improves business continuity, and protects the company’s reputation in order to support growth and expansion.
For example, implementing financial controls can prevent fraud and financial mismanagement, thus reducing the risk of financial losses. It’s essential to recognize that an insurance policy cannot cover all risks and that risk control protects the ability to get insurance at an affordable rate.
- Failure to finance. The fourth step of risk management is financing risk, often with insurance policies. Another method often overlooked is to transfer risk by contract. This method is used frequently between owners, general contractors, and sub-contractors in the construction industry. The problem is that many in our industry often start and stop with insurance and miss the opportunity to protect a business in ways that insurance can’t.
No amount of insurance can replace an injured worker’s ability to provide for their family if injured or killed on the job. Businesses often need to be more accurate when insuring their operations. Things to avoid include underestimating the value of their business assets, failing to review and update insurance policies, not understanding the scope of their coverage, and not considering specialized coverage.
- Failure to monitor. Monitoring risk management results is essential for ensuring that the risk management process is effective and that the business is protected from potential risks. By monitoring risk management, a company can identify potential gaps in risk management strategies, evaluate the effectiveness of risk management strategies, adapt to changing risk, demonstrate compliance, and make informed business decisions.
Consequences and reasons
The consequences of risk management failures can be significant and costly, resulting in:
- Financial loss. A failure to identify and manage risks can lead to financial losses due to operational disruptions, legal liabilities, or reputational damage. For example, a cyberattack can lead to data breaches and significant financial losses for the organization.
- Reputation damage. Risk management failures can harm an organization’s reputation, leading to a loss of trust among customers, employees, and other stakeholders. A tarnished reputation can have long-term consequences, leading to decreased sales, lower employee morale, and difficulty in attracting new customers or investors.
- Legal consequences. Failing to comply with legal regulations and standards can lead to legal consequences, such as fines or legal action. For example, a healthcare organization that fails to protect patient data may face legal action and penalties.
- Operational disruption. Risk management failures can cause operational disruption, leading to delays, downtime, or even failure of critical business functions. This failure can impact the organization’s ability to deliver products or services, leading to lost revenue and customer dissatisfaction.
What are some reasons behind risk management failures? Some include:
- Inadequate risk assessment. One of the primary reasons risk management fails is insufficient risk assessment. This can happen when the risk assessment process needs to be completed or is done superficially by jumping ahead to step three (finance with insurance) before risks are identified, analyzed, and controlled.
- Lack of ownership and accountability. In such a scenario, nobody takes responsibility for managing risks and the organization doesn’t assign specific roles and responsibilities to manage them. As a result, the risk management process becomes fragmented and risks need to be adequately addressed. I know this from experience, having conducted hundreds of employee interviews with one of the questions being: “Who in your organization is responsible for managing risk?” The answers are all over the place 90% of the time.
- Insufficient resources. Another reason for risk management failure is a need for more resources. Loss can happen when the organization needs to provide adequate funding or staff for the risk management function. In such a case, the risk management team may need the tools, technologies, or expertise to identify, assess, and mitigate risks effectively. Lack of expertise is often the case in middle market companies where they do not have the luxury of a full-time risk manager.
- Misaligned risk management strategy. Risk management failure can occur when the risk management strategy is not aligned with the business objectives. For example, the organization may prioritize short-term gains over long-term sustainability, leading to a failure to identify and mitigate long-term risks. A good example is production over safety. A plumbing contractor digs a hole for a quick connection instead of providing shoring protection. A cave-in occurs resulting in one employee dead, an OSHA visit, and a hefty fine.
- Overreliance on technology. While technology can improve the risk management process, it can also lead to failure. Organizations that rely too heavily on automated systems to manage risks may miss out on critical insights and data that human intuition and experience can provide. Case in point: An Alabama automotive parts supplier was forced to pay $1.3 million in penalties for the death of a worker back in 2016. The decision came about after OSHA undertook an investigation of how an employee at the supplier’s Cusseta facility suffered fatal crushing injuries in June 2016 in a robotic machine. OSHA inspectors learned that the machine operator and three co-workers entered a robotic cell on the assembly line to clear a sensor fault when a robot inside the cell restarted abruptly, crushing a young woman inside.
Its inspection led OSHA to cite the company for 51 safety violations, including 48 willful violations. On Feb. 10, 2023, an administrative law judge upheld the majority of the violations that OSHA issued. That company will now pay more than $1.3 million in penalties to address the violations.
Risk management is just excellent management. Failure results in fines and other regulatory or legal action, elevated employee turnover, customer dissatisfaction, negative or damaged reputation, missed opportunities, product or project failure, decreased market share, financial loss, and even business failure.
The lesson I’ve learned over my career is that effective risk management is both science and art. All the knowledge in the world means nothing until it is applied.
The author
Randy Boss is a Certified Risk Manager at Ottawa Kent in Jenison, Michigan. As a Risk Manager, he designs, builds and implements risk management and insurance plans for middle-market companies in the areas of safety, work comp, human resources, property/casualty and benefits. He has over 40 years’ experience and has been at Ottawa Kent for 40 years. He is the co-founder of emergeapps.com, web apps for insurance agents to share with employers. Randy can be reached at rboss@ottawakent.com.