Non-profit Risk Management Center
For the past six years I've had the privilege of serving on the Board of Washington' Nonprofit Risk Management Center, watching it blossom into a remarkable resource. I attended my final Board meeting in October (it's time for a fresh face), following the Center's annual Institutes, on which this report is based. It was a valuable two days.
The Center deserves high praise for its decision to continue its scheduled sessions in Washington despite the events of September 11 and the nationwide hesitancy to travel by air. Over 350 attended with only a few cancellations.
The content was a rich mixture of broad as well as practical risk management topics, ranging from the risk vagaries of volunteers and managing investments in an uncertain economy to creating a risk management committee, auto fleet risks, fraud prevention, emerging legal problems, handling partnerships, managing people internationally, protecting young people, dealing with the elderly, and the expected panels on crisis management. Purely insurance topics were limited to an introduction to the basics, workers' compensation and sophisticated trends in self-insurance and financing alternatives. The exhibit hall was modest in size and scope, not detracting from the sessions and their content. Of the 21 exhibitors, 17 were insurance-oriented.
The second day luncheon speaker was a serendipitous choice. Mary Stewart, now with Aon, had earlier this year been the risk manager for the Washington Metropolitan Airports Authority (which includes both Dulles and National). She spoke of the recent crises and then suggested five critical attributes for a successful risk manager, in reverse order:
I particularly like her first criterion: risk management often requires non-focused thought!
I was also fascinated by a presentation on using waiver and indemnity agreements as liability shields. Elizabeth Sarah Gere, a partner in the Washington law firm of Ross, Dixon & Bell, described waivers as a balance between two competing principles, an individual's personal freedom to enter into a voluntary contract and the social policy of requiring responsibility for the results of negligence, protecting persons from unreasonable risks. Liability waivers generally involve a "surrender of the right to sue," shifting the risk of damages from one party to another before the injury happens. They come in different forms: waiver/release, exculpatory, indemnification, dispute resolution and hold harmless agreements, plus covenants not to sue and informed consents (in the medical arena). Ms. Gere emphasized the importance of using clear language, the relative equality of the signing parties, providing sufficient information, and careful consideration of applicable statute and case law (local, state and national).
Her comments forced me to reconsider the objective of these agreements. Too often they appear to be attempts to shift, improperly, the burden of responsibility for negligence to another party. They are frequently the knee-jerk reactions of legal counsel that fail to consider the implications that they give to other parties. Like much of risk management, they over-focus on the pitfalls rather than the benefits of an agreement. Shouldn't waivers should be, first and foremost, a form of risk communication?
Start with the possible benefits that will occur, and then follow with possible downside results. Citing both plusses and minuses reminds both parties of their mutual obligations. Each should take responsibility for its own negligence, rather than trying to pass part of the buck. Excessive reliance on waivers will send the wrong message at the outset and can later create the wrong response if and when something does go wrong. I think the medical profession comes closest to meeting this objective with its use of informed consent agreements, in which the medical professional communicates the desirable outcome - a return to good health - with the possible downside outcomes, before starting treatment. These are generally one-on-one discussion. Considering both sides of possibility creates mutual understanding and confidence. It also sustains the reputation of the major party in any agreement. Don't hide behind a waiver ; use it as a communication tool.
The exhibit area of the Center's Institutes featured one of its most effective tools for nonprofits, CARES (Computer Assisted Risk Evaluation System), a CD-ROM that helps smaller nonprofits undertake their own risk analyses, producing a report with specific action steps. CARES has six interactive modules: an introduction to risk management, employment practices, contracts, possible harm to clients, special events, and transportation, each with approximately 250 detailed questions. Three more modules will be offered in early 2002: internal controls, technology risks, and facility risks. A new 2.0 on-line version is due next April. The Center advertises CARES as having “a professional risk manager on your desktop.I found it thorough and practical. It is a particularly valuable resource for preparing a summary report to a Board on a nonprofit's major risks and responses. At $89 for the CD-ROM it is a wise investment.
The Center also publishes a wide range of risk management booklets. They are uniformly well-written, clear and practical. Some of the most recent include:
These booklets, the CARES CD-ROM, and other publications have value for nonprofits and profit-making organizations alike. Being an ex-director, I can shamelessly encourage their purchase! They are available from the Nonprofit Risk Management Center, Melanie Herman, Executive Director, 1001 Connecticut Avenue, NW, Suite 410, Washington, DC 20036. The telephone is 202-785-3891 and the website is www.nonprofitrisk.org.
Comments on Defining "Risk"
My loyal reader and ever-ready commentator, Dr. David Block, from Milledgeville, Georgia, took the time to read my article Four Cubed (see RMR October 2001 and the Useful Information page of the website) and sent the following:
A Poem on "Four Cubed" or, On First Looking Into Felix's Homer, or, The Old Ones Define "Risk"
. "'Risk is variation from the expected' is simply the last sentence of its own few volumes! (You are a good filler of buckets.) Risk is without dimension - it is a pure number - but not therefore without value just because it is domain-specific and context-bound: the variation is abstract, but it is variation (contextual definition of a repeating and identifiable process) from a mean (a value within a domain) assigned a value in a social schema. Do we manage risk? Do we minimize variation in a certain process of assembly (whether it be the making of information or real property - as if you could have one without the other - is of no import) deemed 'critical' for the organization such that the probability of a variant event will be <.05? Or is it more like old Popeye the Sailorman: he didn't really calculate the mean and standard deviation of the magnitude of Bluto's excesses measured in terms of 'contusions to my own body in visible areas'or 'stolen Olive Oyl 'kisses', but simply knew 'That's all I can stand, 'cause I can't stand no more.' He expected Blutiferous misfortune, but there's a timewhen..... Ah, perhaps that's the key: what are the bounds of Blutiferous? No doubt there are many in the world for whom there is a calculus of hamburgers. They can manage all the contingencies of one meal: the standard hamburger as The Golden Rule. We ought to recognize, and applaud, that the standard burger makes it possible as well as safe for many Americans to travel around the world, even if less rewarding in a culinary context. The risk manager demands zero degrees of freedom, for that's what management is. The CRO, as you point out, is a leader. She does not define the vision or the mission of the organization. But she enumerates, intuits, conjures, and creates those degrees of freedom which define permissible expectation in the outcome of the processes that allow the realization of the mission. She is, I'm afraid, the Chief Risk Poet, but CRO might fly better in an MBA program. (This defines one of the central risks of having an MBA program rather than learning the philosophy and skills of the MBA-person. Believe me, it ain't no different in Medicine)."
Insurance Claim Protocol
Mark Bailey, of AIG Europe, writing in the September 2001 issue of Global Reinsurance, describes a new "protocol" issued by a group of Lloyd's and London market insurers for "claims against professionals," such as lawyers, consultants, brokers, accountants and investment advisors. It purports to assist in "encouraging the full, frank and early disclosure of information" and"speedy and equitable settlements (hopefully without the need for litigation." It suggests, however, an absurd timetable of over four months that describes exactly what seems to be wrong with some much of insurance these days. It outlines an exercise in procrastination destined to produce the very litigation that it tries to avoid. It is a reason to wonder about the wisdom of buying any form of professional liability insurance underwritten by the conventional insurance market.
The protocol advises that a professional should acknowledge receipt of a preliminary notice of possible claim "within 21 days." This time delay is inexcusable. A claimant against any professional is almost always a customer or client. A delay of three weeks! That's tantamount to ignoring the claim. I'd advise a response of some sort within 24 hours. The protocol goes to suggest another 21 day waiting period before actually acknowledging a formal claim, plus a three month professional investigation (presumably by and with the insurance carrier) before sending a "reasoned answer to the claimant's allegation." Good grief! This is a catalyst for, not an eliminator of, litigation.
What is at stake is much more than monetary damages or legal fees. It is the reputation of the professional, his most important asset. To protect that asset requires an immediate and understanding response to any client that believes it is the recipient of some form of injury, even if the complaint is largely unfounded. To wait four and a half months for the "reasoned answer" is nonsensical.
I recall a situation many years ago involving a Boston-area hospital, physician and patient. The hospital and physician had just shifted their insurance from the commercial market (it declined to renew) to a captive insurer. An accident occurred and the patient died. Under its former insurance arrangement (and perhaps under the new London protocol) the hospital would have advised its insurer, and then waited for action. Under the new arrangement, the Chief Legal Officer (serving as risk manager) contact ed the patient's family in less than an hour, met them at the hospital, described the occurrence, offered immediate condolences, and promised to investigate the accident and report to the family in full. He then talked with them daily, concluding with a full report on the circumstances and the steps the hospital took to prevent any recurrence. He continued his almost daily contacts and a financial settlement was reached within a month, to the satisfaction of all parties. Admittedly this was a medical occurrence but I suggest that the same approach should be taken with any "professional": claim. To wait, as this new protocol advises, is an invitation to disaster.
Perhaps claimants and the law move more glacially in the United Kingdom. This won"t work in the United States.
John Graham's move from Harvard's Center for Risk Analysis to the US Office of Management & Budget (OMB) as Director of the Office of Information & Regulatory Affairs has already produced his first directive, requiring strict adherence of government agencies to the Clinton Executive Order requiring cost-benefit studies for all rules that cost over $200 million.
This renewed emphasis on risk analysis in the US Federal Government will have repercussions in the private sector. Not only will new and existing regulations be forced to meet new risk standards but the idea of continuing analysis of both costs and benefits will begin to permeate private decision-making. Risk assessment, review by competent experts, and consultation with critical stakeholders will become key ingredients of corporate risk management.
Dr. Graham's office ask for upper, lower and central estimates of possible outcomes, for both costs and benefits. We need to see more than just "the expected." The range of possible outcomes, from favorable to unfavorable, is essential to prudent decision-making, in corporate decisions as well as in regulations. Keeping an eye on how the government manages its own risks.
Chief Risk Officer
Is the position "Chief Risk Officer" for real? Many are skeptical that a single officer, even reporting to the CEO and the Board, can coordinate an organization's multiple risk management functions. Yet the ranks of CROs are growing steadily. My informal research indicates more than 100 CROs worldwide with new ones being added every month. Even where the title is not evident, there are companies that have appointed a senior officer who wears an additional hat.
Confirmation of themagnitude of the CRO movement comes with the publication of A Composite Sketch of a Chief Risk Officer, by Karen Thiessen, of the Conference Board of Canada, Brian Merkley, of Tillinghast-Towers Perrin and Robert Hoyt, of the new Center for Enterprise Risk Management at the University of Georgia. The authors researched CROs through public filings and news reports and followed up with a survey questionnaire to 80 organizations in North America. While the response was limited (only 21 completed the survey), the authors report growing interest in the position. Most CROs are found in financial services, utilities and energy companies, although expansion into telecoms and multi-nationals is occurring.
Driving forces that create a CRO include demands of external stakeholders for more effective RM controls, recognition of the internal value of integrated RM, new technology to support this integrated approach, and the position's growing peer acceptance. Of the responding companies, 85% were financial services, utilities and energy. The CRO is generally charged with three major tasks: coordinating all RM activities, introducing an integrated framework and improving risk communication with insiders and outsiders. Key background skills center on math, finance, communication and accounting. Almost half (45%) report directly to the CEO. The top reported "risks" are, in order of priority, market, credit, regulatory, property/liability, and human capital.
I've harped on the importance of communications with all stakeholders. This CRO group stressed shareholders first on the list of their stakeholders but included many more. Curiously, "customers" did not appear on the list, although "clients" were mentioned! Based on this survey I continue to see communication as the weakest area in strategic or enterprise risk management. While 53% of the CROs see continued growth in the position, a strong minority (26%) believes that it will "fade into CFO responsibility".
For a copy please contact The Conference Board of Canada at 866-711-2262 or firstname.lastname@example.org.
Copyright H. Felix Kloman and Seawrack Press, Inc.
to RMR Table of Contents
RiskINFO Home Page
Additional Topics This Month and Archives