Bring together four people into one room. Make one an insurer, another a health and safety expert and the third a business consultant.
The final person is a manufacturer. The subject of their discussion is risk management. Like motherhood and apple pie, risk management is deemed to be 'a good thing'. But why? Each party will have their own view.
The insurer
The insurer is looking at risk management as an instrument that informs him as to the type of cover and premium required. The insurer is increasingly interested in developing individual risk profiles for key clients in specific areas, as a more effective method of both underwriting and supporting client needs. The more a client's business is understood, the more efficient the allocation of capital will be, against the understood risk. The insurer is working on the principle that the more he knows about the risk, the more informed the underwriting will be.
The question then arises, what is the most efficient way of gauging a business's risk culture? What systems and processes will demonstrate good risk management? How can the insurer be confident that such systems and processes will be executed faithfully and regularly within the business?
In principle, there are three key areas that would need to be examined: health and safety, environmental and management practices. Good strategies in these areas should bring down the incidence of accidents that could trigger claims. The casualty part of any insurance programme could be more confidently predicted, if these areas were certified in some way.
But the insurer is not in the business of assessment and certification.
His alternative, currently, is to work closely with the client's risk manager and broker so that there is a good level of information transfer - enabling a sound judgement to be made and the premiums to be decided accordingly.
Health and safety expert
The Health and Safety Executive confidently claims that health and safety should be the cornerstone of a civilised society. It is the job of our health and safety expert to make that a reality in daily business life.
He sees risk management programmes as the most effective way of ensuring health and safety matters are executed meaningfully within the work place.
However, a problem arises from the nature of the way businesses work in 2004.
At one time, health and safety regulations used to be prescriptive and based on tick lists. There was a comfort factor about this, in that so long as the boxes were ticked, companies felt that they had fulfilled their health and safety requirements. But there was a question as to whether this actually achieved successful health and safety management. It also left the responsibility for health and safety with the list makers, rather than the businesses.
In 1972, there was a change to broader, goal setting, health and safety regulations. A non-prescriptive model was used, based on the view that 'those that create risk are best place to manage it'. It created a flexible system whereby regulations express goals and principles and are supported by codes of practice and guidance.
But in today's business environment, risk management encompasses far more than health and safety assessments. A modern risk programme can include sophisticated analysis of what problems and issues a company might face that could interrupt the successful and profitable provision of its product or service. There will be financial projections; costed scenario-impact analysis and unit-based performance evaluation and measurement. Everything will be stripped back to its fundamentals and examined as to whether it contributes an opportunity or a risk to the business. Health and safety has to take its place alongside political, social, technical and environmental risk analysis.
Unlike some of these other areas, health and safety risk management is a basic discipline, executed day by day within the business. The practical implementation of good health and safety management operates a long way from the boardroom, and even further from the policy makers and government agencies. This is where the results are generated. The tables of statistics which reflect UK plc's performance are based on health and safety experts being able to produce good business reasons why a particular percentage of the corporate pound should be spent on health and safety. In the past, it has simply been enough to point at the regulatory environment and say 'we have to'. Now, within the overall context of risk management programmes, the argument must be more sophisticated.
The business consultant
It is the consultant's job partly to strip away all the vested interests, look through the platitudes and business cliches and try to see what is really critical to the bottom line. It may mean taking on some sacred cows. For instance, he may need to take on the entire concept of risk management. Does it deliver business benefits? How do you measure the real value to risk reduction?
His client is operating in a world where there is a paradox. Citizens are increasingly demanding a risk-free society. Most customers, however, choose to purchase products and services based on price, or consistent brand values. Risk measurement does not appear to sell more widgets. However, if a product suddenly appears to present a risk to consumers, then certainly that risk will inhibit sales.
The risk industry is predicated upon less risk being good and more risk being bad. But the consultant wants to be able to break this down into a statistical scale, and measure where within that scale the client should be ideally placed. It is not a black and white issue, nor will the profile of the scale necessarily stay still throughout a business cycle. However, it is useful for the business to be able to address and discuss risk in terms of scale. But how can this business imperative of risk reduction fit into the regulatory and statutory frame work? The consultant thinks that a sliding scale is in his client's best interest. But how can this be measured and evaluated?
The manufacturer
The manufacturer is feeling his cheque book. He has a basic business principle. He wants success. By which he means that he wants the business to make money, he wants people to buy his products, and ideally he wants this to happen without drama or delay. He knows that risk management plays some part in the third element of his wish list. He's not sure if or how it contributes to items one (money) and two (sales). However, he is pretty sure, at least in some areas, that it is 'a good thing'. For instance, his broker has identified some practical financial benefits of risk management.
The manufacturer would like to be able to better evaluate the business benefits of risk management. Too many of his suppliers use risk management claims as a sales panacea to cover all ills. From facilities management to engineering inspection, everyone claims to be reducing his risk. He thinks they probably do, but would like to be able to measure it more effectively. If there were tables which showed the correlation between share prices and risk management, that would be interesting. Or tables of sales figures that compared those companies with quality marks or standards to those without.
In the meantime, he hopes that the insurer will give him a better premium because of the risk culture his company has developed. He is buying into the idea that he should exercise good business practices because it lessens the threat of a consumer backlash. One thing that he does find irritating is the propensity of regulators to cascade information down upon his business, without having the courtesy of taking feedback from the coalface. He would like to be able to work within an environment where he is applying effective standards that satisfy consumer demands while also protecting his business assets. That would be the real business benefits to him of a risk management programme.
Evaluation
In all these cases UKAS is interested in demonstrating that objective independent evaluation can help evaluate and assess risk management programmes.
Internationally recognised standards already exist for the certification of environmental and quality management systems, the provision of which can be assessed by UKAS. In other areas of business, specific sector schemes can be developed to provide evaluation that will be internationally recognised.
The UKAS approach ensures that such schemes demonstrate competence and performance capability on an on-going basis.
We believe that there is a fit between risk management and the accreditation process; and together they deliver real business benefits.
Lord Jamie Lindsay is chairman of UKAS, UKAS
The United Kingdom Accreditation Service (UKAS) is the sole body recognised by the UK government to assess organisations that provide certification, testing, inspection and calibration. This accreditation is undertaken against internationally recognised standards and demonstrates the organisations' competence, impartiality and performance capability.
UKAS was formed in 1995 and is a non-profit-distributing company, limited by guarantee. It operates under a Memorandum of Understanding with the Secretary of State for Trade and Industry on behalf of government.
The Department of Trade and Industry (DTI) has licensed UKAS to use accreditation marks featuring the Royal Crown and to sub-license the use of these marks to UKAS accredited organisations.
UKAS investigation into the issues relating to risk management and accreditation includes work with a number of individuals and organisations, who contributed to a recent UKAS think tank on risk management. They include:
David Abrahams, senior vice president, Marsh Risk Consulting
Michael Mainelli, director, Z/Yen Limited
Mike Nichols, chairman, The Nichols Group
Nick Starling, policy director, Health and Safety Executive.
