Can risk management be outsourced?

Some 20 years ago, I formed a consultancy firm called RiskTrac, Inc. Together with two other friends, we launched TRIMAP, an acronym that stands for Total Risk Management Approach. Our vision was to promote the risk management process applications in as many fields possible such as financial, technical, legal, environment and people, and in all decision making processes. For our initial thrust, we zeroed in on environmental risk management – a hot topic at that time. We were threading on uncharted territory. We were not environmental specialists; we were insurance risk professionals. The only area that we could claim competence outside of insurance was on safety and loss control management. We knew we were opening a new window of opportunity to expand the risk management practice. We also knew we could not be experts on every risk issue. However, TRIMAP required multi-skilled professionals. There was no single person possessing all the qualifications. We had to engage specialists to form our resource panel. In the end, TRIMAP passed the test. The launch of the practice from an environmental perspective was a success. We realized that risk management has no boundaries. We just needed to open up the practice to other related disciplines. The only way to develop it is through inter-disciplinary cooperation.

In my long practice, I have seen how risk managers in many companies are tempted to assume an all-knowing attitude. Understandably, the position title projects them in that manner. It is a misnomer. Risk managers cannot own the risks. They are merely the organization’s third eye, an observer, coordinator, the devil’s advocate, the pessimist. Yet, to many, risk managers are seen as a super guy tasked to manage all the company’s risks; the persons pointed at when nobody owns up to the risks. When we launched TRIMAP, this view changed. However, since that time until today, risk managers seemed adamant to let go of their exclusive ownership of the practice. Following their western counterparts, local risk managers have become “chiefs” citing their strategic role in the organization. This upgrade projected an even more all knowing person. The term chief connotes full accountability and responsibility of the function. Risk managers, in many occasions, have insisted they are not accountable. The risk owners are. Even then, risk managers continue to face broad expectations to live up to their title.

Companies have searched endlessly for highly competent chief risk officers (CROs). In almost 30 years of my professional life, I have yet to see a CRO who has broad specialist skills, a multi-disciplined professional. There is really no one person with that qualification. Most of them that I know have come from the insurance practice. With years of honing up, they have evolved from being insurance managers to becoming CROs. In some companies that I have worked for, I have seen legal officers, internal auditors, finance officers and even Human Resource persons assuming risk management positions. They have been appointed by virtue of their companies risk priorities and attitudes. For example, a cargo handling company confronted with several claims from consignees may choose its chief legal officer to assume the risk officer function. Labor intensive operations like manning agencies may assign their recruitment officers to be also their risk officers. A company with heavy investment risks may find its treasury manager as the best fit to become its CRO. The reality remains. No one person would have the specialist skills in managing the wide range of risks his organization faces. He needs all the internal and external help that he can get to better understand the complexities of risks.

Chief risk officers (CROs) have two main tasks:

1)         Accessing specialist resources to help his organization in understanding the behavior of the risks that it confronts

2)         Championing the cause of risk management across all levels of the organizational structure through discipline-setting and culture-building programs

The CROs are not all knowing. While they would have specialist view of the enterprise risk management frameworks and processes, providing the content and substance would come from industry risk specialists. For example, oil, gas and petrochemical companies would have technical risks that may be alien to the CRO whose experience comes from a cargo handling company. A smart CRO however will seek technical specialists to help him understand the risk characteristics, either internally or externally. An attempt to study the risk technicalities is a good idea too but not practical. The CRO would probably need to complete a five-year degree to have a full grasp of the technical risks. I once was asked this question: What is the rationale of prohibiting cellular phones inside a petrochemical plant? I said cellular phones emit electromagnetic waves that might ignite the hydrocarbon gas inside the plant. This is the best answer my engineering mind could give. The next question was: Can you give me a specific case to support that? I could not talk any further. I was talking to a German petrochemical engineer. Now even gasoline stations prohibit the use of cellular phones while filling up. Is there really a risk of explosion from the phone? I have not received as yet any convincing answer to this question.

The whole point is – companies need external help on risk management. They need a broad range of specialist skills to manage their risks better. The first step is to understand the complex behavior of risks. If one company is having high workmen’s compensation benefit claims because its employees and laborers are frequently getting injured and production is declining due to lost time, this might just not be a problem of safe working conditions. It might be a behavior risk. There are statistics that would support this view. About 80 to 90 percent of accidents are behavior based. If you want to avoid accidents, you must change the behavior of people. There are behavior change specialists that can help. If a power generation company believes its insurance cost is taking its toll on its bottom line and wants to know whether it can trim it down without exposing it to unwanted risks, then risk management consultants with power plant track record can help do comprehensive risk assessments and do a cost of risk survey to find a right balance of risk taking and risk transfer. Squeezing the neck of its insurance brokers and insurers or changing them might not be the right thing to do to save on premiums. This will not get the reinsurance markets’ favor. They want companies to have more risk sharing initiatives to minimize premiums and not just arbitrarily ask for premium cuts.

The truth is that risk management may be outsourced – in part. This important strategic function resides in companies and its stakeholders. However, the skills and specialists inputs are better off sourced outside to access industry best practices. A CRO’s inputs are valuable but their inputs are limited to their lifelong experience. If a company can access more specialists, it can have a hundredfold CROs working for it.

(Daniel Z. Barlicos is a Senior Manager for Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.

The views and opinions expressed herein are those of Daniel Z. Barlicos and do not necessarily represent the views and opinions of KPMG in the Philippines. For comments or inquiries, please email [email protected] or [email protected]).