risk management david hornby

RISK MANAGEMENT
david hornby

Generally, Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Traditional risk management focuses on risks stemming from physical or legal causes (eg fires, accidents and lawsuits). In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss vs a risk with high loss but lower probability of occurrence can often be mishandled.

Risk management also faces a difficulty in allocating resources properly. This is the idea of opportunity cost. Resources spent on risk management could be instead spent on more profitable activities. Again, ideal risk management spends the least amount of resources in the process while reducing the negative effects of risks as much as possible.

STEPS IN THE RISK MANAGEMENT PROCESS

A definitive generic description of risk management that originated in Australia and New Zealand, now being taken up in many other countries, is set out in the Australian & New Zealand Standard 4360:2004. The core of the process is a series of five steps:

Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks

In parallel with the core process, communication & consultation is required to ensure adequate information is provided and conclusions are disseminated. Monitoring and review is an intrinsic part of the process required to ensure that the process is executed in a timely fashion and the identification, analysis, evaluation and treatment are kept up to date.
The standard can be found at www.standards.com.au and simple guidance on its application can be found at
www.broadleaf.com.au/tutorials/Default.htm

ESTABLISH THE CONTEXT

Establishing the context includes planning the remainder of the process and mapping out the scope of the exercise, the identity and objectives of stakeholders, the basis upon which risks will be evaluated and defining a framework for the process, and agenda for identification and analysis.

IDENTIFICATION

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

Source analysis Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
Problem analysis Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholder, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated.

EXAMPLES

Partners withdrawing during a building project may endanger funding of the project.

Project ideas may be stolen by employees and used to set up a competing development.

The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:

Objectives-based Risk Identification Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk. Objective-based risk identification is at the basis of COSO's Enterprise Risk Management - Integrated Framework
Scenario-based Risk Identification In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk.
Taxonomy-based Risk Identification The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
Common-risk Checking In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in property.

ASSESSMENT

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring eg a shopper suing a shopping centre for an accident caused by a slippery floor. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets.
Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organisation that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate of occurrence multiplied by the impact of the event equals risk
Later research has shown that the financial benefits of risk management are not so much dependent on the formulae used. The most significant factor in risk management seems to be:

risk assessment is performed frequently
it is done using as simple methods as possible.

In business it is imperative to be able to present the findings of risk assessments in financial terms.

POTENTIAL RISK TREATMENTS

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

Transfer
Avoidance
Reduction (aka Mitigation)
Acceptance (aka Retention)

Ideal use of these strategies may not be possible. Some of them may involve trade offs that are not acceptable to the organization or person making the risk management decisions.

RISK AVOIDANCE

Includes not performing an activity that could carry risk. An example would be not buying a property so as not take on the liability that comes with it.

EXAMPLE

Upon the investigation of the minutes of a strata title body corporate administrating the plan of an investment unit it is discovered that they have not insured the building as required under the act. Therefore, to avoid the possibility of the loss of the value of the investment asset by the body corporate being unable to rebuild after say, fire and any fines or legal consequences of not abiding by the act the investor has decide not to buy the unit.

Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.

EXAMPLE

Old buildings in the inner suburbs of Sydney inevitably have had some “illegal” structures added over the years (such as a laundry attached to the rear of the house). The investor may wish to avoid the risk of buying a building with an illegal addition but in doing so will miss out on a number of profitable opportunities in the inner suburbs of Sydney.

Not entering an investment to avoid the risk of loss also avoids the possibility of earning the profits.

RISK REDUCTION

Risk reduction involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

RISK RETENTION

Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.

RISK TRANSFER
Risk transfer causes another party to accept the risk. For an investment property insurance is risk transfer that using contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. For example a tenant may accept the risk as part of the lease agreement. The rent review clause of a typical lease manages the risk of the rent falling below a market rent.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.

CREATE THE PLAN

Decide on the combination of methods to be used for each risk. Each risk management decision should be recorded and approved by the investor. This is most likely to be carried out by the property manager. For example, the extent of the extensions over and above the basic fire policy should be the decision of the investor. For example, to include meltdown (as opposed to fire), flood or plate glass extensions. If the investment property is sited in a well behaved society the investor my prefer to carry the plate glass insurance themselves.
The risk management plan should propose applicable and effective security controls for managing the risks. For example, a yearly update of the building cover by having a replacement cost valuation carried out by the valuer. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions. In the case of updating the cost of replacement, the employment of the valuer can be carried out done by the property manager at a certain date each year. However, the property manager would need instructions in writing to do this. The risk management concept is old but is still not very effectively measured

IMPLEMENTATION

Implementation is the following of all the above planned methods to mitigate or eliminate the effect of the risks. For example, purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the investment strategy, reduce others, and retain the rest.

REVIEW AND EVALUATION OF THE PLAN

Initial risk management plans will never be perfect. Practice, experience, and actual loss results, will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:

to evaluate whether the previously selected security controls are still applicable and effective, and
to evaluate the possible risk level changes in the investment environment. For example, rapidly increasing building costs are a good example of rapidly changing investment environment.

LIMITATIONS

If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. For example, insuring against war. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if the risk is unlikely enough to occur, it may be better to simply retain the risk, and deal with the result if the loss does in fact occur.

Prioritizing too highly the risk management processes itself could potentially keep an organization from ever completing an investment project or even getting started. Delay while assessing risk will cost the investor through loss of interest and rising building costs.
It is also important to keep in mind the distinction between risk and uncertainty.

INVESTMENT PROJECT MANAGEMENT

In investment project management, a risk is more narrowly defined as a possible event or circumstance that can have negative influences on a project. Its influence can be on the schedule, the resources, the scope and/or the quality.

In project management when a risk escalates, it becomes a liability. A liability is a negative event or circumstance that is hindering the project.
Some of the processes for assessing risk include the following (the parentheses contain some of the jargon used to refer to them).

Choosing unique identifiers for referring to the same risk in company or project documents (identification).
Describing the risk and how it could become a liability (description).
Assessing the consequences of that (effect).
Considering what precautions could be taken to prevent it (precaution).
Drawing up contingency plans or procedures for handling it (contingency).
Categorizing the risk as new, ongoing or closed (risk status)
Estimating the probability of the risk becoming a liability (Risk escalation probability, P)
Estimating the consequences in terms of time for the project (Schedule impact, S)

In addition, every probable risk can have a preformulated plan to deal with it and to deal with its possible consequences (to ensure contingency if the risk becomes a liability).

RISK MANAGEMENT ACTIVITIES AS APPLIED TO PROJECT MANAGEMENT

In project management, risk management includes the following activities:

Planning how risk management will be held in the particular project. Plan should include risk management tasks, responsibilities, activities and budget.
Assigning a risk officer. This should be a team member other than a project manager who is responsible for foreseeing potential project problems. Typical characteristic of the risk officer is a healthy scepticism.
Maintaining live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally risk can have assigned person responsible for its resolution and date till then risk still can be resolved.
Creating anonymous risk reporting channel. Each team member should have possibility to report risk that he foresees in the project.
Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled – what, when, by who and how will be done to avoid it or minimize consequences if it becomes a liability.
Summarizing planned and faced risks, effectiveness of mitigation activities and effort spend for the risk management.

RISK MANAGEMENT AND BUSINESS CONTINUITY

Risk management is simply a practice of systematically selecting cost effective approaches for minimising the effect of threat realisation to the investor. All risks can never be fully avoided or mitigated simply because of financial and practical limitations of the real world. Therefore all investors have to accept some level of residual risks which still may realise despite their efforts.

Whereas risk management tends to be preemptive, Business Continuity Planning (BCP) was invented to deal with the consequences of realised residual risks.

The necessity to have BCP in place is because even very unlikely events will occur if a necessarily long time is available. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's pre-emptive approach and moves on from the assumption that the disaster will realise at some point.

References:

Dorfman, Mark S. (1997). Introduction to Risk Management and Insurance (6th ed.), Prentice Hall. ISBN 0137521065.
Stulz, René M. (2003). Risk Management & Derivatives (1st ed.), Mason, Ohio: Thomson South-Western. ISBN 0-538-86101-0.
Alijoyo, Antonius (2004). Focused Enterprise Risk Management (1st ed.), PT Ray Indonesia, Jakarta. ISBN 979-9891818-1-7.

Further reading

U.S. EPA's General Risk Management Program Guidance (April 2004)
Risk Management Magazine
Alexander, Carol and Sheedy, Elizabeth (2004). The Professional Risk Managers' Handbook: A Comprehensive Guide to Current Theory and Best Practices (1st ed.), Wilmington, DE: PRMIA Publications. ISBN 0-9766097-0-3.Learn More
information risk premium (article)

RISK AND INVESTMENT PROPERTY

The property investors is investing for one clear reason: To make a profit. Poorly managed risks will have tangible and sometimes dramatic effects on that profit. For example, if the building is not adequately insured and burns down. Therefore, sound risk management is important to ensure that your investment strategy can overcome any problems and the investment to continue to grow.

Threats to a small investors or project can come from a variety of sources. Typically risk is categorized risks into four areas:

Financial. These risks hinge on the financial performance of the investment. This can be affected by for example, the rate of inflation and the cost of money.
Operational. Risks that affect how the investor operates internally. For example, the introduction of the GST resulted in new and costly accounting procedures.
Strategic: Risks emerging from competitors or markets of the investor. An investor in a preschool has found that the opening of a more modern preschool nearby has affected their investment.
Hazard. These risks can be the most damaging. Events like natural disasters, manmade disasters, and crime can permanently disable a company.

AN EFFECTIVE RISK MANAGEMENT STRATEGY

An effective risk management strategy must be systematic and robust. It also must be straight-forward, and simple to implement. There are three stages:

Identify. During this stage, the investor needs to thoroughly examine the investment from a number of different perspectives. All risks facing all areas of a company need to be identified. This should be done with as many people involved as realistically possible to give a complete picture.

Evaluate. Each risk is given a probability of occurrence and a severity of occurrence ranking. This can be done with a simple 1 to 5 scale; 1 being rarely occurring and minimal damage. This allows the investor to more clearly understand the extent of potential damage.
Mitigate. The resulting risks are controlled through a variety of methods. For example, traditional insurance is one way to remove hazard risk. Financial risks can also be managed through insurance eg landlords insurance against loss of rent.

Operational risks are minimized by clear check and balance procedures and management oversight within the company. Strategic risks can be minimized by better documentation, such as a good lease with modern plain english clauses.

RISK MANAGEMENT CASE STUDY

Jack and Jill two retirees have been looking around for a suitable investment for their retirement nest egg about $800 000. Nearby is an old service station that has been disused for 3 years. They make enquiries with the local council and find out that the site is suitable for the construction of 8* 2 bedroom strata units. The council is only too pleased to have the site developed as it is an eye sore next to the local hopping centre.

Jack and Jill make enquiries with the oil company that owns the service station and find that they are only to glad to get rid of it as there are too many service stations in the area. They are so pleased to sell that it is on the market for only $600 000.

You have been employed to advise them on their proposed investment.

1 WHAT ENQUIRIES DO YOU MAKE

When old service stations are mentioned immediately the “alarm bells ring”. Old service stations will be subject to severe oil contamination and this will have to be completely remedied before the units can be built.

Your enquiries with council show that yes indeed the site is contaminated and they will need an environmental engineer' report that the site has been decontaminated before approval will be given for a residential use. Jack and Jills' investment is looking much riskier now than when they first made enquiries.

HOW CAN YOU HELP REDUCE THEIR EXPOSURE TO RISK?

As mentioned the oil company is keen to sell the disused site so you begin negotiations with the company. You discover that it will take 12-18 months for the site to be decontaminated. Under these circumstances you successfully negotiate with the company that they carry out the decontamination process and obtain clearance to develop from the council. This way the risk of decontamination has been passed from Jack and Jill to the oil company. It also happens that they are experts in decontamination and can carry out the process more thoroughly and quicker than local contractors.

2 HOW CAN THE INVESTORS' INCREASED RISK CAUSED BY THE DELAY BE MITIGATED?

The risk can be mitigated by advising Jack and Jill to take up an option to purchase rather than buying outright. This will require the payment only of an option fee with the balance payable on the completion which is subject to council's approval to build. Their interests can be further reduced by having time limit on the option or the oil company will pay penalties or compensation for every month the decontamination process is behind schedule. A period of indemnity against any claim caused by the contamination has also been negotiated with the oil company.

You can also negotiate with the oil company for a discount in the purchase price as compensation for the extra costs incurred by the delay.

3 SEEKING COUNCIL APPROVAL FOR THE DEVELOPMENT

The oil company has decontaminated the site and during the 18month delay the investors have employed an architect to design the new 8*2 bedroom strata units. To reduce risk they have employed Council's pre planning enquiry and negotiation process. This is a free service and reduces the risk of the proposed development being rejected particularly on technical grounds. The architect is also there so that they know exactly what sort of development the council favours to mitigate risk of delay.

Risk is further reduced by a having a fixed process contract with the architect to obtain all council's approvals and supervise the building. Risk is further reduced by entering into a fixed price contract with the builder with penalties for any time overruns. The contract should have as long an indemnity period as possible (ie the period during which the builder will fix any faults). Further, it is checked with the builder that they are licensed, qualified and have made all insurance payments to the Board so that the investors can claim compensation if the builder does not complete for example, through bankruptcy.

You advise the investors that immediately upon completion (with council's and the architects certificates completion) take control of the building and insure it against loss through fire, storm and tempest. Since there is no plant and equipment, plate glass or the likelihood of water damage these extensions are not taken up and the investors take the risks themselves.

LETTING UP AND INCOME RISK

You have advised the investors that the highest and best use of the site is keep ownership and lease the units out. This is because of the property's location near a viable and popular shopping centre. Risk is reduced by the fallback or exit position which is selling the units off to owner occupiers. This safety option has been achieved by having the units strataed even though the investors' intentions were to lease the properties. Further, the fallback position has been strengthened by the fact that council would look favorably on a change of use of the lower units from residential to home office.

Risk is reduced by employing a reputable and experienced property manager. A professional property manager will have access to a database of “bad tenants” and expertise in vetting prospective tenant. This will reduce the risk of the tenants' not paying or causing damage. To further reduce risk the valuer/agent advises the investors to take out landlord's insurance which will indemnify the investors against loss of rent and damage caused by the tenants.

If a professional and thorough property manager has been employed then there should be little risk to income arising from the building during the investment period. The property manager has agreed to notify the investors not only their monthly statements but immediately any major problems arises during the investment period.

As the investment matures the property will be subject to appreciation in an expanding economy. This means that the investors' equity will increase over time. This will allowing the investors to negotiate for a new loan at a lower interest rate.