“Here is Edward Bear, coming downstairs now, bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there really is another way, if only he could stop bumping for a moment and think of it.”

— Opening lines of “Winnie-The-Pooh”

by A. A. Milne

There Really is Another Way

Winnie-the-Pooh may be a bear of very little brain, as he claims, but his simple common sense often cuts through to the essence of a problem. There really are better ways to do things if we only stop bumping long enough to think of them.

This is especially true of risk management because of its extensive scope and especially true now, when the world is changing at an ever-accelerating rate. It will therefore be the theme of this discussion to focus on the essence of risk management, where it may be going, and what to do about it.

Though I’ll talk about the future, don’t expect prophecies. After 47 years in risk management (30 as a consultant) I am aware how wrong forecasts, especially from “experts,” can be. I’ll try to avoid the trap of thinking I know very much. All that I or anyone can do is look at fundamentals and try to escape past conditioning.

Thoreau once wrote that the old have very little to tell the young — but he was a young man when he wrote that. How would he know? He is right in the sense that time fixes most people in their prejudices, but wrong in the sense that he didn’t appreciate the value of perspective that time provides.

What is Risk Management?

Some people like to debate whether risk management is or is not a profession, but that is fruitless — like counting angels dancing on the head of a pin. It’s just part of management. And management, as Peter Drucker says, is a discipline, not just common sense or codified experience, but potentially at least, an organized body of knowledge.

Risk management (even more so than management) is still too young to have much of an organized body of knowledge. It has grown, Topsy-like, in a series of ad hoc insurance-buying maneuvers in response to the need to protect against catastrophic events.

Buyers of 40 years or more ago were pretty much at the mercy of insurance companies, who offered limited coverage and no deductibles to speak of. This changed, but in response to practical situations, not as a result of management theory.

Risk management, as we know it, started shortly after World War II, when risks multiplied and values rose. The first intellectual ferment was in the 1950s, the focus of which was American Management Association seminars spearheaded by Art Deric.

Insurance managers of the time who laid the groundwork for risk management included Doug Barlow (Massey Ferguson), Jim Cristy (Upjohn), Russ Gallagher (Philco/Ford), Fred Greenlaw (Kaiser), Joe Ruppel (Seagram), Ray Severin (American Metal Climax), and Roy Westran (Kaiser). There were more, but these are the ones that come immediately to mind.

Academic discipline was then added by Wayne Snider and Bob Hedges, both of Temple University. The first text which truly addressed risk management was Risk Management in the Business Enterprise by Mehr and Hedges. I don’t have a copy at hand, but think it came out about 1963. Later texts refined the subject a bit, but have not changed its essence. There are no texts, to my knowledge, that adequately cover the current risk management scene with all its risk financing options and global implications, though Practical Risk Management attempts it from a practical, rather than theoretical, basis.

As for risk management education, it was in the middle 1960s that RIMS had the Insurance Institute of America commence the Associate in Risk Management (ARM) program. Under the leadership of Dr. George Head, it has developed into an excellent resource. Most risk managers would be well advised to get their ARM, but as with all education, it is just a starting point, not a substitute for broad management knowledge and skill.

One characteristic of all this development stands out: it was derived from insurance and still has a strong insurance orientation. Intellectual direction comes from the Insurance Institute of America; RIMS is the Risk and Insurance Management Society; insurance brokers provide much leadership but (sensing the trends) are expanding in non-insurance directions.

Limitations of the Insurance Approach

But what, you might ask, is wrong with an insurance approach? The answer is that it structures thinking in a way that emphasizes insurance solutions and — much more important — overlooks important risks and aspects of risks for which there are no insurance treatments.

For example, some risks slighted by an insurance orientation include:

Access denied, bridge failure

Adverse publicity

Competitive product

Computer software failure

Confiscation

Contamination

Contract penalty clauses

Contractor delays

Corrosion

Currency fluctuations

Customer failure to accept

Discrimination

Drought

Economic policies

Epidemics

Foreign corrupt practices

Inflation

Insolvent insurer

Inventory shortages

Key person,

Loss of market after shutdown

Nuclear explosion

Political risks

Pollution, sudden

Pollution, gradual

Power failure

Premature cancelation

Processing errors

Radioactive contamination

Rapid obsolescence

Spoilage

Strikes

Style changes

Takeover defense costs

Tariff policies

Tax policies, domestic and foreign

Temperature changes

Trade secrets, loss of

Unauthorized computer access

War

Are these risks any less important than fires, liability suits, etc.? Of course not. A buck is a buck, no matter how you lose it. These important risks are overlooked simply because the risk manager doesn’t know what to do about them, and insurance sources have no answer.

In addition to these neglected risks, many important indirect aspects of insured risks are also neglected; for example, considering only workers compensation, we have:

Administrative costs of claim

Damage to equipment involved

Disruption of schedules

Loss of efficiency with new worker

Loss of use of equipment involved

Possible insurance rate increase

Time at hearings and legal proceedings

Time of others who stop work to help

Training substitute worker

Liability suits probably have even greater indirect costs when you consider all costs plus the management time consumed.

Today’s Needs

Louis Drapeau, president of RIMS, gave a good summary of where we stand today in a paper you can download from the Arkwright Web site. He noted the four concerns today of (1) the global nature of business, (2) reengineering, (3) technological changes, and (4) the changing social environment. All contribute to a changing concept of risk management, and may be leading to a more holistic approach to risk.

Pure risk, speculative risk, and portfolio risk all pose a chance of loss. Why not treat them together? We don’t have the practical tools yet, but techniques of financial risk management are evolving and could engulf a more limited risk manager.

Drapeau brought out a significant point in his discussion of holistic approaches to risk when he said “If that is the approach senior management decides to take, you must be ready to run with it. There are other players in contention for the job. They live in your finance, legal, benefits, safety departments, etc., and all of them are managing risk in one way or another.”

Elements in Managing Risk

A risk manager’s job is to figuratively sit on a hill, look down at the company, visualize all activities, and try to think what could go wrong and what to do about it.

Just as nature is not separated into physics, chemistry, biology, etc., risks are not separated into insurable vs. uninsurable, pure vs. speculative, or fundamental vs. particular. Each is a way to understand a risk, just as physics lets us understand motion. Insurable risks are no more all of risk management than physics is all of nature.

The risk manager’s job is not just to handle risk, but simply to help the organization do its job. The way to do this is by the classic sequence of risk management actions, but they have been applied too narrowly. Let’s look at them this way:

1. Identify and measure risk. This is the key to good risk management, but is rarely, if ever, done completely. Risk measurement means assigning an estimated value to all aspects of risk, including indirect and unmeasurable factors. Yes, precision is impossible, but which is better: making an educated guess or ignoring the matter?

Risk measurement means assessing probabilities. Computer techniques, such as Monte Carlo simulations, are important tools.

If a risk manager does a conscientious job of analyzing all the risks and all their potentials, and bringing their potential impact to management’s attention regularly, chances are he or she will wind up in top management.

2. Control risk. Loss prevention takes many forms, most of them calling for special skills. The risk manager’s function is to see that they are performed by the best qualified people; the risk manager need not — in fact, cannot — do them personally.

Loss control is often tied in to insurance underwriting and rating, but as firms assume increasing amounts of risk, they can become independent of insurers and engineer their loss control programs in conformity with cost-benefit analyses rather than standards of outside sources who have no concern for costs.

3. Assume risk. There has been a steady increase in the degree to which risk is assumed, but my observation is that most firms have much farther to go. We haven’t yet broken free from the insurance yoke.

Many firms don’t even realize the huge extent to which they already assume unidentified and intangible risks. The risk manager’s job is to see that the total retention, combining all types of risks, does not exceed the threshold of pain.

4. Transfer risk. The inadequate scope and cost of insurance mean that we need bold new techniques for risk transfer. Increasing worldwide exposures call for global plans, whether by hedging, finite risk insurance, or another carefully tailored plan. In this respect, some global insurers are developing useful approaches.

5. Administration. Administration includes important technical fields beyond the risk manager’s expertise, but which must be managed through knowledge and experience. They include claims adjusting, litigation control, rehabilitation, valuations, and others. In larger companies, their scope may be sufficient to call for staff specialists, but in smaller organizations, the risk manager must have the ability to oversee them.

Combining the Elements

Considering all these elements, we get to the crux of the issue. Should one risk manager oversee all, or can they be handled in different departments? Today it is a mix of both. Will the trend be to more centralization or more diversification?

I used to believe that one risk manager was needed because all aspects of risk inter-relate. Insurance costs are tied to loss prevention costs, and so on. Now I think this is less true as companies bring more losses in-house and depend less on external risk transfer.

The important issue is not centralization versus diversification, but whether each job is done well.

Malapropist Yogi Berra is reported to have said “When you come to a fork in the road, take it.” Risk management is now looking at such a fork, one branch leading simply to refining current techniques, the other to totally new management treatment of risk.

The New Risk Manager

Tomorrow’s risk manager must be a manager, a generalist, and a broadly educated person. Note that the dean of management consultants, Peter Drucker, is a well-rounded man, versed in history, economics, philosophy, and other liberal arts. Tom Peters, another respected management thinker, says you will get more useful management knowledge from classic novelists such as Chekhov than from business consultants.

Being a better risk manager is closely tied to being an educated, balanced human being, at home in both the liberal arts and science. General knowledge forms the latticework from which hang all risk management actions.

With that in mind, let me list two personal qualities which seem particularly important.


The first trait I commend is a healthy skepticism — not cynicism, which is subjective distortion — but thoughtful questioning of everything, combined with assessing the degree of credibility of each source.

Almost everything we know comes from others, so knowledge comes best from weighing each person’s degree of credibility. What is their source of knowledge? Their self-interest? Their clarity of thought?

Most, if not all, people are quite sincerely wrong in some respects. Every great thinker of the past has been found to be. We are no better. We have more accumulated knowledge, but knowledge is not wisdom.

In risk management, the quality of skepticism should appear most often when considering surveys, reports, and statistics.

In “Beyond Innumeracy,” professor John Allen Paulos says: “Many high school students can’t interpret graphs, don’t understand statistical notions, are unable to model situations mathematically, seldom estimate or compare magnitudes, never prove theorems, and most distressing of all, hardly ever develop a critical, skeptical attitude toward numeric, spatial, and quantitative data or conclusions.”

This unfortunate state of affairs extends to many practicing risk managers, as is only too graphically illustrated by the periodic “Cost of Risk” survey of Tillinghast and RIMS. It purports to allow firms to compare themselves to others by a single figure which does not include all costs of risk, uses poorly defined data, and is subject to hardly any critical analysis. Quite tellingly, it omits any mention of confidence levels.

An elementary course in statistics would laugh such a survey out of school, yet it has been widely and uncritically accepted by the risk management community for many years. Why? Pure innumeracy.

We must do better than this or risk management will be taken over by those who are better educated.


The second trait I commend to you is independent thinking — not an easy goal. After all, human beings are essentially pack animals; we instinctively follow a leader. That has survival value, but should be recognized and resisted to the extent possible.

For example, have you noticed that everyone in a particular insurance group sincerely believes the same things? Same underwriting standards, same loss prevention standards, etc. Your company or group has a culture which should be followed but recognized as just one of many possible approaches.

What You Can Do

So far, I have been more abstract than concrete, so let me end with what seem to me some practical thoughts.

1. Get a liberal education. This is a never-ending process. Read regularly in history, philosophy, economics, psychology, literature, science, semantics, and biography.

Take notes as you read. They can help you recall the book. I find it faster to take notes on a computer.

In addition to reading, try audiotapes from The Teaching Co. (Super Star Teacher series) and Books on Tape. This is a great way to salvage commuting and other driving time.

2. Subscribe to the New York Times. Expensive, but worth twice the cost. It tells you more about what goes on in our changing world than any other publication. It is also available on the World Wide Web at http://www.nytimes.com.

This is important because of the increasing rate of change. Responsible periodicals are becoming more important than scholarly examinations of the past.

3. Get on the Internet. Spend about half an hour a day — more is usually a waste of time — checking out its resources, which are limitless and expanding.

4. Study finance and statistics. Go to night school, find some good texts, or get a tutor.

5. Read Strunk & White. “The Elements of Style” will help you write better, and writing is the key to selling your ideas — or yourself. Omit needless words. Omit needless words. Omit needless words. [None of those words is needless] If you practice going back over your work and crossing out words and even whole phrases, you’ll be amazed how improved your writing will be.

6. Get an ARM and CPCU. I hesitate on CPCU because of its insurance orientation, but nothing at a comparable professional level (except possibly some university programs) in risk management is available.

RIMS will probably not create a professional level program. It is more a trade association than professional group (a statement, not a criticism), and is too beholden to the insurance community through sale of conference booths and advertising. It would therefore be useful for an ad hoc group of advanced risk managers to work with an educational institution to develop a broad management program for risk treatment.

Now I hope you will all go home and reread “Winnie the Pooh.”
