Risk assessment, compliance and the law of diminishing returns

We were talking a few days ago with the risk manager of a large national retailer. He told us his vendor contract insurance compliance rate was 97% but that senior management of the company demanded 100%. He wanted to know if we could help with the extraordinarily involved and byzantine conditions the company imposed on each contract, conditions so complex that it required research and the careful reading of the insured's legal documentataion and their insurance policies.

After about 45 minutes of discussion it was concluded he would need to build custom software to address all his criteria, and it would not be a trivial task. The logical question was – at what cost, and to what benefit? That got me to wonder, were we looking at best-practices risk management or something approaching perfectionism? In other words, where do you draw the line?

The law of diminishing returns says that at some point the benefits gained are less than the amount of energy and money invested in the effort. Was our friend reaching for an unreasonable ideal?

Maybe. Of course, the trick is defining where that point it.

One way forward can be found through the consistent and informed application of sound risk assessment principles. This involves both qualitative and quantitative estimates of risk and the impact of the potential hazard on the business. And as the probability and magnitude of the hazard are difficult to measure, there is a natural tendency to over-compensate on the insurance requirements asked of the insured.

Nevertheless, answering a few basic questions can help determine your strategy:

1. What is the context of the activity posing the risk?
2. What could happen?
3. How could it happen?
4. What can be done to mitigate the risk?
5. What is our past experience with this kind of risk?
6. Are there special considerations or local laws applicable to the risk?
7. How do my peers manage this situation?

After reviewing tens of thousands of certificates of insurance it has been our experience, not surprisingly, that the more extensive and complicated the insurance coverage requirements imposed on the insured the less likely of quickly attaining compliance. This seeming "everything-but-the-kitchen-sink" approach causes a ripple-effect of frustration in both directions – from the insured to the certificate holder and vice versa, with the insured's broker caught in the middle. In the meantime, projects get delayed and problems can mount.

Another approach toward resolution of contract compliance relates to having some acceptable degree of flexibility in your requirements. Ask for X but know you will settle for Y (the insured doesn't have to know that).

It is not uncommon for some element of contract insurance requirements to be waived if the coverage is deemed "close enough" to be treated as in compliance. However, should this practice be utilized be sure there is a mechanism in place to inform the appropriate party in your organization that an exception to the rules has been made - the consequences of error in overriding insurance requirements demand that a flag be raised at the time of the waiver.

Although there is no place for an "80/20" rule in risk assessment, the general concept of something less than absolute applies, just as it does in most everything in life. Those with deep pockets and high ideals might always be inclined to test the limits of what is attainable, and in so doing may ultimately show a path of benefit to others. For that we can all be grateful. In the meantime, 97% isn't so bad...