One of the most common risk management strategies is imposing insurance requirements on third-party contractual relationships, such as those with tenants, vendors, suppliers and contractors. Although risk transfer is widely used, it can be difficult for the Risk Manager to know the right level of protection for a given risk, or even to foresee all the potential risk events that could present a threat.
In a recent white paper from the Institute of Faculty and Actuaries, defining what is an actual operational risk to the organization was described as an area of considerable difficulty. It is no wonder many Risk Managers do not have a well-defined classification system and make guesstimates. It is a question we are routinely asked in our own interaction with clients.
In the insurance world, risk classification is used primarily to determine what the cost of insurance should be when there is not sufficient information to estimate the price for a given situation. In order to derive a price, events that are expected to have the same costs are grouped together. A price is calculated for the group with the assumption that it is applicable to all members of that group. In this way, insurance risk classifications are created.
Although not actuaries, Risk Managers can apply basic risk assessment procedures to build their own classification system. A good start is to inventory your organization’s exposure to third-party risk by identifying potential pitfalls that could negatively impact the enterprise. Spell out what those third parties are actually doing and how they are doing it. Clearly a locksmith doesn’t have the same exposure as a crane operator, but some activities are more nuanced, or subtle.
For example, technology continues to pervade enterprise businesses in myriad ways, much of it outsourced, with close, often interconnected ties binding both supplier and client. Different kinds of insurance coverages are being imposed on these classifications apart from the usual CGL, Auto and WC. As underwriters continue to subdivide cyber and E&O risks, it might be useful to study those categorizations when formulating your own classification system.
Unfortunately, there is little specific reference material available to assist the Risk Manager in the challenge of risk classification. Everyone seems to brew their own. And of course, events outside the bounds of conventional risk assessment - those dreaded Black Swans - are always a threat that is impossible to quantify. Uncertainty is, after all, the essential foundation for the entire insurance industry.
Nevertheless, combining risk assessment due diligence with risk management best practices, such as verification and enforcement of contractual insurance coverage requirements, designation as an Additional Insured and proper tenant/vendor pre-qualification, will go a long way toward ensuring that your risk classification system, although never perfect, has at least been formulated and that considered procedures are in place.