Uncovering the hidden cost and impact of risk management failure
By Randy Boss, CRM, MWCA, SHRM-SCP

Risk management is a necessary process that businesses and organizations undertake to identify, assess, and mitigate risks that can potentially harm their operations, assets, or reputation. Risk management's goal is to minimize the likelihood and impact of adverse events. But despite the best intentions, it can fail. Here are the reasons behind risk management failures and their consequences.

Failure to IDENTIFY

The first step in risk management is identifying potential risks that could impact a business because you can't manage what you do not know. This step involves reviewing business processes, the external environment, and other factors that could put operations at risk. A business must identify internal and external dangers, such as financial risks, natural disasters, cybersecurity threats, and market competition. As insurance and risk advisors, we can assist in using different methods to identify risk, such as checklists, employee interviews, walkarounds, industry experts, looking at past incident and near-miss reports, and conducting job safety analyses (or similar task evaluation processes). I recently conducted a walkthrough and discovered an opening in a mezzanine without a gate or safety chain. During a round of employee risk interviews, somebody noted that some employees were overriding safety features to speed up machines to add to their piece work pay.

Failure to ANALYZE

The second step in risk management is to analyze data. Failure to do so can have serious consequences that can negatively impact a business in several ways. With data analysis, companies may clearly understand the risks they face, making it easier to develop effective strategies to mitigate or manage those risks. For example, a business that needs to analyze safety records may be able to establish effective safety policies and procedures to prevent workplace accidents. Failure to analyze data can also increase a business's exposure to liability. With data analysis, companies may be aware of compliance risks related to legal and regulatory requirements. These gaps in compliance can lead to violations that can result in fines, penalties, and legal action.

Failure to CONTROL

The third step in risk management is controlling risk. This is critical to the success and sustainability of any business. Each step builds to the next, so failure to correctly identify and analyze efforts leads to a "shot in the dark" control strategy. An effective control strategy protects a business's finances from potential risks. It minimizes legal and regulatory risk, improves business continuity, and protects the company's reputation to support growth and expansion.

For example, implementing financial controls can prevent fraud and financial mismanagement, thus reducing the risk of financial losses. It's essential to recognize that an insurance policy cannot cover all risks and that risk control protects the ability to get insurance at an affordable rate.

Failure to FINANCE

The fourth step of risk management is financing risk, often with insurance policies. Another method often overlooked is to transfer risk by contract. This method is used frequently between owners, general contractors, and sub-contractors in the construction industry. The problem is that many businesses stop with the insurance and don't protect themselves in ways insurance can't. No amount of insurance can replace an injured worker's ability to provide for their family if injured or killed on the job. Businesses often need to be more accurate when insuring their operations. Things to avoid include underestimating the value of their business assets, failing to review and update insurance policies, not understanding the scope of their coverage, and not considering specialized coverage.

Failure to MONITOR

Monitoring risk management results is essential for ensuring that the risk management process is effective and that the business is protected from potential risks. By monitoring risk management, a company can identify potential gaps in risk management strategies, evaluate the effectiveness of risk management strategies, adapt to changing risk, demonstrate compliance, and make informed business decisions.

The consequences of risk management failures can be significant and costly, resulting in:

• Financial Loss: A failure to identify and manage risks can lead to financial losses due to operational disruptions, legal liabilities, or reputational damage. For example, a cyber-attack can lead to data breaches and significant financial losses for the organization.
• Reputation Damage: Risk management failures can harm an organization's reputation, leading to a loss of trust among customers, employees, and other stakeholders. A tarnished reputation can have long-term consequences, leading to decreased sales, lower employee morale, and difficulty in attracting new customers or investors.
• Legal Consequences: Failing to comply with legal regulations and standards can lead to legal consequences, such as fines or legal action. For example, a healthcare organization that fails to protect patient data may face legal action and penalties.
• Operational Disruption: Risk management failures can cause operational disruption, leading to delays, downtime, or even failure of critical business functions. This failure can impact the organization's ability to deliver products or services, leading to lost revenue and customer dissatisfaction.

Reasons behind Risk Management Failures

• Inadequate Risk Assessment: One of the primary reasons risk management fails is insufficient risk assessment. This can happen when the risk assessment process needs to be completed or done superficially by jumping ahead to finance with insurance before it is identified, analyzed, and controlled.
• Lack of Ownership and Accountability: In such a scenario, nobody takes responsibility for managing the risks, and the organization doesn't assign specific roles and responsibilities to manage risks. As a result, the risk management process becomes fragmented and risks need to be adequately addressed. I know this from experience, having conducted hundreds of employee interviews with one of the questions being: "Who in your organization is responsible for managing risk?" The answers are all over the place 90% of the time.
• Insufficient Resources: Another reason for risk management failure is a need for more resources. Loss can happen when the organization needs to provide adequate funding or staff for the risk management function. In such a case, the risk management team may need the tools, technologies, or expertise to identify, assess, and mitigate risks effectively. Lack of expertise is often the case in middle market companies where they do not have the luxury of a full-time risk manager.
• Misaligned Risk Management Strategy: Risk management failure can occur when the risk management strategy is not aligned with the business objectives. For example, the organization may prioritize short-term gains over long-term sustainability, leading to a failure to identify and mitigate long-term risks. A good example is production over safety. A plumbing contractor digs a hole for a quick connection instead of providing shoring protection. A cave-in occurs, resulting in one employee dead, an OSHA visit, and a hefty fine.
• Overreliance on Technology: While technology can improve the risk management process, it can also lead to failure. Organizations that rely too heavily on automated systems to manage risks may miss out on critical insights and data that human intuition and experience can provide. Case in point: an Alabama automotive parts supplier was forced to pay $1.3 million in penalties for the death of a worker back in 2016. The decision came about after OSHA investigated how an employee at its Cusseta facility suffered fatal crushing injuries in June 2016 in a robotic machine. OSHA inspectors learned that the machine operator and three co-workers entered a robotic cell on the assembly line to clear a sensor fault when a robot inside the cell restarted abruptly, crushing a young woman inside. Its inspection led OSHA to cite the company for 51 safety violations, including 48 willful violations. On Feb. 10, 2023, an administrative law judge upheld most of the violations that OSHA issued. That company will now pay more than $1.3 million in penalties to address the violations.

Risk management is just excellent management. Failure results in fines and other regulatory or legal action, elevated employee turnover, customer dissatisfaction, negative or damaged reputation, missed opportunities, product, or project failure, decreased market share, profit, financial loss, and even business failure. The lesson I've learned over my career is that effective risk management is both science and art. All the knowledge in the world means nothing until it is applied.

Randy Boss is a Certified Risk Architect at Ottawa Kent in Jenison, MI. He is a Master WorkComp Advisor (MWCA).