Corporate Risk Management

Before getting down to the practical method of personal risk management (PRM), it's necessary to explain the corporate risk management(CRM) because RPM is based on CRM. In addition, if your are managers who already know CRM or who are studying it, you can learn PRM in comparison with CRM. Comparison studies are sometimes helpful to the deep understanding of essences. If you are not interested in something about corporate, you can skip here.

Companies are run in principle on a profit base. If a company is in the red for some consecutive series of business years, it will be apparent to see what is going on with it. The company will go bankrupt in short of cash or if there are luckily good parts of business fields remained, the company can be on a purchase list for M&A. If any, the mission of companies is not achieved as going concerns. Although there are some exceptions like Amazon.com, which had seen no profits since the start-up(as of 2001), those companies have hopeful business models that retrieve all the investment in the future.

There have been big arguments over what is the primary purpose of running companies. The management king, Peter Drucker, for example, insists that the purpose of companies is to create customers. It seems to me that what he says puts focus on how to earn profits. This is a very simple indication for company's management in the general trends of high-advanced management technologies. Making profits is a matter of course, but what is more important is where companies have to focus on with limited resources. It's customers. Creating customers definitely leads to profits. Although there are different viewpoints in the definition of running companies, basically the purpose of companies to make profits.

Profits as important and tangible results of company's management will be in vain if something bad happens to companies such as explosions in factories, product liability, recalls or failures of new business. In complex and uncertain business environments, there are a lot of uncertain factors to affect company's profits. If a company deals with even one of them badly, it may lose not only much of the profit they struggle to earn but also the company itself. Actually There have been many companies that disappear without proper disposal of risks. As long as nothing wrong happens, it's OK. But just in the cases, companies have to come up with preventive management systems in terms of protecting precious profits. This is the CRM. Although CRM seems like defensive management, CRM is the same important management methods not to lose profits, compared with aggressive one such as strategy planning, marketing, IT investments and so on.

To introduce the outlines of CRM, there is a risk management cycle. The ways of thinking about CRM differ by scholars or the companies that adapt it. Basically, however, CRM consists of the following four steps, identifications, evaluation, control, and review. Since CRM is one of the company's management methods, it's based on the popular management cycle, plan-do-see.

Get down to the process. The first step of identification is to find out the risks companies are facing and will face. Companies are surrounded by much more risks that individuals because of a wider range of business activities. What companies have do first in CRM is identify not only tangible risks but also intangible ones that lurk in business activities. More practically companies proceed the work by listing up all thinkable risks with check sheets. It’s much easier to find out the former as you can guess partly since companies already learn from the past accidents or the risks competitors face, partly since companies know what may happen in the well-known domains. Although it can’t be called a risk, it’s still a risk in terms of not leading to actual damages.

But when it comes to the invisible risks, companies need thorough researching functions. There are mainly two categories in this type of risks for new and outside factors. For example, when a company adapts a new technology that is just developed in the industry the company belongs to, the company will face a new risk because no one experiences that. Although the company has difficulties to cope with the risk, it’s still important just to identify the risk at this stage. As for outside factors, there are fast-changing business environments such as currency fluctuations, sudden changes of foreign laws or trade partner’s stances and so on. Companies can’t often cope with many of them quickly. In this type of risk it’s also necessary to prepare for them in usual times with close monitoring functions and simulation systems.

Secondly companies go to the next step of evaluation in CRM. At this stage companies evaluate the risks after identifying thoroughly the ones the companies face. As I repeatedly insist, companies do business in principle on a profit base. Putting in another way, companies are evaluated by monetary values. So here is a necessity to consider how the risks affect the profits of companies. Idealistically, any risks can be evaluated in money. It’s comparatively easy to evaluate the risk of properties damages such as factories, equipment, cars or trucks. If a company gets damaged some of the properties in accidents, depending on the damages, the risk is at most the replacement costs. There are, however, a lot of risks that are difficult to be evaluated in money. The risk of losing brands, for example, is one of them. It’s very difficult even to evaluate the asset of company’s brand itself. Even though all the risks can't be evaluated in money, there is such a wide range of risks from property damages to new product developments or any legal risks, which CRM can end up in the work of calculating the amount of risks. If a company succeeds in evaluating all the risks on a monetary base, the next subject is to recognize how the risks affect the company. There are a lot of thinkable hazards and perils leading to actual losses. The company has to simulate how those factors affect the profits despite there are uncountable scenarios. Of course there are companies that put thorough evaluation into practice sometimes with CRM programs, but it needs highly advanced financial technologies.

More practically for in particular, small businesses or the companies that can't adapt highly advanced CRM programs, all-checked risks are given priority by frequency and severity according to the impacts as the chart below. The highest risk A with high frequency and high severity is the most prior for the disposal to any other risks. And as the rating goes down, the priories are behind. This evaluation method focuses on rating risks to give priorities rather than evaluating on a monetary base how much the risks are exposed to.

For the third step, risks through the process of identification and evaluation should be controlled. There are several ways of controlling the risks. If a company finds a big risk with less benefits, the company is supposed to avoid it. As long as business is concerned, there are few occasions where companies can avoid any risks. Conversely, the companies that always avoid any risks don't deserve being companies. Therefore companies have to prevent risks from leading to actual damages such as strengthening the fire prevention systems, hiring lawyers to prevent from legal troubles. Any companies, however, could get damaged regardless of bigger or not while they are doing business for a long run. What’s important is to recognize that something happens. Even though a company can avoid some of the risks and take all preventive measures for them, it’s necessary for the company to consider what it would do just after something happens. So a company has to take out insurance to cover monetary losses. Furthermore, if a big incident affecting a company heavily occurs, the company needs to control the damage soon after the incident. In professional terms as I mention afterward, this is the field of crisis management.

A Japanese food company, for example, incurred almost unretrievable damages because of the food poisoning (June 2000). In the business year, the sales of the company dropped to nearly two-third of the previous year and its profits plummeted to almost the half. The food poisoning itself is not forgivable. What's worse in the case was the bad reaction the company did after the incident. The disclosures were not enough. The president gave the impression that he was a victim by the ill-management of the factory. Even if a company adapts a well-established risk/crisis management method, it needs to consider not only pre-incident measures but also post-incident actions.

The final stage of the CRM process is review. The review includes two phases. One is that a company reviews CRM at regular intervals although there is no incident. In the first changing environments, the nature of risks always changes. Furthermore, companies constantly cope with newly-born risks especially in the field of IT. CRM should also be reviewed for any risks. For the other phase, companies review the existing CRM after some incidents happen. There are many cases in which insurance coverage is not enough or CRM manuals don’t work in the actual incident.

To carry out reviews, it’s very effective to study the cases of other companies regardless of the company belongs to the same industry or not. Companies can learn what kind of risks there are and how other companies cope with risks or accidents. Although companies recognize any kinds of risks, there are very thin possibilities of leading to actual damages in many of the risks. Especially in post-accident reactions, it’s very difficult to review whether or not CRM works. By learning from case studies, companies can review their own CRM.

CRM has so deep contents that if you want to study further, you have to read professional books in this field. There are many books about it on the shelves in bookstores. What’s lesson in this chapter for PRM is to understand fundamental steps of risk management methods. PRM is base on CRM whose theories have been already established to some extent.