Just a little more than a year after the September 11, 2001, terrorist attacks, Congress passed the Terrorism Risk Insurance Act (TRIA) to provide $100 billion in federal backing for terrorism insurance. After the devastating attacks in New York and Washington, DC, insurers had begun excluding terrorism from their coverage. It was argued that a government backstop was needed to provide businesses with the coverage they needed. (This debate continues with the renewal of TRIA, set to expire in December 2005, under consideration by Congress.)

Yet even with this government backing, the market for this insurance has not been as robust as had been anticipated. "The takeup of terrorist insurance is not all that big," said Neil Doherty, Frederick H. Ecker Professor of Insurance and Risk Management at Wharton and academic codirector of Wharton’s Enterprise Risk Management: Creating Corporate Value executive program. "The perception from the policy point of view is that everyone wants it, but not everyone wants it."

Many Tools, Diverse Risks

Does this mean that businesses are not concerned about terrorism? Hardly. Security continues to be a critical concern, but insurance is just one of the tools that companies can use to manage risks from terrorism or any other source. "There are many ways to hedge risk," said Doherty.

Among these strategies, companies can reduce their exposure to risk. "The first line of defense is to make the likelihood of the event as small as possible, and if the event occurs, to make the loss as small as possible," said Prakash A. Shimpi, president of Fraime, LLC, and academic co-director of the Wharton program. Sprinkler systems to prevent fires, improving security, and redesigning buildings to reduce risks of terrorism are examples of these preventive steps. On the other hand, companies may choose to do nothing about the risks today but purchase insurance or set aside funds to address them after the fact.

Sometimes strategies designed to deal with one risk can help with others. For example, business continuity systems that were designed for disruptions due to anticipated Y2K computer failures helped companies resume business quickly after the 9/11 attacks.

There are also various financial approaches to addressing risk. "Many companies are choosing to address risks by readjusting their financial leverage rather than hedging," said Doherty. Companies are also using access to cheap contingent capital such as convertible debt that can help them respond to sudden shocks or losses.

Enterprise Risk Management

In addressing security and other risks, companies increasingly are taking an enterprise view of risk management. "Risk is not something that can be parceled out to various parts of the firm," said Doherty. "We have to put it all together to look at the combined impact of risks on the firm."

This rising concern for understanding and addressing risks can be seen in the creation of Chief Risk Officers (CROs) at many top firms after governance failures and terrorist attacks raised awareness of financial and operational risks. A May 2004 survey by Ernst & Young, for example, found that a quarter of the top 100 global insurance companies had a full-time CRO, and most of these positions had been created in the past 3 years.

Other companies are adding CROs, sometimes only after a disaster makes them aware of the true risks they face. Fannie Mae, reeling from an accounting scandal that drained some $10 billion of market value from the company, announced at the end of September that it was adding a CRO. Many observers, and government regulators, criticized the company for not taking on this position sooner.

By looking at exposures across the organization, companies can develop more coherent strategies. The first step is to catalog all the risks that face the organization and quantify the damage that might be suffered if they occur. "For a firm facing a lot of diverse risks, it is not always easy to determine when you spend too little or too much," said Shimpi. "There is no magic formula."

Pass the Parcel

Once the risks are identified, the central decision is which ones to hold and which to move out of the firm. "There is what I call a law of conservation of risks," Shimpi said. "Once a risk is there, it is neither created nor destroyed, but it can be shifted."

These risks can be moved out by getting out of risky parts of the business or through insurance or other mechanisms. The important thing is that these decisions be conscious.

In some organizations, Shimpi said, risks are handled like the children’s game of "pass the parcel." In this game, the parcel is passed around among players until someone is caught holding it when the music stops. "Companies shouldn’t play pass the parcel," Shimpi said. "They need to decide which risks they want to hold."

Linking Risks to Financial Statements

To make a business case for addressing risks, companies need to link the consideration of risks directly to financial statements, Shimpi said. "Enterprise risk management needs to be part of the corporate planning process," he said. "We can’t think about risk management as an isolated subject. We need to look at risk critically, think about what drives the profitability of the firm and identify points of contact between the risks and financial statements. We then need to allocate enough coverage to mitigate the risks."

The assessment of risk can have a significant impact on decisions such as the allocation of capital within the company. For example, allocating capital on an incremental basis versus a total basis "is an apparently technical issue with massive consequences," Doherty said. The choice about how to allocate capital affects hurdle rates and could lead to decisions to reject projects or even close divisions that would otherwise be sustained.

There is no way for a business to completely avoid risks, said Shimpi — nor would it want to. Risks are an integral part of business, so they should be an integral part of strategic thinking about the business. "A business is a collection of activities that have risks, and that is what leads to returns," Shimpi said. "Risks and returns are so intertwined."

• Enterprise Risk Management: Creating Corporate Value

Related Articles

• CNN Video Interview Prakash Shimpi: Risk Management
  
  
• Global Finance article featuring Prakash Shimpi

• Wharton Executive Education
  
  
• The Wharton School

This month's articles:

• Thought Leaders
  A Q&A with Wharton's new Vice Dean offers new perspectives on executive development.
  
  
• In the Classroom
  How can companies best assess and manage security and other diverse risks?
  
  
• Custom Programs
  How have security careers and security organizations changed since 9/11?
  
  
• Education à la Carte
  New programs to increase your job security.