One common question we get when talking to business and nonprofit leaders is some version of the following:
“Of course I have a risk management program. I bought insurance. Isn’t that enough?”
The answer, emphatically, is no.
1. Insurance companies are not your friends. While some companies might profess to be like a good neighbor, to be on your side, or to place you in good hands, insurance companies are in the business to make money. They do not make money by paying claims without scrutiny. They make money by collecting premiums, investing that money, and avoiding the payment of claims to the greatest extent consistent with the law. This means that any insurance policy will be subject to certain exclusions. It also means that you, the “insured,” must carefully disclose all pertinent information in an insurance application. It is unsound business for an insurer to generously overlook exclusions or statements in an insurance application that could be read, in hindsight, to be less than fully candid. In other words, when the time comes to make a claim, never assume that an insurer is looking out for your organization.
2. Mitigation efforts can reduce the need for insurance and reduce its cost. The theory of risk management is to identify potential threats and take steps to reduce the likelihood or impact of those threats. Sound risk management can reduce the chances of identified risks coming to fruition. Risk management can reduce the magnitude of exposure. It can often reduce the speed at which potential problems turn into claims.
3. There are other ways to shift risk. An insurance policy is basically an agreement in which both sides are making a wager. You, as the insured, are hedging against the possibility that a claim will arise. The insurer is betting that, on average, few enough claims of the sort insured against will arise that the premiums, invested responsibly, will cover the company’s exposure while creating profits.
As the potential insured, there are other ways to hedge your risk. To the extent the risks involve business relationships (e.g., employment, purchase or sale of goods or services), much of the risk can be identified and addressed through sound contracting practices. Other risks may be reduced substantially by entering into joint venture, partnering, or consortium arrangements with others who have similar objectives. Still other risks may be reduced by seeking and employing expert counsel (e.g., law, accounting).
4. Insurance never covers all of a loss. There are usually deductibles, co-pays, damage caps, and other limitations that reduce the value of the insurance relative to the claim presented. Furthermore, to the extent that a claim results in litigation, the out-of-pocket costs of that litigation may not be covered by an insurance policy. Even if the litigation attorney’s fees and costs are covered, an insured faces substantial costs in terms of business disruption. And rarely does any form of insurance cover the reputational cost of claims against an organization. To paraphrase Warren Buffett, it takes a long time to build a reputation, but only a single incident to destroy it.
Without a doubt, insurance may be one aspect of a sound overall risk management strategy. But as noted above, insurance is not a complete answer to an organization’s risk management.
Please share this post if you found it useful. We are out to change how organizations think about risk management, and we need your help.