Risk control strategies

Reasons for risk control

Managing probability and impact

An organisation may reduce its exposure to loss events by lowering the probability that a given event will occur or by mitigating the impact of any event that does occur

Loss prevention tools: reduce the probability of a loss event by targeting its causes. The causes of a loss event are usually linked to the actions or inactions of people, failures in processes and systems or external events. Loss events often require more than one cause to occur

Loss reduction tools target the effect of loss events. Loss events may have financial and non-financial effects. In financial terms, they can affect the resources (physical assets and cash assets) of an organisation

Loss reduction tools reduce the financial effects of loss events by limiting the physical damage that is caused (such as by having a sprinkler system to put out a fire as quickly as possible), or by helping to fund the repair or replacement of lost assets, compensation payments or legal liability claims as cost effectively as possible. Insurance is one way in which the repair or replacement of lost assets and compensation and liability claims can be funded

In non-financial terms, loss events may cause death and injury. Loss events may also affect the reputation of an organisation via lost customer goodwill or adverse media coverage - these can have an indirect financial value

The non-financial effects of loss events may be mitigated by shortening the duration of a loss event or by helping an organisation to recover quickly from events. Loss reduction tools may also help to prevent death or injury, such as the use of evacuation arrangements in the event of a fire

An organisation will employ a range of loss prevention and loss reduction tools to control particular loss events - in part this is due to the fact that events are the result of multiple causes and have multiple effects - it is rare for any one risk control tool to combine probability and impact reduction

Using controls for loss events to help seize opportunities

From a risk management perspective, risk control is focused on preventing the causes and reducing the effects of loss events

From a wider strategic management perspective, risk control may help an organisation to seize opportunities for higher levels of financial and non-financial performance, allowing it to achieve and sometimes exceed its objectives

Traditional loss prevention and loss reduction tools can help an organisation to seize opportunities by protecting its cash flows - an organisation needs cash to help it to exploit opportunities such as exploiting new technologies, markets or opportunities to develop new products

Mechanisms such as market research and strategic investments such as flexible manufacturing systems or IT systems can help organisations to seize new opportunities

The five T's of risk control

Tolerate

To tolerate a risk exposure means to take no formal action to control it

Risks may be tolerated where they are known and accepted by an organisation - this may be where a risk exposure is considered to be within an organisation's appetite for risk

An organisation may tolerate a risk where active controls are considered uneconomic or impractical or where the risk is necessary to support the achievement of organisational objectives - objectives such as the development of new products, process change or the implementation of new technology systems will always require a degree of risk

The key point is that risk should be accepted on an informed basis, not simply ignored

Where risk exposures are tolerated, it is good practice for senior management to approve and periodically review the decision.

It is rare for a risk exposure to be tolerated indefinitely

Treat

Risk treatments are actions taken to manipulate an organisation's exposure to one or more risks, either to mitigate threats or to exploit opportunities.

Risk treatments include many of the loss prevention and loss reduction tools that can be used by an organisation

Treatment can also mean deliberately increasing risk, by increasing exposure or relaxing controls, where this supports an opportunity

Transfer

Risk transfer passes the impact of loss events to a third party. This may involve passing on:

the financial impacts of a loss event

the financial and non-financial impacts of a loss event

Passing on only the financial impacts of a loss event is achieved via insurance or equivalent risk taking contracts. Insurance contracts provide either full or partial indemnity against pre-specified loss events in return for the payment of a consideration or premium

Passing on the financial and non-financial impacts of a loss event involves a contract with a different type of third party, usually a supplier or outsourced service provider.

Whenever an organisation uses an external supplier to provide goods and services, it is effectively transferring the risks associated with the production and supply of these goods and services to the third party. It does not, however, transfer the risk that the supplier fails to deliver (see controlling third party risks below), and it remains accountable to its own customers and regulators for the outcome

Terminate

Termination includes any action taken to stop an activity or leave a location that is creating a particular risk exposure or combination of exposures

For example, an organisation might decide to vacate premises with a high risk of flooding or it might decide to stop using an operational process that creates a risk of environmental pollution or new technology that has a high risk of failure

The decision to terminate a risk exposure is a very serious one - the only way to terminate an exposure is to terminate the activity or location that is creating the exposure

This could mean that an organisation passes up valuable opportunities and it may fail to achieve its objectives

The achievement of organisational objectives will always require activities that involve exposure to risk

The decision to terminate a risk exposure should only occur where no level of risk exposure is considered to be tolerable or where the risk exposure is considered to be untreatable or non-transferable

Take the opportunity

Remembering that risks represent both opportunities and threats, the final option involves taking the available opportunity or opportunities

When taking an opportunity an organisation may still implement other types of controls (eg risk treatments and transfers) either to mitigate any associated threats or to increase the potential to exploit the opportunity

The option to 'take the opportunity' is present in activities such as corporate mergers, new product development and research and development

Such activities are risky and may have both positive and negative outcomes

Risk treatment techniques

PCDD Hazard Risk Typology

Used to help classify the range of controls that can be used to control health and safety or environmental hazards

Preventive

Preventive controls focus on addressing the cause of loss events and are a type of loss prevention tool

Preventive controls are designed to prevent things such as accidents, human error, misconduct or other sources of hazard or internal control failure

Controls include

Staff training

PPE

Asset maintenance

Shredding confidential documents

Security arrangements

Corrective

Corrective controls help to correct the adverse consequences of a hazard or similar loss event that has occurred

Corrective controls are therefore a type of loss reduction tool

Corrective controls include mechanisms to learn from loss events that have occurred such as post event investigations into what went wrong and why

Controls include

Fire extinguishers

Disciplinary procedures

Business continuity and recovery plans

Data recovery procedures

Occupational health arrangements

Directive

Directive controls are used to direct people and processes towards desirable outcomes

From a hazard perspective, this might include the design and implementation of health and safety policies and procedures

Might include all of an organisation's policies and procedures that are related to risk management, governance or compliance

Other directive controls might include codes of conduct, instructions from line managers, or the roles and responsibilities assigned to employees within their job description.

Directive controls address the cause of loss events and are a type of loss prevention tool

Detective

Detective controls help to indicate the onset of a hazard or a subsequent loss event such as a fire or pollution

Detective controls may be used to highlight deficiencies in preventive or directive controls that may influence their effectiveness

A detective control is a form of loss prevention tool where it helps to detect the causes of potential loss events, and a loss reduction tool where it helps to detect the occurrence of an actual loss event

By taking prompt action, an organisation may either help to correct the adverse effects of a loss event, or help to prevent future events by addressing weaknesses in preventive or directive controls

Controls include

Fire and burglar alarms

Internal audits and compliance reviews

Tests of business continuity and disaster recovery plans

Health and safety inspections

Inventory checks, to confirm that all equipment is in place and is in good condition

Bank reconciliations to detect loss events such as fraud

Formal controls

Have one or more of the following characteristics

Have a physical presence

Documented within a policy or procedure

They involve tangible sanctions

Formal controls provide a clear and tangible mechanism for risk control

Informal controls

Informal controls are social mechanisms of control

These controls are almost never documented and they do not have a physical presence

The sanctions for informal control violations are intangible, meaning that they are hard to define or quantify

Informal controls include the culture and risk culture of an organisation - they relate to the social norms, beliefs, values and perceptions that staff members and other stakeholders have concerning the control of risk

Tend to be human oriented and social in nature - they relate to how people communicate, exert power and influence over each other and work together

Sanctions tend to be intangible - individuals who do not comply with informal controls may find that their peers are unfriendly, non-communicative or unhelpful, rather than facing tangible sanctions such as disciplinary action, although repeat violations of informal controls may lead to formal sanctions

Informal controls are an important complement to formal controls. Informal controls help to ensure compliance and correct implementation of formal controls

In addition informal controls can act as a substitute for formal controls where there are weaknesses in the formal control environment such as where formal controls are absent or they are not working effectively

Common risk treatment controls

Each control below is classified as formal or informal, and by its PCDD type

Action plans (formal; directive)

Plans that are put in place to address identified weaknesses in the identification, assessment, monitoring or control of risk.

Audit and reviews (formal; detective)

Internal audits and reviews designed to assess the effectiveness of an organisation's internal controls and its exposure to compliance risk. Audits are detective because they find deficiencies in other controls, as listed under detective controls above

Communication (formal and informal; all PCDD types)

Mechanisms that help and encourage people to communicate with each other

These mechanisms may be formal (meetings and committees) or informal (a chat over lunch or coffee)

Communication helps people work together to identify and find ways to address the causes of loss events and their effects

Due diligence (formal; detective)

A comprehensive appraisal of a business or third party prior to signing a contract. This almost always includes an appraisal of financial performance and strength. It may also include reviewing business strategies and management capabilities

Tone and action from the top (informal; preventive and directive)

The words and expressions that are used by senior management and directors in relation to areas such as openness, honesty, integrity, tolerance, compliance and ethical conduct. The tone set and the actual behaviour displayed by senior management and directors can have a significant impact on employee attitudes and behaviours in these areas

Risk financing

Treat

Risk financing may be employed to protect an organisation's cash flows from the financial impacts of a loss event. An organisation can ensure that loss events do not affect its ability to meet its liabilities as they fall due by maintaining sufficient cash surpluses in the current year or capital on the balance sheet. Equally, cash funds can be used to replace lost assets quickly, minimising any business disruption effects.

Tolerate

An organisation may be able to tolerate loss events more easily where finance is available pre-loss or can be obtained post loss - to help restore lost assets

Where the decision is made to not replace assets, risk financing can be used to help clean up the loss - such as funding the costs of clearing a site where a fire has occurred

Transfer

Many forms of risk transfer involve a financial element. This is most obvious in the form of insurance

In the case of risk transfer via some other third party supplier or outsourced service provider, responsibility for financing risk events is transferred to this supplier/provider.

An organisation that has transferred risks to third parties/service providers, including insurers, may decide to put financing mechanisms in place to help mitigate the risks associated with the failure of, or disruptions to, the continuity of a supplier/provider or, in the case of an insurer, their refusal to pay a claim

Terminate

Even where a decision is made to terminate an activity that is considered to be high risk, risk financing may be needed.

There may be redundancy and asset disposal costs and it may be that the full extent of these costs is unknown at the time that the decision is taken to terminate

Retained risk financing

Retained risk financing involves retaining rather than transferring the financial effects of a loss event

Organisations that use retained risk financing make the decision to keep the financial impacts of one or more types of loss event within the legal and financial boundaries of the organisation

This means that these financial effects will affect one or more of the following

Organisational cash flows

Profit or surplus

The balance sheet, reducing assets or increasing liabilities

Retained risk financing is funded or unfunded. Funded means allocating a pot of funds before a loss has to be financed

Unfunded means not putting funding in place and relying on current cash flows or unallocated capital

Funded retained risk financing may be chosen because risk transfer (in the form of insurance or similar) is not needed, not available or too expensive.

Unfunded risk financing may occur because

The potential for a given loss event has not been identified (a failure in risk identification)

The full effects of a loss event are not understood (a failure in risk assessment)

There is a failure in risk transfer such as where an insurer disputes a claim or refuses to pay out in full

An organisation decides that the financial effects of a loss event are small enough to not require funding

Funded retained risk financing can be implemented before (pre-event) or after (post event) the occurrence of a loss event. Funding may be implemented post event, where a loss event has occurred but the full effects of the loss event are not yet known or have not been fully realised

Funded risk financing tools may be combined to form layers of finance for losses of varying sizes. Unfunded risk financing and risk transfer provide further layers of finance.

Insurance risk transfer

An organisation will normally use an insurance intermediary, known as an insurance broker, to help it to design an insurance programme, purchase insurance and process claims

Organisational insurance purchases are complicated and a broker can help the organisation to achieve the best possible combination of cover and premium cost

Large organisations may have an insurance professional to help support the purchase of insurance contracts and to process claims.

Alternatively, the risk function or company secretary or governance professional may be involved in purchasing insurance

It is rare for an organisation to purchase full indemnity insurance cover. To help reduce premium costs and to ensure that insurance is available, cover is limited to a maximum loss amount, known as the limit of indemnity or indemnity limit. Any loss above this limit is retained by the organisation

Cover is also usually subject to a deductible (or excess): the first part of each loss is retained by the organisation, in return for a premium discount. There will be a level beyond which increasing the deductible is not cost effective, because the extra retained losses outweigh the premium discount obtained
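As an added worked example (not part of the original notes), the following Python splits a single loss across the financing layers described above: the deductible (retained), the insured layer up to the indemnity limit (transferred), the excess above the limit (retained), and, within the retained amount, the part met by a pre-event funded reserve versus the part left unfunded. It then compares broker quotes at different deductible levels by expected annual cost (premium plus expected retained loss), which shows the point at which a larger deductible stops paying for itself. The programme structure (limit applied per loss, after the deductible), the quotes and the loss scenarios are all constructed assumptions for the illustration, not real policy terms.

```python
from dataclasses import dataclass

# Added illustration of layered risk financing. The programme structure and
# every figure below are assumptions for the example, not a real policy.
# Amounts are whole currency units.


@dataclass(frozen=True)
class FinancingProgramme:
    deductible: int       # first part of each loss retained by the organisation
    indemnity_limit: int  # most the insurer pays per loss, applied after the deductible (assumed)
    funded_reserve: int   # cash set aside pre-loss to meet retained amounts


def allocate_loss(loss: int, prog: FinancingProgramme) -> dict:
    """Split one loss across the financing layers.

    Retained = deductible + anything above the indemnity limit. The funded
    reserve absorbs retained amounts first; the remainder is unfunded and
    falls on current cash flow, profit or the balance sheet.
    """
    if loss < 0:
        raise ValueError("loss must be non-negative")
    retained_deductible = min(loss, prog.deductible)
    above_deductible = max(loss - prog.deductible, 0)
    insured = min(above_deductible, prog.indemnity_limit)
    retained_excess = above_deductible - insured
    retained_total = retained_deductible + retained_excess
    funded = min(retained_total, prog.funded_reserve)
    return {
        "retained_deductible": retained_deductible,
        "insured": insured,
        "retained_excess": retained_excess,
        "retained_total": retained_total,
        "funded": funded,
        "unfunded": retained_total - funded,
    }


def expected_annual_cost(prog: FinancingProgramme, premium: int, loss_scenarios) -> float:
    """Premium plus probability-weighted retained losses for one year.

    loss_scenarios is a list of (probability, loss) pairs whose probabilities sum to 1.
    """
    expected_retained = sum(
        p * allocate_loss(loss, prog)["retained_total"] for p, loss in loss_scenarios
    )
    return premium + expected_retained


def cheapest_option(quotes, loss_scenarios):
    """quotes: list of (programme, annual premium).

    Returns (programme, premium, expected annual cost) for the cheapest quote.
    """
    costs = [
        (prog, premium, expected_annual_cost(prog, premium, loss_scenarios))
        for prog, premium in quotes
    ]
    return min(costs, key=lambda c: c[2])


# Constructed broker quotes: the premium discount grows as the deductible rises.
QUOTES = [
    (FinancingProgramme(10_000, 5_000_000, 100_000), 60_000),
    (FinancingProgramme(50_000, 5_000_000, 100_000), 45_000),
    (FinancingProgramme(200_000, 5_000_000, 100_000), 38_000),
]

# Constructed one-year loss scenarios as (probability, loss); probabilities sum to 1.
LOSS_SCENARIOS = [
    (0.50, 0),
    (0.30, 30_000),
    (0.15, 150_000),
    (0.04, 1_000_000),
    (0.01, 8_000_000),  # exceeds the indemnity limit, so part is retained and unfunded
]

if __name__ == "__main__":
    for prog, premium in QUOTES:
        cost = expected_annual_cost(prog, premium, LOSS_SCENARIOS)
        print(f"deductible {prog.deductible:>9,}  premium {premium:>7,}  expected annual cost {cost:>10,.0f}")
    big = allocate_loss(8_000_000, QUOTES[0][0])
    print("8,000,000 loss under the first quote:", big)
    best = cheapest_option(QUOTES, LOSS_SCENARIOS)
    print(f"cheapest: deductible {best[0].deductible:,} at expected cost {best[2]:,.0f}")
```

With these constructed figures the 50,000 deductible is cheapest; moving to 200,000 saves 7,000 of premium but adds 21,000 of expected retained loss, which is the "limit" at which a larger deductible stops being cost effective. The 8,000,000 scenario also shows why the layers above the indemnity limit matter: 3,000,000 is retained, of which only the 100,000 reserve is funded.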

Controlling major loss events

Crisis management

Crisis management is the process by which an organisation deals with a disruptive and potentially unexpected event that threatens to harm the organisation, its stakeholders or the general public

The level of potential harm from a crisis is significant - examples of crisis events include major fires, chemical spills, death or injury of people, terrorist attacks, prolonged technology systems failures or data breaches

The process of crisis management is the same as for risk management. It involves the identification, assessment, monitoring and control of crisis risks

The tools used within the crisis management process are different, reflecting the fact that crisis events are rare and are more complex in terms of their causes and effects than most other loss events

To help identify and assess crisis events, an organisation can use information on crises that have been experienced by other organisations

The control of crisis events is built around the following areas, each of which represents a different stage in the development of a crisis

1. Signal detection: looking for early warning signs that a crisis could occur. This includes investigating near misses, internal audit findings and risk monitoring reports. It may also include looking at operational performance reports and external events in the wider world

2. Preparation and prevention: where steps are taken to prepare for the occurrence of potential crisis events (often identified via scenario analysis) and to prevent these events by looking to control their causes

3. Containment and damage control: where a loss event occurs that may evolve into a crisis, steps must be taken to limit the adverse effects of this event. This may include implementing business continuity plans, communicating with key staff and stakeholders, working with the emergency services, or implementing a public relations plan to deal with any media interest

4. Business recovery: it can take a long time to recover from a crisis but this duration can be reduced with effective recovery arrangements. These arrangements include quickly replacing lost assets and ensuring that funds are available to support the recovery

5. Learning from the crisis: assuming that an organisation recovers from a crisis, it is imperative that lessons are learned from the experience to help prevent or reduce the effects of future crises. This might include implementing a post-event review of how the crisis was managed or finding ways to improve the effectiveness of pre-crisis controls

Business continuity planning

Business continuity planning helps with containment and damage control and supports business recovery

Business continuity plans may be produced for a whole organisation but it is more common to develop plans for specific functions, systems or premises

A business continuity plan outlines the actions that should be taken to minimise business disruption and to help recover from a major loss event as quickly as possible

The plan will show the order in which systems need to be recovered and how quickly each must be recovered

Business continuity plans should explain the roles and responsibilities that people have to support recovery efforts and reporting lines

Business continuity plans should be tested, usually annually. Testing may be desk based (a review of the documentation to ensure it is up to date) or a live test may be performed

Controlling third party risks

Where service contracts are entered into, there will be third party risk. The key risks are

Failure of the service provider to provide an acceptable quality of service

Disruptions to the continuity of service

Failure of the service provider (such as bankruptcy) meaning that the service can no longer be provided

Tools

Contract management: legal review of contracts prior to signing. Ongoing legal review of contracts to ensure that they are up to date and reflect the latest legal advice

Dual supply arrangements: Contracting with two or more suppliers ensures that there is continuity of supply in the event of supply disruption or failure

Due diligence: a comprehensive appraisal of a business or third party prior to signing a contract. This almost always includes an appraisal of financial performance and strength. It may also include reviewing business strategies and management capabilities

Escrow agreement: an arrangement by which a service provider deposits an asset (for example, the source code of a critical application) with an independent third party, who in turn delivers the asset to the service receiver if specific contractual provisions are not met, such as the provider ceasing to trade

Relationship management: Regular meetings between the organisation and its service providers. These meetings help to build a positive working relationship and avoid contractual disputes

Service level agreements: a documented commitment that exists between a service provider and a client. Particular aspects of the service (such as quality, availability and responsibilities) are agreed between the service provider and the service user. Where service levels are not maintained, the service provider may be liable to provide a full or partial refund if the situation is not corrected promptly.