The traditional approach to risk engineering needs to be reviewed, says Zurich risk engineer


Established and common concepts need to be challenged from time to time to see whether there is room for improvement. This also applies to the traditional approach to risk engineering requirements, which needs to be reviewed to ensure recommendations made to improve risks continue to add value, says Doede de Waij, risk engineer at Zurich Benelux.

Traditionally, risk engineers conduct site visits to assess a company’s risk profile. Based on meetings with management and their own observations, the risk engineers issue recommendations to improve the company’s risk profile. However, De Waij questions whether this approach needs to be extended to add value in terms of helping the insured achieve its company objectives and reduce loss ratios for both the insured and the insurance carriers.

Over the last ten years, the combined loss ratio of the global insurance companies was around 94%. Within property losses, the business interruption share has increased from 15% to about 40% over the past decade. Furthermore, over 80% of around 2,000 losses within Zurich’s loss database are related to human behaviour. These are typically human errors such as not following procedures, improper use of equipment, insufficient or postponed maintenance, miscommunication, and so on.

“Humans are fallible and errors are to be expected, even in the best organisations. This means that despite all physical and organisational prevention in place the influence of human behaviour continues to play an important role in the root cause of an incident. However, incidents do not only occur because of human failure but also because of failing processes and systems,” De Waij says.

“Within risk engineering, we look at whether physical prevention and procedures are in place, but the question of how these procedures are carried out in practice and how they are embedded in the organisation is rarely asked. We need to put much more focus on ‘evidence-based auditing’. In other words, in what way can management show and prove that the procedures in place are practiced in real life?”

A key element of this approach is to get a better feel for the company's culture, its process landscape and, more specifically, the level of employee engagement. How and in what way are employees engaged, stimulated, coached, trained and held responsible when it comes to operational risk management?

De Waij recommends asking the following questions:

  • Do we see evidence of how shared company values related to managing risks are carried within the organisation?
  • Is the risk appetite defined?
  • Is there an allocated CAPEX (capital expenditure) budget to manage risks?
  • Does senior management take part in risk assessment workshops, site surveys and self-assessments?

How and in what way is risk and the risk function embedded within the organisational structure?

  • How is the risk responsibility and accountability assigned within the organisation?
  • Is there room for personal judgement in risk taking?
  • Are people part of the decision-making process?
  • Is there an open-door culture (no glass ceilings, no fear to report near-miss incidents, sharing risk management concerns, whistle-blowing, etc.)?
  • Do we allow room for personal judgement in risk taking?
  • Is it allowed to express opinions freely based on personal interaction (constructive, respectful and aimed at mutual goals)?

How and in what way is learning from mistakes stimulated?

  • Are near-misses evaluated and are lessons learned implemented to avoid similar incidents?
  • Are risk events within the branch monitored and evaluated, and are lessons learned implemented within the organisation itself?
  • Is there a risk management dashboard?

How and in what way are risks communicated with the organisation?

  • How is risk communicated within the company (risk communication plan)?
  • Is everyone aware of the risk management strategy and objectives?
  • How are the different perspectives managed to avoid miscommunication or friction?
  • Is risk an agenda topic at routine project and other team meetings?
  • Are there meetings to explore emerging risks and changes in risk profile?