12 Common Mistakes Risk Managers Make

Not all risk managers succeed at their jobs of identifying and addressing organizational risks. The external environment is a minefield of risks waiting to ensnare the vigilant and unwary alike. Departments get downsized; risk managers must do more with less. In addition, most risk managers occupy staff positions, making them vulnerable to changes in the prevailing corporate winds and whimsy. Top executives and even middle management may wonder just what a risk manager does all day. And when belts are being tightened, the risk management role appears to be one that could easily be consolidated with the functions of the CFO, vice president of Finance, Controller, or Assistant Treasurer.

This means that today’s risk managers must be quick, adept, and efficient. Management isn’t as forgiving as in years past. Mistakes by an errant risk manager can spell the end of the department. This article examines common mistakes made by risk managers and ways to avoid them.

Insufficient Attention to Loss Control

Many managers bemoan high insurance costs (particularly workers compensation). However, skimping on safety and loss control can result in higher-not lower-insurance costs. Investments in work hardening programs, ergonomic studies of job duties, safety rewards, and modified duty job programs can pay off in the long run. It’s the risk manager’s role to get the CEO to support safety in a visible way. After all, anyone can buy insurance. Safety and loss control, however, keep the costs down. And without safety and loss control, it can be argued that a risk manager is just a high-priced insurance buyer who can easily be replaced.

Often, a firm’s loss control program does not receive the attention it needs and deserves. Perhaps one reason is that it is not as glamorous as some of the other realms of risk management. With its emphasis on sprinkler heads, lifting belts, and materials, loss control may suffer from the perception that it is very pedestrian and mundane, like the boiler room in the bowels of a luxury cruise liner. Somehow the allure of risk financing techniques-cash flow management, retention levels, captives-seem ever so much more highbrow, analytical, and akin to what business schools teach.

In addition, many risk managers come from either the brokerage or finance side of the insurance business, not from safety or engineering. This may explain the preoccupation with risk financing, giving safety and loss control shorter shrift. The latter is somehow not quite as glamorous as flying to the Cayman Islands to explore that rent-a-captive! Could it be that loss control is just, well, not as sexy as the risk financing side of risk management? Maybe, but many organizations would be better off with the mundane and boring in lieu of the excitement of accidents, crises, and fire drills.

Examine your daily agenda and activity calendar. Does it reflect a clear commitment to loss control? Many folks talk the talk when it comes to loss control, but only their daily calendars and to-do lists show whether they walk the walk. In fact, it could be argued that the more risk managers invest in loss control, the less time and money they will need to devote to risk financing. The best way to manage risk is to prevent a loss so that risk-financing issues become moot! Risk managers should spend at least half their time on loss control and safety. It is truly a sound investment of time and resources.

Letting Inertia Drive Servicing Choices

Using the same service provider because it takes too much time or involves too much hassle to change vendors is another common mistake risk managers make. There may be many reasons for staying with the same provider: he or she is a personal friend or relative of a key person in the organization, there may be considerable panache associated with using a particular vendor, or simply historical inertia. In corporate risk management, tradition can substitute for thought. This can create situations where the same broker, actuary, insurer, and third-party administrator are used year after year, their performance notwithstanding. Complacent vendors may feel they have an institutional right to your account.

This is not to say that risk managers should continuously shop around their business or service needs. It does, however, imply that risk managers should periodically “stir the pot” regarding outside vendors, evaluating each on the criteria of (1) results, (2) service, and (3) cost.

Step back and objectively look at the service providers used. Ask, “Is my organization deriving full value from the gamut of service providers we use?” The answer may be, “Yes.” You may feel like you are receiving adequate or even superior service from your broker, safety engineer, actuary, or risk management consultant. But without staging ritualistic beauty contests, without testing the market periodically, how do you really know? Newer, more innovative service providers may be able to do the job better and cheaper.

Risk managers should be discriminating shoppers for risk-related services. This involves periodically reevaluating all relationships-even those that are long-term-and appraise each vendor in the cold light of day. This is not to suggest that risk managers pursue only short-term relationships with outside service providers. However, keep in mind that as a risk manager and company employee, you undergo an annual performance review. Why should outside vendors be any different, especially when their fees often dwarf a risk manager’s annual salary, bonus, and benefits combined? The question virtually answers itself.

Risk Management "Blind Spots"

Failing to recognize loss exposures is a third frequently made mistake. One way this can occur is by exclusively following “canned” exposure survey programs as the sole means of risk identification. The problem with prefabricated checklists is that they are not that helpful on an ongoing basis. As a result, there is a danger that loss exposures which develop with operational or organizational changes, new medical or scientific discoveries, legislative changes, new product or service introductions, mergers, acquisitions, and similar events will be overlooked until the next time the survey is updated. This often creates recognition “lag time” that delays proper evaluation and control.

Also, off-the-shelf risk identification products are not customized to the needs of your organization, which can lead to overlooked exposures. These tools represent a starting point-not a terminus-for any hazard identification process. Risk managers must develop their own methods for continuously monitoring changes in the organization and its environment to quickly identify new exposures or increases in the levels of existing exposures.

Inadequate Preparation for Consequential Losses

This mistake is related to the one above and involves the failure to consider and plan for the possible “ripple” effects of the loss events. This includes items such as hidden labor costs, loss of brand equity or reputation, market share loss, contingent business interruption, effects of laws and ordinances, and financial loss incurred from the death, disability, or departure of key employees.

Not all post-loss consequences are immediately apparent. For example, the cost of a claim-even one covered by insurance-can be extraordinary. Aside from retained claim costs via deductibles or self-insured retentions, there is the cost of management time that could otherwise go toward making products or delivering services. The hidden costs of a claim also involve the time wasted by management in communicating with legal counsel, collecting documents, answering interrogatories, preparing for and giving depositions, dealing with the insurer, preparing for and attending trial, etc.

If you calculate the value of management time per hour and multiply it by the number of hours a company may spend defending (or pursuing) a lawsuit, you might find that these costs exceed the amount at issue. This calculation places the wisdom of settling or perpetuating litigation in a different light. Such hidden costs-in management productivity and fruitless downtime-are uninsurable, but risk managers must assess and track them nonetheless. Failure to do so may spell short-term success in litigation, but long-run failure in business.

Avoiding Instead of Managing Risk

Since risk managers are paid and judged on their ability to identify risks, becoming a professional worrywart is an occupational hazard. The risk manager’s job involves looking at the darker side, to ask, “What if the following occurs…?” This practice causes many to view risk managers as negativists, as naysayers who always emphasize the downside of any proposed course of action. To an extent, this comes with the territory. However, risk managers must guard against the Chicken Little syndrome. If every new idea is greeted by the risk manager’s cry of “The sky is falling!” his or her credibility quickly erodes.

It is very easy for risk managers to become occupationally tunnel-visioned. However, the job is to manage risk, not to avoid it unnecessarily. Every business action involves risk. Even standing still and clinging to the status quo entails risk. Risk is inherent in business as in life. The risk manager can always find a risk-related reason to avoid undertaking some proposed organizational action, whether it is a possible merger or acquisition, introduction of a new product line, or revision of an employee handbook. The risk manager should identify the risks of any proposed course of action and-this is critical-develop an action plan to reduce or finance the chance of loss.

For example, when Eli Lilly, the pharmaceutical giant, began having lawsuits involving Prozac: many patients also sued the doctors who prescribed the medication. To prove, that it stood behind its product and behind its physicians, Lilly took the unprecedented step of offering to defend any doctor named in a lawsuit as a result of prescribing Prozac. Although few physicians actually took the manufacturers up on the offer, the goodwill engendered by this gesture paid dividends by physicians who saw that the company stood behind the product. In this case, the bigger business picture-retaining market share and customer/physician goodwill-overrode the risk and liability concerns.

A narrow risk management perspective would have argued against this course of action. Why embrace defense of the doctors and expand the company’s liability? But avoiding the risk is not managing the risk, and the ongoing popularity of Prozac reiterates the soundness of this risk management decision.

Failure to Communicate Effectively with Upper Management

Inability to be on the same wavelength as upper management is a career-killer and a common mistake for risk managers. Risk managers are seldom fired or “outsourced” because they are not up to speed on the latest commercial general liability (CGL) form or the most state-of-the-art policy wording. More commonly, risk management career longevity is abbreviated by communication-not competence-problems.

According to Jim Gunther of the Harvard Aimes Group, what gets most risk managers in trouble is their unwillingness to learn to speak the language of their boss and the language of the greater enterprise. Further, many risk managers insist on speaking “insurance-ese,” posturing behind the jargon of their craft. CFOs don’t compliment risk managers on their elegantly crafted manuscript policy, but rest assured, they will condemn the risk manager who is unable to explain basic concepts to front-line and middle managers (and, for that matter, top management) in language they can understand. Many risk managers might derive more benefit from Toastmasters or a Dale Carnegie course than a CPCU designation. This is not to suggest that technical competency isn’t important; just don’t expect a lot of recognition for these accomplishments.

Effective risk managers skillfully communicate their risk management goals, challenges, and accomplishments. The following are just a few examples:

Formal presentations to the board of directors
Fluency in written reports and in business correspondence
Deft use of the telephone and of voice mail, on both the giving and receiving side of messages
Proper observation of “netiquette” in communicating via E-mail
Questioning “facts,” particularly when presented by someone who has not questioned the source and asked for simple backup or reviewed the source for accuracy
Informal 5-minute hallway chats with the boss on a tough insurance renewal
Requesting and responding to an action plan or proposal from an outside service vendor
Don’t forget the personal touch; it is vital and should not be overlooked. Effective risk managers leave their workstations and offices to go eyeball-to-eyeball with folks outside their department and their organization. Becoming too insular is a career danger.
Having the technical excellence of a risk management Einstein will do little good without the ability to listen, empathize, and communicate effectively in a wide range of forums, contexts, and media. Note that listening is first on the list. As one pundit observed, “God gave us one mouth and two ears, and we should use them in just that proportion.” The moral of this lesson is to listen and hone your communication skills along with your technical risk management expertise!

Failure to Develop Computer Skills

Since risk management speaks the language of finance, a key financial tool is the computer and all of the nifty functions software can perform. Risk managers who resist learning and adding computer skills are not only Luddites, they flirt with becoming Neanderthals. One might as well travel to the annual RIMS Conference by horseback.

Increasingly, the risk manager’s function requires fluency in computer systems, particularly spreadsheet applications such as Lotus or Excel. It also helps if the risk manager has a working familiarity with databases, networks, and cruising the Internet and World Wide Web. Using computers should be second nature and hold no fear for current risk managers.

This does not mean that risk managers need programmer-level skills or be able to dissect and reassemble a computer’s internal circuitry. However, today’s risk manager should know the difference between Apple and IBM-compatibles, DOS versus Windows, and realize a Pentium is not a Satanic symbol. In his book, Empires of the Mind (William Morrow & Company, 1995), author Denis Waitley says that in the 1990s, “You are either on-line or you are in a bread line.” While that may be overblown, the core idea has merit. Risk managers who are “too busy” for computer training had better consider another line of work.

Inadequate People Skills

Risk managers cannot do their jobs alone. The Lone Ranger style of management is out; teams and consensus building are in. Risk management-like other forms of management-involves achieving results through the efforts of others. It is essential that risk managers harmonize with other departments, especially Finance, Safety, Legal, and Marketing, to execute their safety and loss control plans. Risk management is not a one-person show. This places a premium on people skills.

Look at the annual “Risk Manager of the Year” Award given by Business Insurance. The issue profiling the winners typically has at least one article and photo of the entire risk management staff, large or small. The message here is that while only one person’s face is on the cover, winning the recognition as “Risk Manager of the Year” requires an effective team effort. Players win MVP awards. Teams win Super Bowls.

Successful risk managers continually build “good karma” with other people and departments. This implies generating a steady stream of non-self-promotional communication to others about the activities, initiatives, and challenges of risk management. This has many implications for how risk managers conduct themselves on a daily basis. The following are some interaction suggestions.

Include other people and departments in risk management discussions which involve their functional areas.
Ask yourself how you can assist other people and departments within the organization.
Lunch with folks from other departments and solicit their input and opinions.
Build bridges with other departments.
Develop empathy.
In general, be a team player.
In most organizations, risk management is a staff, not a line, function. The risk manager does not make the goods or services on which the organization depends for profit and existence. It is the risk manager’s job to serve those who make the products and services. When the risk manager becomes more of a hindrance than a help toward the corporate mission, the pink slip may be forthcoming. No risk manager is an island. The most technically brilliant risk manager with six specialty designations after his or her name will be an abject failure unless he or she can relate to other people as people.

Superman/Woman Syndrome

This common risk management mistake involves trying to do it all yourself. Effective risk managers must learn to delegate, a tall order admittedly at a time when downsizing is rampant. A risk management career is more like a 26.2 mile marathon than a 1 00-yard sprint. Even the most talented and hardworking risk manager will burn out if he or she tries to do it all himself or herself.

To avoid risk management burnout, risk managers must:

Learn to delegate
Achieve a sense of balance and perspective
Possess a realistic view of their talents and limitations
Periodically “sharpen the saw” by getting away from the job and engaging in activities that provide a sense of self-renewal
As Clint Eastwood’s movie character Inspector “Dirty Harry” Callahan said, “A man has to know his limitations.” This holds true for risk managers. Don’t try to do it all yourself, and no matter how much you enjoy the job, get completely away from it for 2 weeks a year. You will return with a completely new perspective.

Failure To Document

One precept of medical malpractice risk management is to document everything; as the saying goes, “if it was not charted, it did not happen.” This axiom applies to non-medical settings as well. Risk managers need to remember that failure to document may get them into a bind from which they cannot recover. American coins may say, “In God we trust,” but for all other settings, get it in writing! This can include situations involving a side-deal or understanding with an insurer regarding claims-handling prerogatives, an understanding with the broker regarding annual compensation, and proof in an E&O dispute that a particular coverage or endorsement was requested.

It is always better to have this documentation and not need it than to need it and not have it. Insurance is no longer done on a handshake. When a loss strikes, the broker or underwriter may be long gone, transferred to some faraway branch office or with another company altogether. If you have any side-deals or understandings with your broker or underwriter regarding coverage, get them in writing! Better still, explore having them incorporated as manuscript endorsements to the insurance policy or at least incorporated by reference.

A related mistake is not documenting management’s approval of self-insurance or large retentions. Management loves to hear about the premium savings that higher retentions will capture, but corporate memories are notoriously short. If a big loss occurs, collective amnesia may arise. Indeed, top management may be shocked to find out how much loss the organization has retained, and demand to know what idiot arranged the scheme. Thus, at the risk of appearing to indulge in a C.Y.A. maneuver, document. Risk managers occasionally need such maneuvers. As one sage said, “Even the paranoid have enemies.”

Discarding old insurance policies in the belief that they will never be needed again is another common documentation-related mistake. Companies should keep their insurance policies forever (especially liability policies), and the risk manager should keep track of them. This is true for companies acquired by your firm as well.

Lack of Creativity

Highly effective risk managers must “think outside the box” occasionally. This means considering noninsurance, nontraditional options for treating risk exposures. Today’s risk manager must reach into every corner of the organization, seeking ways to improve safety, efficiency, and profitability. Risk managers work with legal, human resources, contracts, facilities, customer service, safety, security, workers compensation, accounting, finance, information systems, and senior management. The job is limited only by the risk manager’s appetite.

Creative solutions can be found by venturing into disciplines that pundits traditionally consider far afield from the risk manager’s conventional venue. This terra incognita includes human resources, safety, legal issues, and employee benefits. Looking outside the traditional boundaries of a corporate insurance buyer was the transitional wave of risk management during the 1980s. In the 1990s, however, the risk manager must think like a corporate officer, with or without that official designation. Creativity is key. Two examples follow of risk managers who dared to think outside the box.

Nancy Chambers is the risk and insurance manager at the University of Guelph in Ontario, Canada. For a campus open house, the student Outdoor Club wanted to rappel down a building. After hearing that it was too dangerous and could not be done, students showed up with ropes and pulleys to prove how it could be done safely. University engineers inspected the building, the participants’ equipment, and their qualifications. The result is that every year there has been a rappelling demonstration at the open house. Creativity has its limits, though. Other student-proposed events that were considered and rejected include fire walking and riding large ice-blocks down grassy hills!

Patrick Walker, risk manager of WatkinsJohnson Company of Palo Alto, California, once baby-sat a stack of files on a pending real estate deal for his company’s CFO while the latter was vacationing. His orders were clear: if a call came in, he should feel free to buy time and defer the topic for later action. Walker peeked at the top file, phoned the agent and attorney for a status update, and energized them to get moving. To his pleasant surprise, he got a call 2 days later with word of a potential buyer. Creativity is one quality that can quickly set risk managers apart and perhaps recession-proof their careers.

Inadequate Commitment to Continuous Learning

Highly effective risk managers regularly invest time to learn more about insurance, risk management techniques, and the operation of their organizations. This might involve formal education, such as for the CPCU and ARM designations, seminars on actuarial methods, or courses in teambuilding or some other specific management skill. This also means reading all you can about your industry, whether construction, health care, or retailing. It even means picking the brains of folks who know more about your specialty than you.

Risk managers err by thinking that they are too busy to pursue continuing professional education. Life is a classroom. Effective risk managers are always learning, continually supplementing their intellectual storehouse of knowledge, skills, and ideas. Continuing education is the risk manager’s own personal research and development program. Like any business, it takes ongoing R&D to avoid failure. Risk managers must find concrete ways to apply the knowledge they glean from these continuing education efforts.

Yesterday’s skill levels do not guarantee tomorrow’s success for risk managers. In fact, today’s skills do not guarantee tomorrow’s success. The learning process for risk managers never ends. Highly effective risk managers are like sharks: if they do not keep moving, they will-at least professionally-stagnate and die. Effective risk managers keep studying and finding ways to apply what they learn. For today’s state-of-the-art risk manager, class is always in session.


The 12 common mistakes discussed above are admittedly incomplete and subjective. To avoid most of these mistakes, risk managers must ask themselves each day, “What am I doing right now to add value to this organization/department/project or work team?” The list of career-killing minefields is daunting; Figure 1 provides a list of other common risk manager mistakes. Today’s risk manager has a tough job indeed!

As the philosopher George Santayana said, “Those who ignore the past are condemned to repeat it.” Examine risk manager mistakes, not out of voyeurism, morbid curiosity, or smug satisfaction over “the other guys” who blunder. Learn from these mistakes, if only to avoid them. The challenges of risk management have never been greater. Fortunately, though, never have the rewards been as promising.

Figure 1

More Risk Manager Mistakes: An Informal Poll

A recent informal poll on an Internet risk management discussion forum produced the following additional nominations for common risk management mistakes.

Not understanding the worst-case scenario of loss-sensitive rating plans or deductible plans or failing to communicate it to top management
Not fully understanding the difference between deposit and earned premiums or failing to determine how final premiums will be determined
Not understanding the entire insurance policy, particularly the application of the exclusions
Trusting blindly a broker’s understanding or representation as to what is and is not covered
Thinking that a broker will reverse an insurer’s coverage denial of a gray area loss
Failing to purchase adequate insurance limits
Not meeting face-to-face and in person periodically with primary and lead underwriters
Being afraid to use a consultant to validate your program
Taking credit for premium reductions in soft markets
Routinely shopping insurance programs every year or 2
Becoming a specialist rather than part of the management team
Believing you are indispensable
Spending too much time on professional organizations (e.g., RIMS, CPCU Society) at the expense of your job
Not realizing that insureds do have loss reporting duties under a self-insured retention

This piece was authored by:

Quinley Risk Associates

Mr. Quinley is Principal of his own consulting practice in Chesterfield. Virginia. Broadly experienced, he has written over 250 published articles and five books on claims and risk management, including Litigation Management, published by IRMI. He teaches classes in commercial risk management and insurance for The CPCU Society. Mr. Quinley received his B.A. degree from Wake Forest University and his master’s degree from the College of William and Mary.

We graciously acknowledge the cooperation of, the author, Mr. Quinley and Jack Gibson of International Risk Management Institute, Inc., the publisher. Permission has been granted by the copyright owner to Harvard Aimes Group to post this article. No further permission to post or re-transmit this item is given or implied by Harvard Aimes Group as such permission can only be given (in writing) by the Copyright holder.

THE RISK REPORT Copyright ~ 1996 by International Risk Management Institute, Inc. 12222 Merit Drive. Ste. 1660, Dallas. TX 75251-2217 214-960-7693. Jack P. Gibson, editor, Bonnie Rogers. assistant editor. ISSN 0197-7539. All quoted or reproduced only with permission in writing from the publisher. New subscription cost: $159/yr. Renewal: $149/yr. ALL RIGHTS RESERVED

An Invitation to Keep in Touch!

Harvard Aimes Group

6 Holcomb Street
West Haven, CT 06516

TEL: (203) 933-1976
 [email protected]

©1999, 2020 Harvard Aimes Group, All Rights Reserved