Organizational Risk Management and the Procurement Department
By Ken Rado and Bob Schneider
Procurement departments have had significant success in taking over purchasing for a wide range of functions. Could procurement bring value to risk management? Traditionally residing within finance departments, risk management is being considered as one function of the enterprise that might be absorbed into the procurement department — an area gaining greater prominence throughout the business world, including insurance companies.
Procurement departments offer the advantage of economies of scale to organizations that purchase large quantities of goods and services. They also develop a unified organizational approach to purchasing methods. All that has an appeal in terms of using organizational resources with greater efficiency.
The interest in additional functionality for the procurement department has been consistent and may be a testament that the trend may add value to the organizations employing it. However, as with any trend in organizational management, a significant factor in determining success is if the function is being applied in a manner that creates the most benefit.
Generally, the goods and services that most readily lend themselves to the efficiencies gained through procurement’s economies and uniform procedures are those viewed as commodities or near commodities. Certainly, few would argue with the value of purchasing copier paper or number 2 pencils through the economic scale that procurement provides.
Risk management is a widespread organizational function, deeply involved in the acquisition, utilization, and development of goods and services. The risk management department purchases a significant amount of risk transfer, risk mitigation, and other risk-related services on which the organization closely relies to support its various missions.
However, the efficacy of superimposing the practices of the procurement department onto the risk management function may largely center on the degree to which the purchases and services developed by risk managers are readily commoditized or, more important, if they should be commoditized.
To appreciate the nature of purchases and the decisions about purchasing from third parties that the typical risk management department makes, one must survey the functions and services that the department provides the organization. Risk management is frequently tasked with offering a high level of risk consultancy throughout the enterprise and beyond. These include customers, vendors, leasing companies, and other business partners ranging from banks to landlords. Additionally, risk management supports a wide range of organizational functions, including legal, accounting, human resources, supply chain, and logistics.
Effective risk management includes vital functions throughout the internal enterprise as well as a variety of external parties. Internal risk management consultancy involves advocacy, coordination, and leadership in claims and risk mitigation. How much of the consultancy function is outsourced and how much is handled by in-house staff varies from company to company. But deciding who performs what part of the risk management function must be specifically tailored to the culture and practical business requirements of the organization.
The challenge of achieving a value-added role for the procurement department within the risk management function lies in three areas:
The low-cost provider may not be the most efficient partner for the organization in terms of the total cost of risk to the organization. If the myriad roles delivered by an effective risk management department are properly considered (total cost of risk), overreliance on driving down cost may be dangerously misleading. That is where the procurement department’s strength in purchasing other goods and services may not translate well into risk management.
Too often, when the drivers of the total cost of organizational risk are not well understood, the true value of effective risk management is also not well understood. The use of premiums and other fees as a reliable measure of risk management costs may lead to erroneous conclusions about employing the techniques that work so well in the procurement of other goods or services where cost is the easily understood metric.
What is not measured is not managed. When an organization measures cost of risk — and the implied effectiveness of its risk management function simply as the cost resulting from the purchase of goods and services — it consequently begins to view those goods and services essentially as commodities. It is then potentially making a serious mistake.
Evaluating the effectiveness of the many enterprisewide touch points, services, and opportunities that risk management can bring to an organization — and thereby the true cost of mitigating organizational risk — requires a more sophisticated approach. Determining the cost of risk management demands the best data, metrics, benchmarking, predictive analytics, catastrophe assessment, claims mitigation, and management — as well as the efficient application of a variety of risk engineering and allied disciplines.
Once a risk measurement regimen is established, two significant benefits will accrue: uncertainty within the organization will be reduced by a meaningful degree and appreciation of risk management’s approach to improving the organization’s decision-making abilities will begin to emerge.
What procurement departments do best generally differs from the level of competence that contemporary risk management departments possess. Improving the effectiveness of risk management will increasingly demand both reliable analytic capabilities and effective risk partners who can tailor sophisticated risk services to fit specific client needs. Improving the management of risk demands skill sets that the commoditizing of risk-related goods and services and procurement departments cannot fully address.
The benefits of effective procurement strategies in various enterprise functions notwithstanding, risk management is ultimately best served by an independent department fully immersed in enterprise risk management techniques.
Kenneth R. Rado is director of risk management and planning at ISO. Robert J. Schneider is managing principal of the ISO risk management practice. Rado and Schneider manage ISO’s risk management development, solutions, and services group, which delivers leading-edge risk solutions, including analytics and data modeling, claims management, loss control, supply chain and business continuity, and property risk services, to a wide array of clients in numerous industries.