Every business should have a plan in place to mitigate the impact a potential incident could have on the company.

At the recent NRCA Legal Resource Center, NRCA Vice President Tom Shanahan presented a session on Enterprise Risk Management (ERM). He said that for a long time risk management was focused internally at things like safety, employee theft and financial controls; however, more recently, it has expanded to include external risks such as reputation, financial decisions, union relations, etc., hence the addition of “enterprise.”

So, what are the risks in your roofing business and how are you managing them? Dr. E.J. Leverett of the University of Georgia defines risk management as “pre-loss planning for post-loss delivery.” It is seeking to plan in advance for losses in order to protect the assets and financial viability of the company, while minimizing the cost of the risk, should it occur. The words sound a little intimidating and like something that might only apply to a large corporation. In fact, Shanahan said that the concept of ERM gained notoriety with the Enron fall.

Remember that debacle? Enron was a Houston-based energy company that collapsed following a massive accounting fraud scheme. Company executives were pocketing millions of dollars from complex off-the-books partnerships while reporting inflated profits to shareholders. Lower-level employees were encouraged to continue to invest in company stock for their retirement right up until the collapse. The company filed for bankruptcy in 2001. Shanahan argued that IF Enron had a dynamic risk management plan in place, its reputation and company might have been saved. Instead not only did the company fail, all of its stockholders paid the price.

However, over and over again small business owners, such as typical roofing contractors, face the potential for different, but equally as devastating consequences from a poorly handled risk incident. ERM is a strategic process where you develop a risk profile for your business to understand where the risks are, how much the company is exposed to them and the use of your vision and mission to determine what risks you will take and which ones you won’t.

There are five steps to the process:

Step 1 – Risk Identification
This is the most important part of the process where you examine the types of risk you might be subject to. Consider these four loss types: direct losses, indirect losses, liability losses, and injury to personnel.

Step 2 – Risk Analysis
This is the step where you estimate the impact of a loss potential. Review the impact on profitability, safety. Direct costs are relatively predictable, but indirect or consequential losses are tough to predict and quantify. It’s important to talk to your insurance brokers to help you rate the likelihood of a loss.

Using a Risk Matrix will help you categorize the different types of risk:

Step 3 – Design the Risk Management Strategy
This is a two-part step. The first part is to conduct trainings or audits to try to control the risk and also determine what risks you want to avoid, for instance, deciding not to do torch installations due to the risk.

The second part is to finance and/or transfer the risk. What are your insurance deductibles? Are you part of a captive? Can you transfer risk through insurance policies, hold harmless agreements or indemnification?

Step 4 – Implementation
Implementation is both company- and task-specific. Identify someone to own the risk and execute the plan of attack against the risk. A team might be established to help with the activities. A monitor or overseer should be appointed to keep tabs on the progress and help with decision making.

Step 5 – Follow up
Once the plan has been implemented the monitor or overseer needs to be responsible for assessing whether the process is complete, if it needs more attention or if new sources of risk have been created.

The process sounds like it could be a lot of work, but Tom was joined in his presentation by contractors who participated in the program and shared how it helped them. You can read Monica Cameron’s story on implementing ERM.