Monday, March 15, 2010

Managing Risk Through Acceptance and Assignment

Last week, we looked at risk mitigation. If you do something to reduce your vulnerability to a threat, or the impact of that threat, the risk goes down. Your personal firewall, your anti-virus system, the lock on your front door, and the umbrella you carry when it looks cloudy out are all examples of risk mitigation. It’s a very popular way to manage risk, and literal billions of dollars of the economy are people the world over mitigating trillions of dollars of risk. Mitigation very nearly always costs money, and frequently it’s the most cost effective way to manage one’s risk, but there are others. Today we’ll take a short look at two of them: Acceptance and Assignment.

Risk Acceptance is simply saying, “I can live with that.” It’s a perfectly valid choice to make, as long as you actually can live with it. One of the most common errors in business and in life is telling yourself “I can live with that” when you really mean “I don’t think this’ll actually happen to me.” If you think you can accept a hundred dollar loss, have three hundred in the bank.That’s not risk management; it’s ignoring one’s own risk assessment. It’s not even gambling: gamblers know the odds. It’s such a common pitfall that my sister was able to write her PhD thesis on how that error that gets lots of people into worlds of trouble. My advice is that if you think you can accept one hundred dollar loss per year, have three hundred dollars in the bank that you weren’t doing anything else with.

Risk Assignment reduces the impact of a threat by getting someone else to be impacted by it. When you buy insurance, the theory is that in exchange for a monthly payment the insurance company agrees to have certain of your risks assigned to them. If you buy auto insurance and get into a car accident, and they pay for the damages. If you were drunk when you got into the accident, they don’t pay because driving drunk is more risk than they agreed to accept. Unsurprisingly, risk assignment poses its own risks, as amply illustrated throughout the current national health care debate we’re having in the U.S.
Insurance isn’t the only form of risk assignment. In contract law there’s indemnification, where you agree to “hold someone harmless” – a fancy way of saying you’ll pay for any damages that arise. Of course, indemnification has its limits: You can’t do someone’s jail term for them. In business there’s also the principle of “externalization.” You may have heard the term “externality.” An externality is a cost that someone else has to pay. For example, credit card companies assign the risk that someone will use a stolen credit card fraudulently to buy merchandise by requiring merchants to agree to suffer the loss rather than the credit card company or the cardholder.

Are you using all these approaches to manage your risk today, whether you think about it or not? I bet so. How else do you manage your risks? Do you think you’ve got the right balance between the three approaches? What risks have you decided to accept? I’d love to hear about it.