On this page
- How does this link to the Victorian Government Risk Management Framework (VGRMF)?
- Assessing the financial consequences
- How does this help with your decision?
- What are your boundaries?
- What’s already covered by VMIA?
- What’s our responsible body’s appetite for risk?
- What is our organisation’s risk tolerance?
- What are the costs and benefits?
- How does this help with your decision?
- Decide on the optimal balance of risk retention and transfer
We recommend that you investigate ways to control the non-financial consequences of your risk at the same time as the financial ones. Whatever treatments you choose, they need to work together in a mutually reinforcing way.
When it comes to controlling the risks associated with the financial consequences, you have three basic options
- Fully retain the risk and bear the costs if the risk materialises
- Transfer part of the risk to another party with an agreement about how the costs will be covered if the risk materialises
- Fully transfer the risk to another party which will bear the costs if the risk materialises.
It’s up to each organisation to decide for itself what the best options are for it, given its internal and external context.
This flowchart shows what you’ll need to consider in making your decision. The guide takes you through each of these steps.
Don’t forget that it’s your risk
Your decision about what and whether to retain or transfer is a decision about how to control one aspect of a risk: the financial consequences if the event occurred.
You still own the risk of the event happening in the first place. As the owner of the risk, you need to control the likelihood of the event or change the consequences, as far as is reasonable or possible.
This guide is relevant to most of the insurance requirements in the VGRMF. The most direct link, though, is to these mandatory requirements
- Determine the most appropriate insurance products and levels of cover for the organisation ’s present and future risk exposures, in consultation with VMIA.
- Arrange all its insurance with VMIA, unless exempted by the responsible Minister or where VMIA cannot offer insurance for a specific risk.
- Maintain appropriate deductibles for each insurance product that reflects the organisation’s risk appetite and capability for retaining financial risk
Your first step, regardless of the option you choose, is to do a thorough assessment of your risks and a range of plausible scenarios that could produce risks to your objectives.
Bear in mind, that it can be difficult to identify, and therefore analyse, all the consequences you could be liable for if an event happened. For example, if one of your buildings burns down, you’ve lost that asset, but what about losses and harms to others who might make a claim? There are a range of scenarios to consider there, from the worst case but also incidents that are unlikely but still plausible.
Use the guide on minimising your insurable risk to take you through the analysis. This will help you quantify how likely a potential event is and how much it could cost to recover.
Our guide on describing a risk will also help you to capture the information you generate in a form that’s usable for others. This is important because insurable risk will involve consultation with a number of specialists and decision-makers across the organisation. Describing risks in precise and informative language will make your job a lot easier.
If you decide to transfer responsibility for the financial consequences of your risk, the party you transfer to will need to understand
- the likelihood of the loss or harm happening
- the nature of the loss or harm
- how much loss or harm could happen.
If you decide to retain the responsibility, then you’ll need the very same information so that you can work out frameworks, processes and culture you need to put in place to manage it—and what it’ll cost to do that.
Each organisation has its own boundaries around what it’s willing and able to do. Your responsible body and executive team, with the advice of the enterprise risk manager and insurance manager, will need to identify where those boundaries are.
Here are the questions you need to ask.
VMIA provides insurance to cover the financial consequences of many types of events your organisation might face. Find out more about whether your organisation is covered.
It’s one of the mandatory requirements of the VGRMF that your responsible body defines its risk appetite, so this may already be done. If not, take the opportunity to work it through with your responsible body. It’s crucial for a range of risk management work, so it’s worth investing the time.
Your organisation’s financial strategy will formalise one aspect of its appetite: its willingness to see unpredictable expenses on its balance sheet.
This risk can be controlled by deciding on the level of the ‘deductible’ associated with your insurance policy. The ‘deductible’ sets the upper limit of the financial consequences you’ll retain, if you suffer a loss or harm covered by the policy. If you face financial consequences above that line, you can make a claim to your insurer and if it’s paid, it won’t appear as an expense on your balance sheet.
If you don’t have much appetite for volatility, you can set the ‘deductible’ level of your insurance policy to low—you retain fewer of the financial consequences.
As you can see in this chart, more will be paid by the insurer. Note though, that you may also pay a higher premium if you choose this option.
If you have a higher appetite, you can set the deductible level higher and retain more of the financial consequences of potential loss and harm. As the chart shows, this means that more expenses will appear on your balance sheet and fewer will be paid by the insurer.
Your organisation’s risk tolerances are what risk it can safely bear before a risk becomes dangerous to the organisation. You can think of your risk appetite as what you’re willing to do and your risk tolerance as what you are able to do.
Working out your risk tolerances is a matter for the executive team with the support of risk leads and other specialists in the organisation. As well as working out your thresholds, you’ll also need to be able to observe when the likelihood of the potential event is changing or the consequences becoming more severe. These are your key risk indicators. Some of them will be financial.
How does this help with your decision?
This step is where you find out whether you’re willing or able to retain responsibility for the potential financial consequences of a risk, given what you know about
- the nature of the probable loss or harm
- how likely it is
- how much loss or harm could occur.
It may be too large for you to retain. For example, many environmental risks would cause large and complex loss and harm, if they materialised, and therefore significant financial consequences for your organisation.
If that’s the case, you’ll need to investigate your options for transferring it to another party if it’s not already covered by VMIA.
Share the information
Decision-makers need to know where the boundaries are when they are working out their objectives and developing strategies and plans.
Once you’ve identified them, you’ll need to share that information across the organisation.
If you decide to retain responsibility for potential financial consequences, you’ll need to manage claims relating to any incidents that happen.
This will involve a cost to your organisation. To work out whether, or to what degree, you’re willing to invest, your executive team will need to weigh up its costs of managing risk, and also its overall financial strategy, and ask these questions:
- How much do we want to invest in frameworks, processes and culture for managing claims relating to retained financial risk?
- How much do we want to invest in monitoring change and risk in the market, our partners and environment?
- What will we not be able to do if we spend our resources on this?
You might choose to retain responsibility too if you believe your organisation is the one that’s most capable of managing claims in a certain area of risk. For example, if your organisation has invested in capability for handling cyber threats and incidents.
To take responsibility for potential financial consequences of your risks, you need to
- build frameworks, design processes and create a positive risk culture
- set up governance
- monitor key risk indicators
- monitor performance
- manage information
- report to the responsible body and committees with responsibility for risk
If you don’t have the appetite or the resources to invest to the extent that you need to, then it’s a perfectly valid decision to take the option to transfer the risk of financial consequences to another party.
Working through these steps generates the information you need to make a decision about the best options for retaining and transferring responsibility for the potential financial consequences of specific risks.
These options are to
- Fully retain responsibility for the potential financial consequences and bear the costs if the risk materialises
- Transfer responsibility for part of the financial consequences to another party with an agreement about how the costs will be covered if the risk materialises
- Fully transfer the responsibility to another party which will bear the costs if the risk materialises.
VMIA will always be part of the answer to the last two options. That’s because your organisation is obliged to insure with us, except where there’s an exemption, or we don’t provide insurance for a particular type of insurable risk.
How much you transfer to us is where you have some decision-making to do though.
In transferring a risk to us, VMIA may recommend a further review based on what we know about the way risk is changing in your organisation’s insurance profile to ensure we can offer the right mix of insurance products.
A conscious decision
As a result of this process, your organisation will have made a conscious decision about how to transfer the risk associated with the financial consequences of events. It’ll also know what it’s decided to retain.
Whether the decision is to transfer or retain, it’ll be part of a treatment plan that addresses the whole risk and seeks to minimise it, either by controlling the likelihood of the event or its consequences.