Using Enterprise Risk Management to Protect Your Shop

It’s a simple distinction, but it makes all the difference. When addressing the audience at any of his half dozen or so risk management seminars each year, Laramie Sandquist likes to start with a couple of questions to his crowd of 25 auto service center owners and operators.

“We just ask how many accidents have occurred in their shops in the last year, two years, three years; how many legal issues?” he says. “You hope it’s not many, but there will be a number of them. Then, for all the people there, whether they’ve had issues or not, the question is: Well, was that from pure luck, or did you have a plan in place to prevent those incidents from happening?”

Tornadoes, hurricanes and fires, workers’ compensation issues and wrongful termination lawsuits: These are all “disasters” that can happen to a business—and they happen unexpectedly.

“There’s nothing you can do about it, right? It’s just bad luck, right?” Sandquist says. “Wrong.”

Not all potential risks to your business can be prevented, Sandquist says. But the impacts those events have on your business can be controlled through proper management of your shop’s risk.

Sandquist has specialized in risk management services for Federated Insurance for nearly 15 years, and is now in charge of the company’s Designated Risk Manager seminar series, which, among other things, delivers educational sessions on risk management for the auto repair industry.

Building a business culture around the concepts of Enterprise Risk Management (ERM) is one of the best ways to ensure your shop is prepared for any possible legal or financial incident that comes your way.

“It’s the difference between being lucky and being protected,” he says.

What is ERM?

ERM refers to an all-encompassing risk management process to allow an enterprise—in this case, your shop—to push forward toward its goals and objectives while identifying, analyzing and protecting itself against potential risks that could knock the business off course.

More simply put, ERM is a system that helps a business create a culture that defends it against risk, Sandquist says.

And it comes two-fold: through gaining a full understanding of the risks in your business, and then properly managing those risks.

Understanding Risk

To help clients better understand the way potential risks affect a business, Sandquist often turns to a visual aid—a series of circles that demonstrate how risk management needs to be ingrained deeply into a shop’s culture in order to be successful.

“The visual just helps it all make sense,” he says. “[Shops] have a lot of bad things that can happen to them, and they have core operations they need to protect. So, what do we do to keep those risks outside? What are the precautions we should take?”

Again, it’s about overall, enterprise-wide culture. That starts at the top of the organization, Sandquist says, but it involves much more than a single leader.

Creating your own, specific version of the diagram allows you to analyze and understand the risks your business faces. Here is how it breaks down:

Risk Management Culture

A Vision for your culture

Move in one ring, and this is where your business’s culture comes in; it’s what is keeping those risks at bay. Only a constant focus on your core operations can do this, Sandquist says.


Employees, People, Community, Family, Customers, Vendors & Suppliers

The next ring is for those people who are affected by what your core operations are: employees, customers, family, friends, suppliers, vendors—everyone. Be specific; understand each person that is affected by the actions you and your employees take on a daily basis.

Core Operations

Mission Purpose, Culture Values, Profitability

This is the inner-most circle, and it represents the core of your business, Sandquist says, everything your business does and stands for. Your shop’s mission, values, culture and purpose need to be at the center of this entire process. This is what you are protecting. It’s what unites your team, encourages efficiency and, ultimately, leads to profitability. Those aspects of your business need to be clearly defined.

Potential Risks

Business Continuity, Death, Disability, Auto Liability, Business Continuation, Liability, Workplace Violence, Property, Reputation, Employee Injuries on the Job

Skip to the outside of the circle, and this demonstrates the ways your core operations can be put in danger. For the most part, Sandquist says these risks will fall into the 10 categories listed above.

Risk Transfer

Standard Operating Procedures, Processes, Insurance

These are the measures put in place to eliminate risk in specific aspects of the business. In certain situations, such as business-continuation issues, simply having insurance can be the risk transfer. Other times, it can be specific standard operating procedures or shop processes.

Managing Risk

There are plenty of schools of thought on the steps to take in implementing ERM in a business. Ultimately, Sandquist says, they all revolve around the same basic principles of mitigating risk.

“The bottom line is that, no matter what you’re doing, you should have a step-by-step process to evaluate each area of your business, down to specific tasks and procedures,” he says.

“This is enterprise wide, but what it boils down to is having controls in place throughout your organization to make sure you’re following your processes and eliminating the potential risks.”

And managing risk is a perpetual task, he adds. It should be a part of your yearly goal planning; it should be part of your quarterly meetings, your monthly meetings, your weekly meetings, your daily meetings.

Some will inevitably be big-picture items (e.g. a plan in place to push the business forward following a disaster like a fire or flood); some will be small, minute details (e.g. the process for cleaning spilled oil on the shop floor to prevent a potential accident). Regardless, Sandquist says you can follow these basic steps each time:

1. Identify the Risk. Evaluate the situation and look for any possible underlying risks associated with it.

2. Analyze the Risk. Why would it occur? How would it take place? Whom would it affect? What could prevent it?

3. Identify a Solution. Understanding the reasons the risk occurs, what procedures or safeguards can you put in place to prevent it or respond to it?

4. Decide on a Plan. Create a detailed, written process, procedure or system for the solution best suited to nullify the risk in that situation.

5. Implement the Plan. Carry the plan out, educating and training all necessary parties on the new procedures.

6. Evaluate the Results. The safeguards put in place need to work, and to ensure they do, regularly analyze the results of your business’s reactions to incidents, or how often incidents you were attempting to guard against still take place. How often these should be evaluated depends on the situation—some larger items may be tracked over the course of a month, quarter or year; smaller, daily procedures can be evaluated each time the task is carried out.

Tying It All Together

What separates the concept of ERM from other forms of risk management is that it encompasses the entire organization—and is put in place to allow the organization to achieve its central goals and mission.

“That’s why it really needs to be a part of everything you do,” Sandquist says. “It’s built into your process. It should be a part of all your planning sessions. If your team understands your core operations—what you stand for—and can clearly see how they need to push that forward and guard against these risks, you can build a business culture where risk management is a natural, necessary part of day-to-day operations.” 
