A broader approach

By widening the scope of risk management, contractors can run more professional, efficient and profitable companies

Running a business, any business, has its risks. Arguably, few businesses are riskier than roofing. The Occupational Safety and Health Administration (OSHA) recognized this fact when it declared roofing as one of its five "target industries" in 1970, the year the agency was formed.

The sobering reality is the risk profile of any roofing company is not limited to safety and health issues. It's extensive and overwhelming even to the most diligent company. The question is: Can a roofing business with all its inherent risks be approached in such a way that the vagaries of laws, regulations, human resources and installing effective roof systems are challenging, rewarding and fulfilling?

A bit of history

In 1988, NRCA created a new staff position, risk manager, to assist members with safety and insurance questions. By that time, the association's partnership with CNA Insurance Cos., Chicago, had grown to the point where having a full-time NRCA staff person assist members with understanding and, NRCA hoped, reducing claims was appropriate. Over time, the nature of assistance NRCA provided its members expanded to include regulatory and some legal assistance, but the focus remained on safety and insurance matters.

However, roofing contractors were realizing a need to look at risk in a much broader way. Five years ago, an OSHA grant aimed at teaching small-business owners how to implement effective safety programs was offered. NRCA won the grant and used it to develop a primer course addressing risk management. The course was used as a testing ground to show contractors and safety directors (the target audiences) how safety fits within the risk profile of a contractor's business. Members embraced this broader definition of risk and the concept that safety is just one of the many risks a contractor faces. To be effective, risk management needed to be addressed across an organization and managed in a measured, professional way.

Enterprise risk management

The evolution of NRCA's approach to risk management paralleled growth in the discipline as a whole. Now enjoying more than 30 years as a dedicated area of study and expertise, risk management was a formal effort initially focused internally on such things as efficiency, safety and quality efforts. But business leaders realized a need to manage external risks, such as financial matters (investments, securities, etc.), reputational risk (how decisions affect a company's reputation) and legal risk, to name a few. As a result, a new term, enterprise risk management, was born.

Enterprise risk management is premised on the idea that for organizations to be successful, business owners need to create frameworks that can effectively identify, assess and manage risk; this especially is true in roofing businesses where risk is great. The question now becomes: How does an organization balance adding value and maximizing profit with the important task of managing risk?

The answer lies in having a deliberate plan. Experts recommend using the following basic five-step protocol to build a framework for continuous risk identification and management:

Step 1—Risk identification: First, a company owner must conduct a comprehensive, vital and, sometimes, tedious analysis that identifies risks existing in the business. To be successful, the process must be thorough because risk that goes unidentified is, by default, unwittingly absorbed by the organization. This works against foundational value and profitability goals. Note that it is tempting to fix a risk once it is identified; however, this is not necessarily in an organization's best interest. Experts warn jumping from identification to solution often is costly, inefficient and distracting to overall value and profit goals.

Step 2—Risk assessment: This is when all identified risks are rated and prioritized.

Step 3—Risk treatment: Once risks are prioritized, they are matched with ways to treat or address them.

Step 4—Risk implementation: Here, treatment methods are applied.

Step 5—Risk review: Implementation is vigorously reviewed. Outcomes can include treatment reassessment, identification of new risks or resolution, and where the risk is properly managed, for example. Nevertheless, the process is continuous so even a resolved risk continues to be monitored.

For this process to work, enterprise risk management relies heavily on a business' strategic framework. A roofing company owner (through strategic planning) needs to establish a vision for the company and define the company's purpose (what does it offer in the marketplace?) and what he or she wants the company to be (where is it headed?) to set the stage for effective decision making. Enterprise risk management then evolves as a process that is integral to and supportive of strategic decision making. This, in turn, helps an owner assess priorities and balance competing economic forces.

Enterprise risk management implementation increases the professional standing of businesses because it provides owners with a comprehensive understanding of their risk profiles and, importantly, the ability to articulate, manage and leverage risk to enhance a business's image to internal stakeholders, such as employees, and external stakeholders, such as bankers, customers and suppliers. Roofing contractors who implement an enterprise risk management program set their businesses up to leverage risk with much more certainty, leading to greater profitability.

For example, though it has been well-known for years the implementation of a comprehensive safety program not only will save lives but also increase profits, the roofing industry has struggled to effectively adopt such initiatives typically because of competing priorities. But during the past five years I have seen a real shift; company owners have learned how to own their safety visions and gain employee support, reaping the benefits of improved safety.

Imagine how much more efficient a roofing company can be if it manages its accounts receivable and accounts payable risks in a formal way? Once the ability to manage risk grows and becomes more sophisticated, a business's risk appetite grows. As a result, it is able to seriously consider taking on new, more risk-intensive (and profitable) projects that previously would have been rejected because of the organization's inability to confidently execute the work.

NRCA'S approach

Because of interest in this subject area, former NRCA President Nelson Braddy formed a task force to determine whether NRCA could assist its members with addressing their enterprise risk management efforts. The initial task force discussions laid bare the temptation and desire to jump to conclusions once risks are identified.

What quickly became apparent is a need for foundational vision establishment to support strict adherence to the five-step process. The task force believes enterprise risk management is a worthy pursuit and will test its principles in their companies to see what works well and share those findings. Updates will follow in future Professional Roofing articles.

Shift in attitude

In just 25 years, the roofing industry has moved from a reactive to proactive approach to safety. This has created a shift in attitude toward enterprise risk management—it is possible the latest "horror story" soon will be vetted properly to determine whether it will fit within an organization's risk profile. It's even more possible to envision an organization where its risk appetite is robust because of the process and where the effects of incidents are minimized and those of productivity, investments and reputation are maximized, leading to professionalism and profitability for those who have adopted this approach.

Thomas R. Shanahan, CAE, is NRCA's associate executive director of enterprise risk management.

For an article related to this topic, see:
"Embracing safety," February 2011 issue


Be the first to comment. Please log in to leave a comment.