Risk management: Where does it belong?

Assuming a medical device company recognizes a need for a risk manager, other questions come into play. Among them: Where does risk management belong on the organizational chart?

By Kevin M. Quinley


Most risk managers seem to report to either a CFO, a treasurer, or a vice president of finance. Typically, the risk manager is lodged in the finance department. In a few organizations, the risk manager is part of the legal or safety departments. Which is best? In lawyerly fashion, the answer is probably: "It depends." What are some of the pros and cons of locating the risk management function in one area or another?

Regardless of where the risk manager is, one matter is clear. In virtually all medical device firms, risk managers hold staff -- not line -- positions. Medical device businesses exist, not to manage risks, but rather to make innovative technologies and earn a profit. The risk manager's role is to be an enabler and facilitator, to serve those who make products. The risk manager does not make products or services which the medical device firm sells in order to stay afloat. Nor is the medical design professional's goal to avoid all risk, but rather to manage it and take only smart, calculated risks.

Some feel that the risk manager should report directly to the chief financial officer, since the purpose of risk management is to protect the organization's financial assets from potential risks and losses. While this makes sense, it is hardly the only option. Let's look for some other suitable ports for the S.S. Risk Manager.

Part of safety department?
The risk management function (or department, if the organization is large enough) should include risk evaluation (identifying risks, determining the probability and severity of the risk, etc.), developing appropriate controls to reduce or eliminate risk (safety policies, engineering controls, transfer of risk to others, etc.), and risk financing (insurance, self-insurance, risk retention levels, decision not to finance risk at all, etc.).

As a result, many feel strongly that safety directors should report directly to the risk manager. If the medical device company is too small to support a safety director, the risk manager should have those responsibilities. Claims management can also be part of the risk manager's responsibilities, though the actual handling of the claims might be delegated to human resources, a third-party administrator, insurer, etc. You can't properly manage loss costs if you separate risk management, safety, and claims management. They are integral parts of controlling the ultimate cost of risk for an organization.

As for the scope of the risk management function, one could include usual property loss exposures, legal & liability exposures (including "newer" exposures such as employment related practices liability exposures), product liability, auto fleet exposures, and regulatory compliance (FDA, OSHA, EPA, etc.).

Regarding risk management's involvement in purchasing, many would have the safety director involved in the decision-making process for buying equipment, tools, and any changes or additions to buildings or facilities which impact on safety. The risk manager should be involved in all early discussions of any major changes in facilities, products or processes.

Risk management is a staff function. As such, the risk manager will develop plans to control and reduce risk, but the implementation of all risk control, safety and loss prevention actions remains a line management responsibility. Too often one sees line management trying to shift the ultimate responsibility to the risk manager or safety director. This must not be allowed to happen.


With legal beagles?
Some observers feel that the risk manager should be part of the legal department. There are strong arguments for this. Risk managers deal with liabilities, and the legal department is very concerned with these too. Further, there is a productive synergy that comes from having the risk manager and in-house legal counsel share ideas and team up on projects. Such cross-functional teamwork is more likely to occur if one institutionalizes and perpetuates it by welding the two functions together within the corporate legal department or office of the general counsel.

Of course, many of the exposures to be managed are first-party risks, such as buildings and business personal property. Lawyers can easily overlook these types of exposures, and the risk manager within the legal department must take care to rise above this orientation.


With human resources?
Others support the human resources approach since employees are the ones who have the biggest impact on a device company's cost of risk. This is not only through their own use of compensation and employee benefits, but also through their actions or inactions, which spawn liability or property damage claims. The bottom line is whatever works best for the medical device company in question based upon the personalities and resources available.

The risk management function is very diverse and, depending on the corporation's or institution's philosophy, can be located in any number of areas. Traditionally the risk management function was under the auspices of finance. That's where the insurance premiums, losses, etc., are paid. Through collaborative, ad hoc efforts of financial services, security, and environmental health and safety, decisions were made.

In addition to insurance-buying, many view the risk management function as an audit role. There is much expertise within a medical device firm which should be tapped. By asking the right questions of the right people at the right time (and listening to the answers and advice), the risk manager can assess loss control and liability issues, etc. When employees are aware of risk management policies and procedures and are thinking about safety, liability issues, etc., they buy into the idea of risk management. Who better to know what the risks are (and how best to deal with them) than those who are faced with them daily?

Risk management also has a strong marketing component. Unless the program is understood by other departments, they'll just wonder "Why is she sticking her nose into my business?" Once they understand that this is not what the risk manager is doing, but rather that he or she is collaborating with them (as resident experts in their area) to reach workable solutions, they are terrific.

One area where you won't find the risk manager is at the CEO slot. It is safe to say that the road to the corner office does not run through the risk manager's cubicle. If the risk manager aspires to someday be the device firm's CEO, he or she must possess some extraordinary talents or work for an unusual company.

Another way for the risk manager to become CEO is to leave the corporate treadmill and put out his own shingle as a risk management consultant. Who knows, maybe one of your first consulting jobs can be advising medical device companies on where to fit risk management on the organizational chart!


Kevin M. Quinley, CPCU, ARM, AIC, AIM is senior VP, risk services, Hamilton Resources Corp. and MEDMARC Insurance Co., both of Fairfax, VA.