In the construction industry, risk is our business. You can take it, leave it, charge for it, or transfer it. Although we're proud to contribute to designing, building, and operating the most impressive structures in the world, none of this is done without significant risk.
For a mere 2–5 percent fee, world-class contractors are willing to assume multibillion-dollar project risk. And with such thin profit margins compared to other industries, the challenge becomes managing the risk so well as to preserve enough profit to stay in business to build the next amazing project.
The risk management measures that contractors employ for a $10 million project, a $100 million project, and a $1 billion project are vastly different. The same holds true for varying sizes and shapes of the contractors themselves. But how do we know what's reasonable and appropriate to best manage our risk while preserving our bottom line? To answer these questions, we must first look at risk holistically, then apply a scalable approach, customized to the various sizes and shapes of contractors and projects, and the teams that build them.
Organizations that invest in risk management, and specifically link risk management to the attainment of the most important strategic and financial goals, typically achieve higher relative growth. — Deloitte's 2019 Survey of Risk Management
Risk Is Our Business
A risk management rule of thumb is that the parties responsible for the risk ought to be afforded commensurate authority to manage that risk. In other words, it's not wise to make one person responsible for sweeping the floors if someone else controls the broom. In construction-speak, a party shouldn't be responsible for safety if they do not have stop-work authority.
Let's consider risk management as a three-legged stool. Given the aforementioned rule of thumb, contractors should seek to assign risk responsibilities to the party in the best position to control them.
Risks under the control of the general contractor/construction manager should be managed by the general contractor/construction manager. Risks of the downstream parties should be contractually transferred as such. Risks falling outside of the contractor's specific risk tolerance can be protected with insurance products. Keep in mind that insurance products are designed to be the safety net beneath a company's risk management protocols. Given varying retentions and loss-sensitivity, insurance can help recover the economic loss of some claims. However, it is generally not designed or intended to be the first line of defense.
Contractual risk transfer offers a contractor a mechanism for transferring certain risks to the party who controls the risk such as the owner or the subcontractor. The contract's language provides a definition of authority and responsibility, which can help leverage enforceability in the field. But ultimately, if there is a conflict, the outcome will be left to the courts, and the only guaranteed winners in these cases are the attorneys and the experts who charge by the hour.
Who decides what a company's "risk tolerance" is? Into which bucket does each of these risks fall? How do we manage the risks we retain? Your risk management team. The organizational structure of this team that supports your risk decisions can dramatically influence the outcome of those decisions and, by extension, your bottom line. In the current booming economy, I am frequently asked by clients at what point they should consider a dedicated risk manager, or a dedicated quality manager (also a risk manager of sorts), to whom that role should report, what roles should report through them, and so forth. The very unsatisfying answer is: it depends.
The Various Sizes and Shapes of US Construction Companies
As a friend and colleague often says, "Contractors are like snowflakes, all unique and beautiful in their own way." By way of context, when I reference contractor size, I would categorize smaller contractors as $100 million to $700 million annual revenue, midsized as $700 million to $2 billion, and larger as $2 billion and greater in annual revenue. When I reference shape, I would categorize "local" contractors as operating with a concerted focus in a small geographical area, regardless of revenue (e.g., a contractor who performs $100 million/year in Des Moines or $2 billion/year in New York City can both be considered "local"). "Regional" contractors are generally those with one main headquarters office; their staff travel for projects across the country. "National" contractors are those with many offices throughout the country who operate in concentrated areas where they have an established presence.
A company's unique blend of size, shape, and culture defines the risk management structure most practical and effective for your business, such as the following.
The lean team. Smaller companies often operate with a safety manager plus a prequalification admin or other support staff, and the major risk management decisions are made as a part of another function such as president or chief financial officer (CFO). This structure can be effective for a company with only a handful of projects in relatively finite geography (such as a metropolitan area) and a strong and tight-knit subcontractor pool. Checks and balances are still necessary, but the overall process is relatively uncomplicated. The safety team reports through the safety manager or director who may be beholden directly to operations. However, as a company of this size and shape expands in revenue or geography, they will begin to outgrow this model and will be best served by migrating toward a tiered structure, levels of authority, and more dedicated roles. The key here is recognizing the tipping point when a company is no longer "a small company that doesn't need all that fancy process." I've seen many companies fall behind the curve by refusing to recognize that they've outgrown their process.
The CFO risk manager. If a CFO is performing the functional role of risk manager, they may have controllers performing the roles of risk analysts, legal counsel performing contract review, and/or an insurance specialist assisting with policy renewals, claims, etc. The CFO is essentially wearing two hats, so it's important to note that company growth may eventually render this model burdensome for that individual and even more important to recognize when that begins to occur (similar to the example of the lean team). Additionally, the CFO and team can tend to view risk through a finance lens, not having the construction operations experience to see the field risks. For this model to be effective, it's essential that this team develop a process (with accountability) to involve project managers and superintendents in subcontractor selection and other operational risk decisions.
The deployment of troops. Many large contractors have an entire department dedicated to risk management, led by a director of risk management, and supported by regionalized teams of risk analysts and other support staff (e.g., legal, insurance coordinators, or admins). One large company that I've worked with has a risk management group that is led by a general manager, who oversees numerous corporate overhead departments including claims, legal, risk analysts, safety, procurement, wrap-up coordinators, etc. This is an effective deployment of specialized troops for large companies with wide footprints with regional risk nuances. In some situations, I've seen the regional analysts/managers report through the operations of the business unit in which they sit, rather than through the corporate risk management office. Both reporting structures work; however, it's important to recognize the alignment of interests of these decision-makers: whether they are beholden to the business unit's specific profitability or corporate risk management's risk tolerance, values, and goals.
While the deployment structure necessitates a framework of policies and procedures, chains of authority and approval/exception protocols due to all the moving parts, it is ESSENTIAL to still empower good decision-making by the humans in those roles. It is not enough to rely solely on a software platform, written mandated process, or authority matrix to do all the work. Good risk decisions are made by people, not processes.
Reporting Up the Chain
Having explored the downstream team that supports the director of risk management, risk management department, or CFO, let's discuss how that chain of authority reports up to the top levels of a company. Consider that when an individual has chest discomfort, a pulmonologist is likely to suggest a lung problem, a cardiologist may say it's a heart problem, and a chiropractor suspects that ribs are out of alignment. When all you have is a hammer, everything tends to look like a nail. With that philosophy in mind, let's explore what happens when the risk management efforts report up through various chains and how that affects the risk decision-making process.
When risk management reports to the CFO (or when the risk manager is the CFO), there may be an overreliance on how risk appears on paper. A purely numbers-driven approach to risk assessment and management can paint an incomplete picture of risk without adequate consideration of the operational risks, potentially resulting in unintended risk-taking or risk-aversion. Although, generally speaking, I have found CFO risk managers to be more risk-averse than risk-takers.
When risk management reports to the CEO, they are motivated by big-picture company profitability but may be less in tune with day-to-day field operations. Therefore, it can be beneficial to home-grow this person/team so they remain rooted in the core business of construction operations.
When risk management reports to a legal officer, they may be overly conservative and keen to avoid all the risk through contractual risk transfer or aggressive/redundant use of insurance products as the first line of defense. Keep in mind—where there is risk potential, there is reward potential. If strict avoidance is your policy, you may be missing out on fee enhancement opportunities when you effectively manage calculated risk.
Finally, allow me to suggest the concept of a chief risk officer (CRO). Deloitte's 2019 Survey of Risk Management suggests that "[o]rganizations with a CRO [who reports to the CEO] are more likely to view risk management strategically." Deloitte suggests that by simply inviting the risk management team to a seat at the C-suite table (rather than an annexed department), a company is communicating to all levels of the organization (C-suite included!) that risk is a core value and vital to business operations. This is the concept of playing offense instead of defense and can produce very effective results.
Shifting a Culture
The last piece of the puzzle is how to implement and integrate your risk management team into your organization. The key to staying competitive and relevant, while adequately managing construction risk, starts with holding up a mirror. Reflect on your company's size, shape, risk tolerance, and growth potential. Next, consider how those factors align with your company's culture, values, and goals and envision your future 5 years, 10 years, and 20 years from now. Then, develop a system to continually evaluate and recognize the need for added resources, process, and infrastructure that supports the ever-changing dynamics of construction risk.
Risk managers are decision-makers, influencers, and resources all in one. And, just like each construction company, each risk management team is unique and varied. Cultural shifts take time and thought to build and run effectively, but it's well worth the effort.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.
Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion.
If such advice is needed, consult with your attorney, accountant, or other qualified adviser.