Since the new system records loss events whether or not they're covered by insurance, it builds a database of such events for the company, which allows Microsoft to begin creating models based on its own experience. Admittedly, the accumulation of the loss event data by the system wasn't planned, but it has become a key benefit, Callinicos notes, since there is generally a dearth of data available on business risks, compared with data on financial risks. This is in part because many lawsuits are settled privately. Now, "there are areas on the business risk side where there's enough data to extrapolate from," Callinicos says.

Unfortunately, most companies' resources will not afford them that luxury any time soon, and Microsoft claims it has no immediate plans to bring to market its new system in its entirety. So what options are left for companies? AT&T Wireless, although $14.5 billion in revenues itself, followed an approach that many smaller companies might consider.

One Company's Approach

Bill Buchan, AT&T's executive director for risk strategy and administration, also chose to bring in outside help. The first step was hiring Deloitte & Touche to develop a methodical system for assessing company-wide risk. Risks were strategically broken down into four categories: strategic, operational, financial and hazard. Then, using a business risk assessment survey developed by the consulting firm, risks were further refined into 12 sub-categories. Next, Buchan harnessed an enterprise risk assessor software developed by Methodware. The software creates computer-generated risk models, aggregated by business line, geographical areas or other parameters. "It distills results into meaningful documents," he says.

Buchan acknowledges that the goal of pan-organizational risk assessment is by no means a snap. "If you haven't created the process, it's hard to extract information from different business areas," says Andrew Kuritzkes, managing director at Mercer Oliver Wyman in New York. "You need to create the organizational role and mandate in order to make progress." That means crafting an overall vision for the company to link various initiatives together.

That job falls to risk managers and treasury execs, in most cases. Already accustomed to the spotlight since 9/11 wreaked havoc on property and casualty premiums and Enron Corp. put directors and officers on the griddle, risk managers have been forced to explore the idea of retaining more risk and, as a result, have become much more diligent about the concept of risk mitigation. "Insurance transfer is that last thing we do," says AT&T Wireless' Buchan. "If we want it, we keep it. We operationalize the risk out."

Because of the pressures of the hard market, companies are also becoming more efficient in assessing risks and making their own calculations about how much they want to retain. "They come to us with much more carefully conceived programs," ACE's Ryan notes. "They are much more comfortable with retained risk and more willing to be a little creative."

But the road to identifying key risks is littered with failures, despite the fact that certain industries have some clear choices. "For a retailer, it might be weather in the spring and fall, combined with gross domestic product in the fourth quarter," says Robert Arvanitis, CEO of Risk Finance Advisors, a risk advisory firm in Westport, Conn. Though risks may not be bundled together holistically, two or three big things can be extracted. The problem is figuring out which two or three things matter most.

Mike Chagares, senior vice president in business risk consulting at Marsh Inc., tells the story of a company that identified 557 risks company-wide. The list was unwieldy. "I came up with 47 by having a consistent business process," he says. "Then, there needs to be a way of pulling it all together."

Energy and financial services companies have been using this approach for years since the interconnection between risks in these industries is more obvious and thus more quantifiable, says Robert Benvenuto, a managing director at Gallagher Financial Products in Chicago. "Outside those two sectors, there's more difficulty," he says. "It's all driven by a company's ability to quantify risk data."

Industry Hardliners

Working against risk managers like Buchan is foot-dragging by the insurance companies. Typically, insurers help companies with models for gauging risks and requirements for risk transfer. Most carriers, however, steer clear of corporate efforts to measure risks across the organization, reckoning their best financial interest lies in maintaining single-year coverage based on highly specific categories of risks, such as intellectual property.

"Right now, the insurance world isn't geared to manage large baskets of risk," says Carl Groth, a senior vice president at insurance broker Willis in New York. Groth says he gets inquiries about enterprise risk programs from companies almost monthly, but "there are only a handful of insurance companies willing to even entertain the context. They stick to what they're used to."

So companies are trapped: They don't get help from insurers in assessing enterprise risks, and they can't get policies to cover them either. This requires finance execs to think out of the box in terms of creating self-insurance through captives or alternative risk transfer or, better still, eliminating risk. For example, "companies are using captives to get more flexibility," says Risk Finance Advisors' Arvanitis. "You can use them as a platform to bundle risk yourself."

The conclusion of many risk managers: It's easier to think creatively without the limitations of a policy.