Analysis in the risk management cycle


This essay discusses risk management with particular reference to the Liebeck vs McDonald's (1994) lawsuit.

Risk management: Definition

Culp defines risk management as follows:

Risk management is a discipline that enables customers and organizations to cope with uncertainty by taking steps to protect its vital assets and resources (2001: 121).

Risk management as so defined involves two things: (a) ensuring that the risks to which people and businesses expose themselves are the risks that they are prepared to take; and (b) ensuring that such risks are minimized.

Culp (2001) argues that risk management is not necessarily the same as risk reduction. This is for two reasons. First, one cannot eliminate all risks. Second, some risks are greater than others. It is insufficient (indeed, pointless) for an individual or organization to make a "laundry list" of all conceivable risks and treat them as being the same. One has to prioritize risks, and take action accordingly. This brings one to the notion of key risk management decisions.

What are the key risk management decisions?

These four decisions contain subtleties. There is a trade-off between probability and damage, for example. A risk that is highly likely to occur but causes little damage may be more important than a risk that is unlikely to occur but may cause much damage.

There is also a subtlety in determining what is practicable. First, those risks that are impracticable to resolve may be so, not only because there might be nothing people can do to reduce them, but also because it might be too expensive to reduce them (i.e., the cost of risk-avoidance might be more expensive than the potential damage).

The need for a cost-benefit analysis relates to the precautionary principle. This is the principle that states that one should try to remove all risks. However, many argue that the precautionary principle is absurd, and counter-productive (see, e.g., Wildavsky, 1995). Such critics claim that the huge costs of some risk-management exercises are more harmful (in that they involve money that would be better spent elsewhere) than the risks they are said to contain.

Risks to organizations

Risks to organizations are of four types: financial, strategic, operational, and hazard. Risks come from two sources: external and internal.

There may be much that organizations can do to manage some of these risks. Hedging operations, for example, may help diminish financial risks from currency violations. Insurance and modern architecture can help diminish hazards such as earthquakes.

There are no internal hazards (individuals do not cause earthquakes), but there are internal risks of the other three types. Many organizations must, for example, invest heavily in research and development (itself a risky activity, because it is expensive and may yield no results) and, having done so, protect their intellectual property rights. Whelan (1993) reports, for instance, that pharmaceutical companies invest heavily in research, which may take years, and that the quality of the research is often better than that sponsored by government organizations.


The costs of risks are of two sorts: direct and indirect (Culp, 2002).

Direct costs

The direct costs of risks, realized or not, are those that can easily be entered into an organization's balance sheet. When risks are realized, for example, the costs include damage to property (the organization's or that of an injured third party), compensation to people injured by the organization's products, legal fees to lawyers in fighting litigations, punitive damages awarded by courts of law, and so on. When risks are not realized, direct costs remain. Organizations bear the direct costs of paying insurance, and, in the case of larger organizations, of employing lawyers and risk avoidance experts, health and safety experts, and so on. In employing such experts, the organizations take the risk that the huge sums they pay in avoiding risk do not cost more than any damage caused by the putative risks. They also take the risk that such experts will correctly identify and mitigate putative risks.

Indirect costs

Indirect costs only come into play when risks are realized. In such cases, they may be vastly greater than direct costs. Thus, for example, when Gerald Ratner stated in public that the reason he could sell jewelry at low prices was that the jewelry was "crap", his business empire, comprising a nationwide chain of jewelry shops, collapsed. The cost of this gaffe was an estimated 500 million (The Sunday Times, 2007).

Managing risks

Organizations can do much to manage risks, and much is common sense. Hospitals, for example, can ensure standard procedures for the administration of drugs; banks can ensure cash is stored in secure vaults; institutions for the criminally insane can ensure that knives are kept away from inmates; governments can ensure that sensitive telephone conversations are encrypted ("scrambled"); and so on. Such obvious measures are standard, and doubtless ensure that many dangers are rarely, if ever, realized. Moreover, to a large extent, organizations can reduce risk of acts of God by taking out insurance.

Risk management cycle. The most important feature of the figure is its structure. Everything in the figure flows round the organization's strategic objectives. Thus risk management should be part of an organisation's strategic planning. From the organisation's strategy the subsidiary features of the figure flow down, from risk assessment to monitoring. However, this does not imply risk management by management diktat. The figure shows that all stages of the cycle receive constant input from formal audits and all stages are constantly modified. Thus the risk management cycle involves all of an organisation's employees, all the time. This implies that risk management evolves, and is holistic.

This is made plainer by the IRM's (2002) advice on management and employee responsibilities as regards risk.

The burden of responsibility on the directors reflects the strategic importance of managing risks. The responsibilities of business units and individual employees reflect the critical nature of risk identification and the need for all employees to be aware of it.

When one speaks of risks, one usually thinks of threats. However, it is clear from Figure 3 that risk analysis also involves identifying opportunities. These vary. A car manufacturer, for instance, that notices that its cars are more dangerous than those of its rivals could see this as an opportunity to improve its cars and then advertise them for their safety features.

Liebeck vs McDonald's

This case involved a Ms Liebeck, who, when aged 79, burned herself after spilling a beaker of coffee she had bought at a McDonald's takeaway. She spilled it while sitting in a car outside the fast-food chain. The burning was serious. The Consumer Attorneys of California (1995) report:

A vascular surgeon determined that Liebeck suffered full thickness burns (or third-degree burns) over 6 percent of her body, including her inner thighs, perineum, buttocks, and genital and groin areas. She was hospitalized for eight days, during which time she underwent skin grafting. (paragraph 4)

In the initial hearing the jury ordered McDonald's to pay almost $3 million to Ms Liebeck, of which $2.7 million were in punitive damages. The judge at the hearing called McDonald's behavior "reckless, callous, and willful". The punitive damages were later reduced to $480,000.

Although the case received much media coverage concerning frivolous lawsuits, there can be little doubt that Ms Liebeck was seriously injured. Moreover, there can be little doubt that McDonald's was culpable. Five things stand out about this incident (Consumer Attorneys of California, 1995).

  • McDonald's at the time typically sold coffee at 180-190°F. This was company policy. The temperature was substantially higher than that of coffee served in rival takeaways, and much higher than that of coffee served at home (about 135°F).
  • McDonald's were aware at the time that any food served at over 140°F constitutes a burn hazard.
  • In the period 1982-1992 more than 700 people complained to McDonald's of burns from its coffee.
  • McDonald's were aware that the majority of its takeaway customers wished to consume their coffee immediately on purchase.
  • Ms Liebeck initially offered to settle for $20,000, but McDonald's refused.

Notice that there were two risks to the company prior to the incident. There was an external strategic risk of changes in customer demand in the wake of any customer being harmed by McDonald's foodstuffs. There was an external operational risk of changes in culture in the wake of any such incident. The costs involved were both direct (punitive damages, court costs, etc.) and indirect (loss of public goodwill). The latter were plausibly much the higher.

The risks to the company were foreseeable. The company knew that the temperature at which it served its coffee was higher than industry standards. It knew the temperature was hot enough to cause severe burns. It knew that most of its takeaway customers consumed their coffee as soon as possible, and that many, as had Ms Liebeck, had done so in a car. It is common sense that old people, like Ms Liebeck, can easily spill drinks when sitting in a car. Worst of all, the company knew that hundreds of people were burning themselves with McDonald's coffee. One may surmise that the company's first error was not to instigate a culture of risk analysis. Any company employee could have reasoned that the coffee was too hot, but, if any brought this to senior management's attention (as indicated by the IRM's (2002) standards), nobody appears to have acted on it.

The company's next mistake was to proceed with the court case. It could have had a damage-limitation exercise: paid Ms Liebeck what she wanted (and more), announced an immediate cooling of their coffee, donated money to hospices, and so on. This was a lost opportunity for the company. McDonald's could have benefitted from the case, not lost it. Instead, it insisted on taking the case to court, with the consequent embarrassment.

In terms of the risk management cycle, McDonald's performed as follows:

  • Strategic objectives. The company failed to see where its interests lay.
  • Risk assessment. The company failed to properly evaluate and assess the risk.
  • Risk reporting. McDonald's knew of the risks.
  • Risk treatment and residual risk treatment. The company did nothing.
  • Monitoring. The company monitored the risk of customers being burned.
  • Decision. McDonald's made the wrong decision, twice: first by continuing to serve hot coffee, second by not settling out of court.

Most important, the company failed to modify its policy in the light of repeated incidents of customers burning themselves. This suggests a lack of risk awareness in the company.


Risk management is crucial to organisational performance. It involves monitoring all known risks and investigating potential ones. Most important, it involves all employees in a company, and therefore suggests companies employ a relatively holistic management structure.

The McDonald's case is especially illustrative. It took needless risks, even though it knew of them. It does not appear to have had risk management, in the form of the risk management cycle, in operation at the time of the incident. The company then compounded its error by failing to see the additional risks involved in fighting the litigation. In this way, the case illustrates that, although nobody can avoid all risks, bad management compounds risks.


  • Consumer Attorneys of California (1995). The actual facts about the McDonalds' coffee case. Retrieved 10 December 2009 from
  • Culp, C. L. (2001). The risk management process: Business strategy and tactics. New York, NY: Wiley.
  • IRM (2002). A risk management standard. Retrieved 2 December 2009 from
  • Sunday Times (2007, October 21). It still hurts 16 years on. Gerald Ratner reveals the pain of becoming a national laughing stock. Retrieved 2 December 2009 from
  • Whelan, E. H. (1993). Toxic terror: The truth behind the cancer scares (2nd ed.). New York, NY: Prometheus.
  • Wildavsky, A. B. (1995). But is it true? A citizen's guide to environmental health and safety issues. Cambridge, MA: Harvard University Press.
