Total Cost of Risk (TCOR): Are you measuring it?

Published February 25th, 2022 by Kyle Langan

Focus of TCOR: Profitability

It is vital for the financial health and longevity of an entity to account for, and understand the effect of all expenses on its profitability.

Companies may assume they understand and measure their expenses and profitability correctly, right?  This is commonly untrue.

Learn How to Measure: TCOR explained

Inherent in all company’s operations are risks, and with risk comes cost.

Here’s what TCOR is and what you need to know about it in order to prevent lost profits within your company:

Total Cost of Risk (TCOR) is the cost of managing risks and incurring losses. [1] Total cost of risk is the sum of all aspects of an organization’s operations that relate to risk, including retained (uninsured) losses and related loss adjustment expenses, third party / administrative costs, transfer costs, risk control costs, and indirect costs. [2]

Third-Party Costs include the expenses associated with buying insurance (premiums, taxes, and fees). These costs are determined by your effective policy types and claims experience. [3]

Losses are the largest source of commercial profit erosion. They are controllable with the placement of proper risk control mechanisms. Direct costs stem from losses through retained costs, deductibles, and uninsured losses. [4]

Indirect loss costs are the unbudgeted expenses of loss events caused by business interruption, disruption and/or reputational loss. They are calculated through an indirect loss cost factor – specific to industry group and risk category. This part of the equation is the most challenging – it is not commonly measured.

With the right risk control plan in place, there are significant opportunities to reduce your TCOR by working to mitigate losses.

TCOR, an example:

Ransomware attacks increased in 2021; evolving tactics of cybercriminals demonstrated their growing sophistication and threat to organizations globally. [5] These criminals increasingly expanded methods to extort money from mid-sized businesses. They threaten to publicly release stolen information and/or disrupt victims’ internet access.

A commercial victim of a cyber extortion loss will incur significant indirect costs, thereby increasing its TCOR. This results from stolen money, access disruption, or loss of data, time, and human capital.

Scenario: Large Addiction Treatment Center Faces Cyber Extortion

2,500 records of Personal Health Information (PHI) are hacked. This was the only loss it faced in 2021. The treatment center has a cyber risk policy insured by Lloyd’s of London. It offers protection with a $1,000,000 aggregate limit and a $10,000 deductible.

Third Party Costs

  • Risk Financing Premiums, Taxes, Fees = $7,500

Losses (Paid by Lloyd’s of London) [6] 

  • 1st party crisis services median loss = $564,930
  • 1st party legal costs = $48,185
  • 1st party regulatory costs = $13,292
  • 3rd party costs = $74,770
  • 1st party business interruption = $126,279 (Lloyd’s of London will have a specific policy language regarding business interruption indemnity)

Direct Costs: Deductibles, Retention, Uninsured Losses

  • $10,000 deductible

Indirect Loss Cost Factor:

  • Indirect Loss Cost factor for cyber risk in this industry = 1.00
    • The indirect loss cost factor measures wasted time, energy, and resources spent on the claim process and recovery from the loss. Indirect losses erode EBITDA margins, which is why your risk manager should provide a strategy for how to measure, and ultimately recapture them.
  • Initial loss = $827,456

Theoretically, a factor of 1.00 would mean the indirect losses would total an additional $827,456, equating to a total impact of $1,654,912.

However, because this is a single large ‘shock’ loss, we would cap the indirect losses at perhaps $200,000. That way, the friction is conservatively limited to $200,000. Most experts agree that there is an amount involved with handling the claim and the frictional costs, but there is usually a cap.

In conclusion, the addiction treatment center has an $827,456 loss — $817,456 that is covered by Lloyd’s of London, and a $10,000 self-insured deductible.

Additionally, it faces $200,000 in indirect losses that are eroding its bottom-line profitability. This is unaccounted for on an income statement, unless it is measured and quantified by your risk manager. Although it is uncommon, Conrey has this capability – email me at to have this calculated for your business.

Total loss with indirect loss cost factor = $1,027,456 (only $817,456 is covered by Lloyd’s of London)

Total Cost of Cyber Risk for the Addiction Treatment Center in 2021:

  • $217,500: 2021’s total cost of cyber risk for this addiction treatment center. Keep in mind, this number only accounts for cyber risk, but it still serves as a useful demonstration for calculating TCOR.
    • Risk Financing Premium = $7,500
    • Deductible = $10,000
    • Indirect Losses = ~ $200,000

Note: Separate from TCOR, is Existential Cost of Risk (XCOR) — existential cost of risk is the “premium” that would be charged by an insurer if a company insured all of its risk exposures. This can be considered the cost a company incurs to finance the risk of its continued existence. Not all business risks can be reasonably called “insurable,” but XCOR provides a proxy for such a cost. [7]




Cost of risk. Cost of Risk | Insurance Glossary Definition | (n.d.). Retrieved February 28, 2022, from

[3] — [4]

Data-driven client outcomes for the insurance industry. TCORCalc. (2019, July 28). Retrieved February 28, 2022, from


Zank, A. (2022, February 11). Officials saw more ‘professional’ cybercriminals, more infrastructure attacks in 2021. Advisen – Risk Manager FPN. Retrieved February 28, 2022, from


Cyber overvue. (n.d.). Retrieved February 28, 2022, from

Existential cost of risk xcor. Existential Cost of Risk (XCOR) | Insurance Glossary Definition | (n.d.). Retrieved February 28, 2022, from