How to Calculate the Total Cost of Risk for Your Business: A Step-by-Step Guide

Total cost of risk (TCOR) is the complete measure of your business risk costs: insurance premiums, retained losses absorbed out of pocket, risk management and administrative costs, and indirect costs such as lost productivity and reputational damage. 

Most businesses track their insurance spend. Far fewer track all four components together. Understanding the full calculation changes how you allocate resources and evaluate your risk program.

What Is the Total Cost of Risk (TCOR)?

Total cost of risk (TCOR) is the only accepted measurement of an organization's total business risk costs. Unlike insurance spend, which reflects only the premiums you pay to transfer risk, TCOR accounts for every dollar your business expends or absorbs because of potential and actual loss events.

Risk managers, CFOs, and procurement leaders use TCOR as a single financial metric to evaluate risk programs, benchmark performance year over year, and justify investment in risk controls. 

What Counts as a Direct Business Risk Cost?

Direct business risk costs are the expenses your organization can trace to a specific loss event or the cost of protection against one. These include:

• Insurance premiums: The annual cost of transferring risk to an insurer across all covered lines, including general liability, commercial property, and workers' compensation.
  
• Deductibles: The out-of-pocket amount your business absorbs each time a covered claim occurs before the insurer pays.
  
• Retained losses: Losses your business pays in full because they fall below the deductible, exceed coverage limits, or are excluded from the policy entirely.
  

Direct costs are the starting point for any TCOR calculation. They are also the most straightforward to quantify because they appear as line items in insurance invoices and claims records.

Why Are Indirect Business Risk Costs the Hardest to Measure?

Indirect business risk costs are difficult to measure because they don't appear as discrete line items in financial records. They manifest as downstream consequences of a loss event: reduced output from injured or disrupted workers, time spent on claims administration, damage to your company's standing with clients, and increased employee turnover following a serious incident.

Despite being harder to quantify, indirect costs regularly exceed direct costs in total magnitude. A workplace injury generates direct costs in medical and legal expenses. The indirect costs, including productivity loss, overtime paid to cover the absence, and supervisory time spent on investigation, often run three to five times the direct cost of the claim. 

Any calculation that omits indirect costs systematically understates your actual business risk exposure.

What Is the Formula for Calculating Business Risk Costs?

The formula for calculating business risk costs is:

Risk Financing Costs + Retained Losses (Direct + Indirect) + Administrative Costs + Taxes and Fees = TCOR

Each component represents a distinct category of business risk cost:

• Risk financing costs: Premiums paid to transfer risk to an insurer, plus the cost of any alternative structures such as a captive insurance program or large-deductible arrangement.
  
• Retained losses (direct): Claims paid out of pocket, including deductibles and uninsured losses.
  
• Retained losses (indirect): Estimated costs of productivity loss, reputational damage, and operational disruption tied to loss events.
  
• Administrative costs: Internal expenses for running the risk management function: staff time, risk management information systems (RMIS), training, and outside consulting fees.‍
• Taxes and fees: Surplus lines taxes, state assessments, and brokerage fees that add to the total cost of your risk financing program.

How Do You Calculate Your Total Business Risk Costs? (Step by Step)

Calculating your total business risk costs requires gathering data from multiple departments: finance, operations, HR, and risk management. Work through the steps below in sequence to produce a complete and defensible figure.

Step 1: Add Up Insurance Premiums, Deductibles, and Retained Losses

Pull your insurance invoices for all active policies and total the annual premiums. Then retrieve your claims records for the same period and add:

• All deductibles paid per claim
• Losses paid in full because they were excluded from coverage or fell below the deductible threshold
• Any uninsured claims settled outside of insurance
  

The resulting number is your direct retained loss figure. Most risk managers hold this data in a claims management system or RMIS. If your organization tracks claims in a spreadsheet, consolidate all closed and open claims for the measurement period before moving forward.

Step 2: Total Your Risk Management and Administrative Costs

Risk management administrative costs include every internal expense associated with running your risk program. Common line items include:

• Salaries and benefits for dedicated risk management staff
• Risk management software and RMIS licensing fees
• Employee safety training programs
• Outside consulting fees, broker fees, and risk-related legal expenses
• Costs of risk assessments, audits, and compliance reviews
  

Tracking these costs as a TCOR component lets you evaluate whether prevention spending is reducing retained losses at a proportional or greater rate. Organizations that invest in risk management can save as much as 20% on potential claims due to the prevention of risks before they manifest.

Step 3: Estimate Indirect Costs Using a Loss Multiplier

To estimate indirect business risk costs, apply a loss multiplier to your direct retained losses from Step 1. The most widely used method applies a factor of three to five times the direct cost, depending on the nature and severity of the events in your claims history.

For example: if your direct retained losses for the year total $85,000, your indirect cost estimate would range from $255,000 to $425,000. A factor of four is a common middle estimate for businesses with a mix of property, liability, and workers compensation claims.

Calibrate the multiplier based on your industry and event type. Industries with high labor content, such as construction and logistics, typically carry higher indirect cost ratios because workforce disruptions compound quickly. Industries with primarily property-based claims may see lower ratios.

This step is where most TCOR calculations fall short. Skipping indirect costs understates your total business risk costs by a wide margin and distorts the return on any risk management investment.

Step 4: Add Taxes, Fees, and Risk Financing Costs

Beyond premiums, the cost of risk financing includes taxes, fees, and the cost of any alternative risk structures your business uses. Add:

• Surplus lines taxes applicable to specialty or non-admitted coverage
• State and local insurance assessments
• Brokerage and placement fees not included in the premium line
• Capital costs or administrative expenses associated with a captive insurance program, if applicable
  

Understanding the full cost of your current risk financing structure is the prerequisite for evaluating whether a different structure would produce a better outcome.

Step 5: Normalize Against Revenue to Enable Benchmarking

Divide your total TCOR by your gross revenue divided by 1,000 to produce your TCOR per $1,000 of revenue.

TCOR / (Gross Revenue / 1,000) = TCOR per $1,000 of Revenue

This normalization step allows you to compare risk costs year over year and benchmark against peers in your industry. A raw TCOR figure changes when your business grows or contracts. TCOR per $1,000 of revenue stays comparable across time periods and organizations of different sizes, making it the standard metric for evaluating risk program improvement.

What Does a Business Risk Cost Calculation Look Like in Practice?

The table below shows a TCOR calculation for a mid-sized construction contractor with $12 million in annual revenue.

In this example, insurance premiums represent 46% of total business risk costs. Indirect costs, estimated using a 4x multiplier, represent 37%. A risk manager who focuses on premium reduction alone would be addressing less than half of the actual cost picture.

Tracking TCOR per $1,000 of revenue over multiple years shows whether your risk program is improving. A declining figure year over year indicates that risk costs are growing more slowly than revenue, or that loss frequency and severity are decreasing.

How Do Vendor Compliance Gaps Add to Your Business Risk Costs?

Vendor and contractor compliance gaps add to your business risk costs by converting a transferred risk into an uninsured retained loss. When a vendor or contractor operates with an expired, insufficient, or unverified certificate of insurance (COI), any loss arising from their work may fall back on your organization. If the vendor's coverage doesn't respond to the claim, your business absorbs the loss out of pocket. That absorbed amount feeds directly into your retained losses figure and raises your TCOR.

To identify your current exposure, audit your vendor roster for:

1. Vendors with COIs that have expired or are within 30 days of expiration
2. Contractors carrying coverage limits below your contractual minimums
3. Vendors listed in your system without a verified COI on file
   

Each category represents an open retained loss liability. The financial impact of a single uninsured vendor event can equal or exceed years of premium savings from lower-cost risk financing. For a full breakdown of how hidden costs beyond insurance premiums accumulate in vendor relationships, TrustLayer's guide covers the full scope.

Automating COI collection and real-time monitoring through certificate of insurance tracking software closes this gap by verifying vendor coverage before work begins and flagging any lapses immediately.

How Often Should You Recalculate Your Business Risk Costs?

Recalculate your total business risk costs at minimum once per year, aligned with your insurance renewal cycle. Outside that annual cadence, recalculate when:

• A major loss event changes your retained loss total for the period
• Your risk financing program changes, such as moving to a new insurer, adjusting deductible levels, or entering a captive structure
• A new vendor class or project type is added that carries a different risk profile
• Your organization grows through acquisition, opens new locations, or adds new service lines
  

Each of these events shifts at least one component of your TCOR formula. Recalculating after each event keeps your risk cost baseline current and improves the accuracy of year-end reporting and board-level financial presentations.

What Gets the TCOR Calculation Wrong?

Treating Insurance Premiums as the Full Cost of Risk

Insurance premiums are one component of total business risk costs, not a proxy for the full number. For most businesses with an active risk program, premiums represent 40 to 60% of actual TCOR. 

Retained losses, administrative costs, and indirect costs make up the remainder, and they can match or exceed the premium total depending on loss frequency and the maturity of the risk management function.

Budgeting risk spend based on premiums alone creates a blind spot in the categories that are often the most controllable.

Using Unverified Benchmarks Instead of Your Own Data

Industry TCOR benchmarks are reference points, not substitutes for your own calculation. Benchmarks reflect averages across many organizations with different risk profiles, financing structures, and loss histories. A TCOR per $1,000 of revenue figure from an industry report tells you where comparable organizations land; it cannot tell you where your retained losses are concentrated or which administrative costs you can reduce.

Your TCOR baseline, calculated from your own premiums, claims records, and administrative costs, is the only figure that accurately reflects your organization's risk exposure. Use benchmarks to contextualize your result after you've calculated it.

For more on how to use your TCOR baseline to drive measurable program improvements, see the guide on how to cut your TCOR.

Calculating your total cost of risk is the foundation of a sound risk management strategy. With a complete TCOR figure in hand, your team can make informed decisions about where to invest in prevention, how to structure risk financing, and whether vendor compliance gaps are creating exposure that premiums won't cover.

TrustLayer's certificate of insurance tracking platform automates COI collection, verification, and real-time monitoring across your vendor portfolio, directly addressing the retained loss exposure that manual processes leave open. Set up a time to talk with our team and see how TrustLayer can help you manage every component of your business risk costs.