Risk retention explained: types, examples and when to self-insure

Most organizations retain more risk than they realize. This guide covers how to identify when retention is the right call and how to stay on top of risks you’ve chosen to keep.


Published 3 Jul 2026


What is risk retention?

Risk retention is a deliberate decision made when an organization has looked at a specific risk, weighed the cost of insuring it, and concluded that absorbing any losses internally is the better financial call. It’s also sometimes called self-insurance when a business formally sets aside funds to cover expected losses rather than paying premiums to an outside carrier.

The decision to retain isn’t right for every risk — only for ones where the math and the controls make it practical.

Types of risk retention

Risk retention falls into two categories: planned and unplanned. Both result in the organization absorbing a loss — but only one is a strategy.

Planned risk retention is a conscious choice. After comparing insurance premiums against the expected cost of claims, the organization decides to self-fund a specific risk category. A construction company might accept minor tool damage below its standard deductible rather than extend its coverage. A retailer might retain the risk of low-value stock shrinkage that would never trigger an insurance payout anyway. These decisions sit within the broader discipline of risk analysis — specifically the treatment step where organizations decide how to respond to each identified risk.

Unplanned risk retention happens by default. A risk gets overlooked, a policy lapses, or an incident occurs before new coverage renews. The financial exposure is identical to planned retention, but there’s no reserve and no plan to absorb it. Eliminating unplanned retention entirely is the baseline goal of any sound risk management program.


Common methods for retaining risk

When an organization retains a risk deliberately, it uses one of several mechanisms:

  • Deductibles — The portion of any claim the organization pays before insurance coverage applies. This is the most common form of risk retention and appears in nearly every commercial policy.

  • Self-insurance funds — Dedicated reserves set aside to cover expected losses for a specific risk category. Used most often for workers’ compensation, property damage, or professional liability.

  • Captive insurance — An internal subsidiary created to insure the parent organization’s own risks. More common in large enterprises managing diverse risk portfolios.

  • Bare retention — Choosing not to insure a specific low-severity risk at all, relying on operational cash flow or a general contingency reserve if a loss occurs.

When to choose risk retention over insurance

Four conditions tend to make retention the better financial decision:

1. Premiums cost more than expected annual losses. For routine, predictable operational risks, cumulative premium payments often exceed total claim payouts over a three-to-five-year window. Self-funding those risks makes sense when the data supports it.

2. The risk sits below your deductible threshold. If a category of losses rarely exceeds what the organization already absorbs through its standard deductible, buying separate coverage for it adds cost without adding protection.

3. You have strong controls in place. Organizations that invest in inspections, safety programs, and corrective action processes can keep certain risk categories low enough that retention is the more economical option. RIMS, the professional body for risk and insurance managers, notes that retention encourages organizations to prioritize loss prevention, which lowers the total cost of risk over time.

4. No insurance product is available. Some operational exposures — particularly novel technology risks or highly specific liability scenarios — have no viable insurance market.

The non-negotiable guardrail is financial capacity. If the organization couldn’t absorb a materially worse-than-average year, transfer is the right call.

How to manage risk you’ve decided to retain

Deciding to retain a risk is the easy part. The harder work is making sure the business can actually absorb it — through proper reserve sizing, active monitoring, and a willingness to revisit the decision when conditions change.

Setting up financial reserves

A self-insurance reserve is only useful if it’s correctly sized. Start with historical loss data for the specific risk category — what has this exposure actually cost the organization over the past three to five years? Add a buffer for worse-than-average years and document the methodology clearly.

That documentation matters beyond internal governance. The ISO 31000 risk management framework requires that treatment decisions — including the decision to retain — be recorded as part of the organization’s formal risk management plan. Reserves should sit in a segregated account and be reviewed annually, with the calculation redone — not just topped up — after any significant loss event draws down the fund.

Monitoring retained risks and reviewing the decision

Retention is not a one-time call. Operations change, workforces change, and a risk profile that justified retention two years ago may look different today. Here are some best practices:

  • Logging every incident that touches the retained risk category, including near-misses that didn’t result in a claim

  • Running scheduled inspections to confirm that the controls keeping the risk low are still working

  • Assigning and closing corrective actions when inspections surface gaps

  • Reviewing the retention vs. transfer decision at least annually, or immediately after a significant loss event

BOS Solutions, a Canadian oil and gas services company, found that digitizing its QHSE inspections and closing corrective action loops gave risk managers data that had previously been trapped in paper files. That improved visibility reduced the company’s workers’ compensation premium by $80,000 in a single year — a direct financial benefit from the same controls that underpin a strong retention program.

Documenting these decisions in a risk register also serves a practical purpose: it gives auditors and insurers a clear record of what’s being managed and how, so a deliberate retention decision never looks like an unmanaged gap.

Why use SafetyCulture?

SafetyCulture is a workplace operations platform adopted across industries such as manufacturing, mining, construction, retail, and hospitality. It’s designed to equip leaders and working teams with the knowledge and tools to do their best work—to the safest and highest standard.

Promote a culture of accountability and transparency within your organization where every member takes ownership of their actions. Align governance practices, enhance risk management protocols, and ensure compliance with legal requirements and internal policies by streamlining and standardizing workflows through a unified platform.

✓ Save time and reduce costs
✓ Stay on top of risks and incidents
✓ Boost productivity and efficiency
✓ Enhance communication and collaboration
✓ Discover improvement opportunities
✓ Make data-driven business decisions


Article by

Gabrielle Cayabyab

SafetyCulture Content Specialist, SafetyCulture
