Why do we need risk management? Health? Safety? Welfare? Continuity of business, operations, or government?  When should we reexamine risk information? Annually, quarterly, or daily? With the Introduction of new products, policies/regulations, training, or personnel?      

Risk management is accomplished by “Understanding the Situation.” Risk management is a process by which context is defined, risks are identified and assessed and courses of action for managing those risks are analyzed, decided upon, and implemented, monitored and evaluated. As part of the process, risk managers and disaster/emergency managers must use planning as a tool to systematically manage, reduce or eliminate future risks. Recently, we have seen large-scale emergencies involving a variety of hazards:

Ice and snow in southern cities

Crude oil train derailments

Chemical contamination of drinking water

Cruise line power loss and illness


Stolen personal credit information

Effective risk management depends on a consistent comparison of the threat/hazards faced by a particular department, facility, industry, or jurisdiction. This is typically performed through a threat/hazard identification and risk assessment process that collects information and assigns values to risk for the purposes of determining priorities, capabilities, developing or comparing courses of action and informing decision making. Depending on the resources available and leadership a department, facility, industry, or jurisdiction could conduct an in-depth process — cataloging everything from specific asset vulnerabilities to emergency personnel staffing levels. Often, however, this level of analysis is not possible or practical; in such cases, entities should conduct a risk assessment of achievable and appropriate scale and scope.

Risk assessment answers the fundamental question that fuels the threat/hazard mitigation planning process: "What would happen if a natural, manmade or technological incident occurred in close proximity to your facility, residential neighborhood or within your jurisdiction?" Risk assessment should measure the potential loss of life, personal injury, economic injury, environmental and property damage resulting from an incident by assessing the vulnerability of people, buildings, environment and infrastructure.

Risk assessment provides the foundation for the rest of the mitigation planning process. The risk assessment process focuses your attention on areas most in need by evaluating which populations and facilities are most vulnerable and to what extent injuries and damages may occur. It tells you:

The threat/hazard to which your facility, neighborhood or jurisdiction is susceptible;

What this threat/hazard can do to physical, social, environmental and economic assets;

Which areas are most vulnerable to damage from this threat/hazard; and

The resulting cost of damages or costs avoided through future mitigation projects.

In addition to benefiting mitigation planning, risk assessment information also allows risk managers and disaster/emergency managers to establish early response priorities, capabilities and identifying vulnerable assets.

When organizing threat/hazard information, risk managers should consider a usable format. One effective method for organizing threat/hazard information is to use a matrix based on dimensions used during the risk analysis process:

Probability or frequency of occurrence

Magnitude (the physical force associated with the hazard or threat)

Intensity/severity (the impact or damage expected)

Time available to warn

Location of the incident (an area of interest or a specific or indeterminate site or facility)

Potential size of the affected area

Speed of onset (how fast the threat/hazard can impact the public)

Duration (how long the threat/hazard will be active)

Cascading effects.

 Depending on the kinds of decisions and analyses the information is meant to support, risk managers and disaster/emergency managers might use other categories for data organization. For example, the decision that one hazard poses a greater threat than another may require only a qualitative estimate (e.g., high versus medium), whereas planning how to deal with health and medical needs caused by a particular hazard may require estimates of likely fatalities and injuries.

The assessment of risk helps a manager decide what threats or hazards merit special attention, what actions must be planned for and what capabilities or resources are likely to be needed. The analysis method inventories, evaluates and provides loss estimates for assets deemed critical during the response and recovery phases of an incident.

Risk managers and disaster/emergency managers need to review the assessment findings and analyze the quantity and types of capabilities or resources (including personnel) needed during different types of incidents. For example, a jurisdiction with a large number of limited English proficiency residents might need to identify methods by which language assistance will be provided (e.g., bilingual personnel, interpreters, translated documents) to support operations, such as evacuation, sheltering, and recovery.

 Threat and hazard analysis requires that the risk managers and disaster/emergency managers knows risks that have occurred or could occur in the jurisdiction. Risk managers and disaster/emergency managers must keep in mind that the threat or hazard lists that they develop pose two problems. The first is exclusion or omission. There is always a potential for new and unexpected risks (part of the reason why maintaining an all-threats, all-hazards capability is important). The second is that such lists involve groupings, which can affect subsequent analysis. A list may give the impression that threat or hazards are independent of one another, when in fact they are often related (e.g., a gas leak may cause an evacuation, a flood might include dam failure, cloudbursts, or heavy rain upstream, loss of a backup power generator may cause a wide-area outage).

 Using a risk analysis, risk managers and disaster/emergency managers must compare and prioritize risks to determine which threats/hazards merit special attention in planning (and other emergency and homeland security management efforts). Managers must consider the frequency of the threat or hazard and the likelihood or severity potential of its consequences in order to develop a single indicator of the risk to the department, facility, industry or jurisdiction. This effort allows for comparisons and the setting of priorities. While a mathematical approach is possible, it may be easier to manipulate qualitative ratings (e.g., high, medium, low) or index numbers (e.g., reducing quantitative information to a 1-to-3, 1-to-5, or 1-to-10 scale based on defined thresholds) for different categories of information used in the ranking scheme. Some approaches involve the consideration of only two categories—frequency and consequences—and treat them as equally important. In other approach potential consequences receive more weight than frequency. While it is important to have a sense of the magnitude involved (whether in regard to the single indicator used to rank hazards or to estimate the numbers of people affected), these indicators are static. Some hazards or threats may pose a risk to the community that is so limited that additional analysis is not necessary. Others might be dynamic, such as HAZMAT toxicity and transportation routes.

The analysis process produces facts and assumptions, which can be distinguished as follows:

Facts are verified pieces of information, such as laws, regulations, terrain maps, population statistics, resource inventories and prior occurrences.

Assumptions consist of information accepted by planners as being true in the absence of facts in order to provide a framework or establish expected conditions of an operational environment so that planning can proceed. Assumptions are used as facts only if they are considered valid (or likely to be true) and are necessary for solving the problem.

Incident managers replace assumptions with facts when they implement a plan. For example, when developing a flood annex, risk managers and disaster/emergency managers may assume the location of the water overflow, size of the flood hazard area and speed of the rise in water. When the plan is put into effect as the incident unfolds, operations personnel replace assumptions with the facts of the situation and modify the plan accordingly. Risk managers and disaster/emergency managers should use assumptions sparingly and put great effort into performing research and acquiring facts, including the use of historical precedent.

Risk management considers all threats and hazards. While the causes of emergencies can vary greatly, many of the effects do not. Risk managers and disaster/emergency managers can address common operational functions in their basic plans instead of having unique plans for every type of hazard or threat. For example, floods, wildfires, HAZMAT releases, and radiological dispersal devices may lead a department, facility, industry or jurisdiction to issue an evacuation order and open shelters. Even though each hazard’s characteristics (e.g., speed of onset, size of the affected area) are different, the general tasks for conducting an evacuation and shelter operations are the same. Assessment of risk for all threats and hazards ensures that, when addressing emergency functions, risk managers and disaster/emergency managers identify common tasks and those responsible for accomplishing the tasks.

By following a set of logical risk assessment steps, risk managers and disaster/emergency mangers can work through complex situations. Risk management helps a department, facility, industry, or jurisdiction to identify the capabilities or resources at its disposal to perform critical tasks and achieve desired outcomes/target levels of performance. Rather than concentrating on every detail of how to achieve the objective, an effective risk management process structures thinking and supports insight, creativity and initiative in the face of an uncertain and fluid environment. While using a prescribed planning process cannot guarantee success, inadequate risk management and insufficient planning are proven contributors to failure.