An Introduction to Risk Management

Every organization small or large, is susceptible to risk in many different areas: operational, market, legal, environmental, reputational, brand, liability, financial, and property losses. Any of these can impact (positively or negatively) every municipality. Most local government organizations are, of course, concerned primarily with the type of risk that may affect them in a negative way.

This blog will examine the basic elements of local government risk management, including the benefits of risk management, risk assessment, prioritization, and the adoption of risk management response strategies.

What is Risk Management?

“Risk management” helps an organization to identify, evaluate, analyze, monitor, and mitigate the risks that threaten the achievement of the organization’s strategic objectives in a disciplined and systematic way (note the words “disciplined” and “systematic”).

Risk management is intentionally proactive, not reactive. It can be as simple as one crew member mentioning that a coworker needs to wear her safety glasses, or it may involve something as complex as a full asset allocation modeling of all of your organization’s capital assets. Risk management practices can even be applied to events as broad and far-reaching as the loss of a major employer in the community.

Different situations and events can simultaneously result in both good and bad consequences. Each consequence may require a different risk management strategy. As an example, let’s say that a new 300-home subdivision is planned for your community. On the positive side, an event like this will likely be welcomed as it will mean more tax revenues, increased population to support local business, and vitality for the community. On the negative side, however, it may also result in increased traffic and added demands on law enforcement and fire services, and it may upset neighbors who are averse to change. Each issue will require a separate risk management strategy.

The Benefits of Risk Management

There are four major benefits of adopting a risk management system for your municipality.

First, risk management enhances management, both in day-to-day and long-term situations. Knowing what might go wrong and how to deal with a situation lets you control the outcome.

Second, risk management systems streamline day-to-day operations. Employees who know the proper procedures and policies are better able to do their jobs safely.

Third, risk management improves financial management. Losses, lawsuits, and injuries all cost money and risk management helps your agency avoid these costs.

Finally, risk management helps provide consistent and enhanced services. Every time a loss occurs or property is damaged, reports need to be written, depositions taken, and so on, activities that take time away from an employee’s ability to provide services to the public.

How Do You Manage Risk?

If your agency has a designated “risk manager” that person can be a valuable resource. Most organizations, however, do not have a full or even part-time risk manager, and thus, it falls to everyone in the organization, in one way or another, to become a risk manager. In any event, the actual implementation of your organization’s risk management strategies is the responsibility of all of your department directors, employees, volunteers, and elected officials.

When assessing risks, try to stay focused on risks over which your organization has some degree of control. For example, lightning striking and hurting someone  at a public park is possible but what control do you have over this event? You have no control over lightning strikes but you can control the likelihood of an injury by posting signs informing individuals to go inside if they hear thunder.

Don’t confuse an inability to control the risk with an unwillingness to address it.

What Is a Risk Assessment?

There are five steps in a risk assessment.

1. Identify Risks – If you can think of it, you can prevent it.
2. Prioritize Risks
3. Analyze Risk Response Strategies
4. Plan Risk Response
5. Monitor and Control Risks

Risk assessment is a subjective exercise. It’s common for two different groups to evaluate a risk and end up with a different assessment. The power of the risk assessment does not come from creating the “right” assessment or operating under the belief that all risks will be eliminated; The true value comes from gathering together those individuals involved with the program or activity, having group discussions about risk, and determining what can be done to address risks. Ultimately, it’s not about your municipality having “no risks,” it’s about managing the risks.

Probability and Severity Matrix

When prioritizing risks, developing policies, or beginning a new task, one helpful tool is a probability and severity matrix. The matrix helps determine if the risk of a particular event is acceptable or if changes need to be made. This tool helps your agency to focus on the likelihood of a particular event happening, and if it does, what the consequences might be if no action is taken.

There are several models available, but as the Gantt's Risk Assesment Matrix below demonstrates, the focus of the tool is to measure the probability (i.e., frequency/likelihood) and severity of the possible risk to determine where that risk sits on the model and how it should be prioritized as a result. 

Image: Gantt Risk Assessment Matrix

If an agency does nothing to prevent a risk and a negative event still does not occur, that’s simply luck. If the probability of an auto accident happening when a police officer is in pursuit of a suspected criminal is 25%, this means that 75% of the time the officer won’t be involved in an accident. If there is no accident, this doesn’t mean vehicle pursuits are less risky: You’ve just been lucky!

Risk Management Response Strategies

There are three strategies that you can employ to manage risks: risk reduction, risk prevention/control, and risk avoidance. Your risk assessment matrix will help guide your decisions as to which strategy is the most appropriate. I will discuss these risk management strategies in a future blog.