Incident Management and Emergency Management

Risk Management Insights for Emergency Managers

By Johannes Swanepoel

What is Risk Assessment and Emergency Management?


According to the international standards organization ANSI/ASSE/ISO Guide 73: Vocabulary for Risk Management, risk is defined as “effect of uncertainty on objectives” (2011, p. 8) and risk assessment is “overall process of risk identification, risk analysis and risk evaluation” (2011, p. 9).

The NFPA® 1600 defines risk assessment as “the process of hazard identification and the analysis of probabilities, vulnerabilities, and impacts” (2013, p. 7). I understand risk assessment to be the continuous and iterative process of understanding the level of risk by identifying sources of risk, hazards, analysis of event causes, likelihood, and the impacts that a risk may have on the ability of an entity to achieve its objectives.

An entity can be a community like the international community, a nation like the United States of America, a system like the National Preparedness System, or a for-profit or not-for-profit organization; even an individual can apply risk assessment to their own personal goals. It applies universally to all entities that are directed by goals and objectives, whatever they may be, even terrorist groups.

Risk assessments are by their nature designed to shape risk treatment and to understand the changing risk profile of an entity by estimating the future probability and consequence of risks. According to the NFPA® 1600 and in the context of crisis and emergency management, these hazards are either affected or induced by adversaries, occur naturally in the environment due to fluctuations in climate, or arise from technology (2013, p. 7). These may all be completely accidental or brought on intentionally.

How Does Risk Assessment Apply to Emergency Programs?


A common myth about risk management and risk assessment is that it is a static process, periodically applied, and conducted by risk managers. The contrary is true: risk management philosophy holds that decisions are made by individuals within entities, not by legal entities themselves, and that these decisions must be supported by reproducible logic and rationale, not intuition and gut feelings. Every decision that is taken must have an audit trail that includes consideration of alternative options as a result of the risk assessments, available resources, and other constraints. All influences and external factors, including culture, society, laws, and regulations, should be considered during the risk assessment so that compliance is maintained at all times.

Implementing Risk Assessment in Emergency Management


The National Incident Management System (NIMS) is a core function of the National Preparedness Plan and is designed to prepare the nation for incidents that may impact safety and security. NIMS is applied to incidents that arise from any hazard or threat. Although incident management forms only a portion of the wider emergency management program, it is the most visible, since its activities are usually covered extensively by the media during a crisis.

An integrated approach is essential


This means that the risk assessment process is inclusive and transparent, and that all partners of the emergency program, the public, and those who are responsible for implementing the security measures participate to some degree. Information is shared selectively based on roles and responsibilities, and sensitive information is never distributed. It is important for those who are responsible for implementing security measures to understand the basis and rationale of decisions that are taken; otherwise, new risk could be introduced due to assumptions as discussed previously.

Overcome the Common Pitfalls in Risk Assessment


A disorganized command structure may lead to units that self-dispatch to an incident or task, and do not have accountability to a supervisor. It is important that there is an established process for communications within the delegation of authority system, as well as free sharing of information between units.

About Johannes Swanepoel

These articles are the independent opinions of Johannes Swanepoel and do not necessarily reflect the opinions of Standard Model Partners. Johannes is a GRC technology specialist with over 15 years in a GRC product and advisory services capacity. Johannes has implemented over 30 GRC software and consulting projects worldwide. Johannes has led GRC vendors to leading positions in GRC analyst reports and has been a certified trainer of the ISO 31000 Foundations course leading to individual certification in ISO 31000, the international risk management standard, since December 2012. Johannes holds certifications in risk-based decision making and sustainability, as well as the GRC (governance, risk and compliance) professional certification (GRCP) and software engineering certifications. Johannes holds a Bachelor in Risk Management from DePaul University and The University of South Africa, and is a Master of Science in Threat and Response Management candidate at the University of Chicago.