Risk Assessment and Emergency Management

Risk Management Insights for Emergency Managers

By Johannes Swanepoel

What is Risk Assessment and Emergency Management?


According to the international standards organization ANSI/ASSE/ISO Guide 73: Vocabulary for Risk Management, risk is defined as “effect of uncertainty on objectives” (2011, p. 8) and risk assessment is “overall process of risk identification, risk analysis and risk evaluation” (2011, p. 9).

The NFPA® 1600 defines risk assessment as “the process of hazard identification and the analysis of probabilities, vulnerabilities, and impacts” (2013, p. 7). I understand risk assessment to be the continuous and iterative process of understanding the level of risk by identifying sources of risk, hazards, analysis of event causes, likelihood, and the impacts that a risk may have on the ability of an entity to achieve its objectives.

An entity can be a community like the international community, a nation like the United States of America, a system like the National Preparedness System, or a for-profit or not-for-profit organization; even an individual can apply risk assessment to their own personal goals. It applies universally to all entities that are directed by goals and objectives, whatever they may be, even terrorist groups.

Risk assessments are, by their nature, designed to shape risk treatment and to understand the changing risk profile of an entity by estimating the future probability and consequence of risks. According to the NFPA® 1600 and in the context of crisis and emergency management, these hazards are either affected or induced by adversaries, occur naturally in the environment due to fluctuations in climate, or are caused by technology (2013, p. 7). These may all be completely accidental or brought on intentionally.

How Does Risk Assessment Apply to Emergency Programs?


A common myth about risk management and risk assessment is that it is a static process, periodically applied, and conducted by risk managers. The contrary is true: risk management philosophy holds that decisions are made by individuals within entities, not by legal entities themselves, and that these decisions must be supported by reproducible logic and rationale, not intuition and gut feelings. Every decision that is taken must have an audit trail that includes consideration of alternative options as a result of the risk assessments, available resources, and other constraints. All influences and external factors, including culture, society, laws, and regulations, should be considered during the risk assessment so that compliance is maintained at all times.

Implementing Risk Assessment in Emergency Management


It is recommended by ISO 31000 that a risk management framework is designed to be fully embedded within the existing emergency management governance framework so that it does not become an additional workload for managers. The framework serves the Plan-Do-Check-Act model to review and maintain integrity of the risk management program and functions to deploy resources, and to drive risk management processes into all emergency management components.

An integrated approach is essential


This means that the risk assessment process is inclusive and transparent, and all partners of the emergency program, the public, and those that are responsible for implementing the security measures participate to some degree. Information is shared selectively based on roles and responsibilities, and sensitive information is never distributed. It is important for those who are responsible for implementing security measures to understand the basis and rationale of decisions that are taken; otherwise, new risk could be introduced due to assumptions, as discussed previously.

Overcome the Common Pitfalls in Risk Assessment


Assumptions in data are often a barrier to effective and reliable risk assessment. A simple, undocumented, changing or unforeseen assumption and related circumstances can lead to a major crisis when incorrect information is used for decision making during an emergency. All risk assessment activities must always be documented properly, including assumptions, restrictions, constraints and limitations. Assuming that one risk assessment technique will equal another, or that one data source is sufficient input for two different risk assessment techniques, may be a severe oversight. Risk assessments must always be supported by multiple risk studies using a combination of qualitative, quantitative and/or semi-quantitative criteria and/or techniques.

About Johannes Swanepoel

These articles are the independent opinions of Johannes Swanepoel and do not necessarily reflect the opinions of Standard Model Partners. Johannes is a GRC technology specialist with over 15 years in a GRC product and advisory services capacity. Johannes has implemented over 30 GRC software and consulting projects worldwide. Johannes has led GRC vendors to leading positions in GRC analyst reports and has been a certified trainer of the ISO 31000 Foundations course leading to individual certification in ISO 31000, the international risk management standard, since December 2012. Johannes holds certifications in risk-based decision making and sustainability, as well as the GRC (governance, risk and compliance) professional certification (GRCP) and software engineering certifications. Johannes holds a Bachelor in Risk Management from DePaul University and The University of South Africa, and is a Master of Science in Threat and Response Management candidate at the University of Chicago.