Chapter 11. Risk Management and Legal Liability
11.2 Risk Management Process
There are a variety of risk management models that have been utilized and promoted. Each is generally a variation on the same theme, with each having a slightly different approach to the analysis. You’ll find that large operations, government agencies, military, search and rescue all have their own proprietorial processes. Outlined below is the model from Destination Canada for small and medium enterprises. It has four stages: risk identification, risk analysis, risk control, and risk treatment (DC, 2003a).
Risk Identification
The initial stage of the risk management process is systematically identifying risks facing the organization. This step is often referred to as risk assessment. An organization can identify risks in the following ways (CTC, 2003a, p. 6):
- On-site inspections and discussions with management and staff
- Review of products, services, processes, and contracts
- Review of historical activities and losses
- Identification of possible risk scenarios
Once an exhaustive list of the risks is compiled, the next step is to ensure a thorough analysis occurs.
Risk Analysis
A typical risk analysis compares the probability (frequency) of any risks occurring by the consequence (severity) if they do occur. This can be done either in a qualitative or quantitative manner, with either numerical values or descriptors applied. For example, an analysis of the risk of the catastrophic failure of a ski lift at a resort resulting in passengers falling to the ground would likely indicate that the probability of this incident occurring is low due to historical records of use, and required maintenance for safety. However, the consequence would likely be high, considering there could be a large number of passengers involved in a significant fall, resulting in multiple casualties.
Operators need to respond (through risk control, see section below) if the analysis determines any of the following: 1) the probability of the risk occurring is unacceptable; 2) the consequence of the risk occurring is unacceptable; or 3) the combined impact of the probability and consequence is deemed unacceptable (Cloutier, 2000).
Risk Control
Once the risks are identified and analyzed, the next step is implementing mitigation strategies for any unacceptable risks. This step is called risk control, and it comprises two primary concepts: exposure avoidance and loss reduction.
Exposure avoidance involves any mitigation strategies used to avoid the exposure to the risks. Examples are eliminating particularly hazardous activities or services, avoiding certain areas due to environmental threats, or changing a tour destination due to political unrest.
Loss reduction is a different approach; it assumes that you have acknowledged the risk of a particular activity or service, and choose to continue to offer it, but will take steps to mitigate the severity of damage that may occur (CCTT, 2003a). An example is requiring all participants in a ski lesson to wear helmets; the risk of falling still exists, but you have taken action to reduce the severity of any fall.
Risk Treatment
Failing the ability to control all risks identified, the next step in the process is risk treatment. This includes the concept of risk transfer and risk retention. Risk transfer refers to the transfer of responsibility to another party, either contractually or by insurance. Risk can be transferred through contract either by entering into a contract for service, or by requiring participants to sign a waiver. Risk is transferred through insurance by paying premiums to an insurer, wherein they absorb the financial risk of an incident. Risk retention refers to the level of risk that is retained by the company through a conscious decision-making process. Examples of this may include the decision to increase the size of insurance deductible to use, the use of self insurance, or consciously not transferring risks due to an inability to do so (CTC, 2003b).
Take a Closer Look: Emergency Response Plans/Emergency Action Plans
Part of a robust risk management process is either an Emergency Response Plan (ERP) or Emergency Action Plan (EAP). These documents are plans designed assist staff in responding to emergency situations. You will find an EAP in virtually every public building in BC. Your classroom most likely has one posted by the exit. The idea behind having such a plan prepared in advance is that it will help staff respond in a consistent, effective manner if an emergency occurs. The scope and nature of the activities dictate what type of plan is required. For more information on specific plans check with accrediting or licensing agencies related to the specific activity.
A risk control technique that avoids any exposure to that particular risk.
A risk control technique that reduces the severity of the impact of the risk should it occur.
A risk mitigation strategy where the risk is transferred to a third party through contract or insurance.
The level of risk that is retained by the company through a conscious decision-making process.