1.1 Risk and Its Management – An Introduction
The three elements of risk are:
- An event;
- The probability of the event occurring; and
- The consequences of the event
In a business environment that places a high value on corporate accountability, risk management has become an increasingly important area of concern for companies and organizations with risk event exposure.
Risk event exposure and its analysis have traditionally focused on the human and infrastructure safety concerns in an organization’s operations. In the safety field, for example, the consequences of risk have been seen as having wholly negative outcomes. Safety risk management has thereby been perceived as a practice focused exclusively on prevention and mitigation of harm.
Current best practice models, however, have begun to take a wider view of what constitutes risk, how to analyze organizational and operational exposure to it, and how to implement effective risk management systems. These models include the new perspective that in the possible or actual occurrence of a risk event, not all consequences will be negative and that certain risks can even result in positive outcomes and opportunities for an organization.
What is Risk Management?
The systematic process of establishing the context, identifying, analyzing, evaluating, planning for, monitoring and communicating risks associated with any activity, function or process, in a way that enables an organization to minimize losses and maximize opportunities.
In this overview, PEAK offers a brief look at the key components of contemporary Risk Management (RM) policy and practice that we believe organizations will need to engage with in establishing or revising a Risk Management Plan.
It also provides prospective clients with information on PEAK’s RM philosophy, our risk assessment expertise in the field of emergency medical response in predominantly non-urban environments, as well as information about the services we provide to organizations and corporations in the area of risk management planning and execution.
2.1 The PEAK Risk Management Philosophy
PEAK Emergency Response Training (PEAK), a division of Peak Project Management, Inc., is a BC-based company that provides - in addition to advanced emergency medical training - risk management and assessment services to the recreation tourism industry.
At PEAK, we subscribe to the view that risk management is a core component of any organization’s structure and overall strategic management plan. It is the process whereby an organization methodically addresses the risks attached to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities the organization is engaged in.
The job of good risk management practice is the identification and treatment of these risks. Good risk management practice has the objective of understanding the potential upside and downside of all the identifiable risk factors that can affect an organization, both internally and externally. It should methodically address all risks surrounding the organization’s activities past, present and future.
Good risk management should also be a continuous and developing policy process that is integrated into the culture of the organization, with an effective long-range implementation program led by senior management. The program must translate policy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description.
2.2 The Risk Management Plan and Process - Key Components
A Risk Management Planning and Process Model has a number of groundwork development areas which most organizations will need to engage with - some in more depth than others - in order to develop an effective risk management program. They are:
- Risk Assessment - involving Risk Analysis and Evaluation
- Risk Communication and Reporting
- Risk Treatment
- Monitoring
This diagram illustrates the key RM components as they flow from the overall strategic plan, but are always informed by the continuous cycle of assessment, reporting systems, treatment (plan implementation), decision-making and monitoring.
2.3 Risk Assessment
Risk Assessment is defined as the overall process of risk analysis and risk evaluation.
A comprehensive risk assessment process is the foundation of a risk management plan and has three objectives:
- Determining risk event probability and consequences
- Estimating level of risk; and
- Evaluating and prioritizing the risk
Best practice risk management models encourage organizations to distinguish between sources of risk exposure and causes of risk events.
2.3.1 Sources of Risk
Sources of risk events that should undergo risk assessment cover a wide range of categories. They include:
- Environmental
- Natural Events (avalanche, earthquake, forest fire, etc.)
- Extraordinary Events (bomb threat, act of terrorism, etc.)
- Regulatory (WCB, legislative policy changes)
- Infrastructure/ Construction
- Security (criminal activity, etc.)
- Public Health/Safety
- Litigational
2.3.2 Causes of Risk
In the process of risk assessment across the range of activities an organization is engaged in, it is important to recognize that while some risk events appear to be caused by material or system failure alone, ultimately all risk events arise as a result of human behaviour at some stage in the chain of events leading up to the event occurrence.
2.4 Risk Analysis and Evaluation
2.4.1 Risk Analysis
Involves the identification of potential risks and the kinds of potential and/or existing risk exposure associated with them.
This task requires an in-depth knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.
Risk identification should be approached in a methodical way to ensure that all significant activities within the organization have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities as well as stakeholder and third-party relationships related to the activity should also be identified and categorized.
2.4.2 Risk Evaluation
Involves the in-depth analysis of potential risk event(s) and the consequences associated with them. This task includes:
Risk Description: The chance of something happening that will have an impact on the given business activity objectives. It is measured in terms of probability (likelihood), and consequences.
Event Description: The potential incident or situation that occurs in a particular place over a particular interval of time.
Consequence Description: The outcome of an event expressed in both quantitative and qualitative terms. This could include quantitative data evaluation such as event frequency and kinds of probable injuries resulting from an event, as well as qualitative analysis, such as the potential for a given risk event to impact an organization’s reputation. In a thorough risk evaluation process, there will be a range of possible outcomes - both negative and positive - associated with an event to be considered.
2.5 Risk Communication and Reporting
2.5.1 Communication and Reporting
Effective communication and reporting systems will be the key to achieving the cyclical flow of RM information and decision-making from senior management to internal staff, stakeholders and other external parties back to senior management as required by the risk management model presented in diagram 2.2.
Documenting communications during risk events, using best practice reporting system models and ensuring staff are trained in emergency protocols and communication technology use, will all contribute to this critical area of risk management practice and risk management monitoring.
Best practice models require senior management to be directly engaged with an organization’s risk management philosophy and responsibilities. This would include publishing and actively communicating the RM policy and program(s) to ensure their uptake in the organization’s culture.
2.6 Risk Treatment
A Risk Treatment Strategy is a way of addressing risk by:
- Reducing its level to what is acceptable or below,
- Transferring or avoiding the risk; or
- Accepting it.
Risk treatment is the process of selecting and implementing measures to modify an identified risk. Risk treatment includes, as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.
Any system of risk treatment should provide as a minimum:
- Due diligence for the documentation of risk treatments
- Effective and efficient operation of the organization,
- Effective internal controls; and
- Compliance with laws and regulations.
Compliance with laws and regulations is not an option. An organization must understand the applicable laws and must implement a system of controls to achieve compliance.
One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognized that some losses or elements of a loss are likely uninsurable; for example, the uninsured costs associated with work-related health, safety or environmental incidents.
2.7 Monitoring and Review of the Risk Management Process
Effective risk management requires a consistent monitoring and review structure to ensure that the risks identified for treatment, the recommended controls and appropriate response mechanisms for these risks are in place. Regular audits of policy and compliance standards should be carried out and performance reviewed to identify opportunities for adaptation, modification and improvement.
Any monitoring and review process should also determine whether:
- The risk treatment measures adopted resulted in what was intended;
- The procedures or program adopted, and the information gathered for undertaking the risk assessment process were appropriate; and
- Whether or not improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks.
2.8 Risk Management Administration
2.8.1 Policy Administration
A comprehensive risk management policy should set out the organization’s ideological approach and appetite for risk. The policy should also set out responsibilities for risk management throughout the organization. Further, it should reference all legal and regulatory requirements for policy statements; i.e. for Operational Health and Safety.
PEAK has a 10-year business history in providing advanced emergency response training and medical emergency response protocol manuals for organizations and corporations operating largely in non-urban environments. Our Outdoor Emergency Care (OEC) Certification courses and the Advanced Protocol Training Program, for instance, are accepted as the BC mountain resort industry’s best practices standards.
Out of our understanding of what it takes to implement risk treatment programs - developing training modules, reporting and communication systems that respond to emergency care risk events - we’ve come to understand risk management principles in a unique way: we are constantly out there working in the field and bringing the best and newest protocols into active application.
In the growing recreational tourism industry in BC, with over $9 billion in revenues reported in 2003 alone, we see an expansion of the need for knowledgeable emergency care risk assessment and risk management planning services for organizations doing business outside the scope of urban and regional based medical and paramedical response systems.
PEAK Risk Assessment Services
We provide organizations with risk assessment services in the areas of risk analysis and in-depth risk event evaluation, reporting and communication systems, treatment options and overall risk management monitoring. Risk areas we can provide assessment and management services for include:
- Natural Events (avalanche, earthquake, forest fire, etc.)
- Extraordinary Events (bomb threat, act of terrorism, etc.)
- Support Service failure
- Security (criminal activity, etc.)
- Public Health/Safety
- Regulatory Compliance (WCB, legislative policy, etc.)
We will work with your organization to build components of a risk management plan from the ground up, or work with you to revise and/or test an existing plan.
PEAK Risk Management Services
Our management services will assist your organization with the following:
- Establishing policy and strategy for risk management
- Identifying RM leadership at strategic and operational level
- Assisting in building a risk aware culture within the organization, including appropriate education and systems training
- Designing and reviewing risk assessments
- Designing the communication and reporting plans which advise on risk management issues within the organization
- Developing risk response processes, including emergency protocols, contingency plans and risk report monitoring
- Preparing monitoring reports on the risk management plan for senior management and stakeholders.