Risk Management: Improving Incident and Organizational Success

“Risk a lot to save a life, risk some to save property, risk nothing for that which is already lost” or some similar phrasing is probably familiar to all in the fire service. Many fire service organizations promote their version of it, and most fire departments adopt it in one form or another. However prevalent this risk management statement may be, there are often shortcomings in how it is implemented.

There are two main opportunities agencies miss when implementing risk management. One is allowing the statement’s emphasis on emergency response to drive the organization’s focus on risk and thereby neglect developing risk management intelligence across the enterprise. The second relates to developing and training on risk management decision making for emergency incidents.


Incident risk management can be improved through defining what criteria are used to identify risk and what is savable, identifying when those risk management decision points need to happen, and conducting training so individuals apply the policy consistently across the organization. These improvements apply not only to emergency response but also to routine administrative, operational, and support functions. These are enterprisewide concerns that most fire officers do not address from a risk management viewpoint. This article explores risk, risk management, and how enterprise risk management can help your organization achieve its goals and objectives.

What Is Risk?

As historically and still generally used, risk is the possibility of something bad happening. But contemporary risk management theory defines risk as the potential outcome of uncertainty. This uncertainty is caused by internal and external factors and impacts an agency’s confidence in achieving its objectives. Risk is not inherently good or bad. For most people, risk has a negative connotation. For us in the emergency services, risk often pertains to the peril we face in protecting lives, property, and environment.

However, potential outcomes can also be positive. For example, people often make medical decisions based on the anticipated benefits of a surgery or therapy. And many actions (decisions) have potential positive and negative consequences. From individuals gambling in Las Vegas to organizations putting levies to a vote, there may be preferred outcomes, but both activities face positive or negative results.

When evaluating risk, projecting this potential outcome of uncertainty can be reasonably calculated as follows:

Risk = threat × probability × consequence.

Some risks are readily evaluated using the equation above and result in a numerical value (e.g., insurance companies estimating on-the-job injuries). But, many risks we encounter in the fire service are either too complicated or too time-constricted to concern ourselves about a finite answer. The key for the fire service is to understand the principles of risk analysis and to apply them practically, whether we are dealing with organizational activities, prevention, or incidents.

In emergency response, fire officers must deal with many risks that can generally be categorized into two of the four major risk types: hazard and operational. Fire officers may also be aware of examples of the other two risk types: financial and strategic. These four risk types are readily described by using common examples of what they cover:

  • Hazard: personnel (injury/fatality), property, liability.
  • Operational: people, process, controls.
  • Financial: market, credit, liquidity.
  • Strategic: economic environment, community changes, political environment.

We often focus on just the hazard and operational risks, but all of these types of risk affect fire service agencies. The degree to which any of these risk types or a specific risk impacts an agency depends on many organizational factors and how the agency manages those risks based on its risk “appetite.”

Risk Appetite

A consistent theme about risk is that everyone has their own tolerance for risk. Like individuals, every fire service agency is unique. We have different communities, resources, staffing, service demands, governance structures, and public expectations. To relate risk appetite to firefighting, consider a suburban community with single-family homes with at least six feet between them. Is this community’s fire hazard the same as that for an urban community primarily consisting of multistory residentials with zero clearance between structures or an industrial/commercial district that supports hundreds of employees and supplies significant sales tax to support public services? It would seem that those agencies would have different risk appetites in terms of fire suppression because the consequences would be different. Even on scene, different incident commanders would likely have different risk appetites for a given incident.

Even if their appetites were similar, they would likely have different risk mitigation strategies. Similarly, community expectations may be very different. For one agency, ensuring the fire does not spread beyond the building of origin and keeping firefighters safe may be a great outcome. In another community, the expectation may be that firefighters keep the fire to the room of origin and accept that firefighter injuries may occur to protect property. Although broad in risk appetite for property conservation, the fire service is likely to be more closely aligned for life safety in concept.

A decade ago, our country entered a recession that dramatically changed the economic environment for most agencies. The reported housing bubble is an example of a strategic risk some cities or districts likely had on their radar and perhaps were able to make budgetary decisions earlier than other organizations. Other agencies may have been aware of the looming concerns but had a greater risk appetite and maintained status quo only to have greater service impacts as the recession’s impact expanded.

As a fire chief in 2012, my agency was looking to improve staffing levels, and management and the board of directors discussed the impacts that additional real estate decline would have on current operations. Further decline threatened existing staffing levels, but there were indicators of market recovery. The board of directors had to determine its collective risk appetite. Although certain interests expressed the need to expand current services, the interest in ensuring existing service levels were maintained won out. As economic indicators continued to point toward recovery, my board of directors’ risk appetite changed, and we were able to modestly increase service shortly thereafter.

Risk Management

Firefighters are generally action oriented, as are the officers who promote through the ranks. Risk management may not seem overly action oriented, but in practice it is. Whether looking to accomplish objectives on scene or organizational goals, risk management is a tool that requires action to improve the likelihood of success. A familiar scenario would be a structure fire.


While on scene, risk factors (threat, probability, consequence) must be accounted for before committing people to tasks. Frequently, we rely on naturalistic decision making in risk management rather than explicitly walking through a risk management process. Regardless of how those decisions are made, we look at mitigations to reduce the risk so it is in balance with the reward (life or property saved). It may be doing an additional hot lap, ensuring a backup line is in place, placing additional ladders while conducting upper-floor searches, revising a vertical ventilation plan, or withdrawing from a structure. In putting these mitigations in place, firefighters, officers, and incident commanders are practicing risk management.

Above, it was noted that the fire service is closely aligned in that we are willing to risk rescuing victims of fire. In practice, however, there are wide variations in determining what constitutes a “savable life.” Mitigating those disparities requires consistency in expectations and training. For this example, in Fire Department Incident Safety Officer, Chief David Dodson provides a rescue profile model (high, marginal, zero) for decision making. Departments may choose to train firefighters, officers, and incident commanders to use this model to mitigate discrepancies in what “savable” means on scene to responders.

As you can see, risk management is not about simply operating in a defensive mode. It allows for a greater probability of success by identifying and mitigating hazards to facilitate safer operations. In each of these situations, the responders reduced the uncertainty of outcome by gathering more information or taking action. These mitigations can be applied to each of the risk factors, and the risk equation can now be represented as

Risk = (threat-mitigation) × (probability-mitigation) × (consequence-mitigation)

Our members are experienced in managing hazard risks on scene and during training, but many are less familiar with managing financial, operational, strategic, or even hazard risks during routine activities. At least, most likely do not recognize that they are using risk management decision making throughout their day. From deciding what time to leave and what route to take to work (strategic risk around the traffic environment) to deciding whether to pass or shoot during a basketball game (operational risk around process), firefighters make risk-based decisions every day—decisions that help achieve their objectives (e.g., be to work on time, win the game).

Many firefighters are also personally aware of financial risk. Whether deciding to invest in a cryptocurrency, contribute more to their deferred compensation plan, or buy a new vehicle, they make financial decisions that impact their future economic choices. Individuals may have jumped into the stock market last year seeking high returns while recognizing the market may adjust in short order. Others may have opted for a lower return on a more secure investment. Everyone has their own risk appetite.

Like individuals, agencies also must manage risks. Agencies make decisions regarding hazard risks (e.g., property loss, purchasing insurance), financial risks (e.g., fuel contracts), operational risks (e.g., training, equipment purchases), and strategic risks (e.g., economic environment, changing demographics). But, because of the magnitude of impact, statutory requirements, and public scrutiny, managing risks for agencies is far more complex than it is for most individuals. Many of these risk management processes are handled by risk management, human resources, or legal departments. From developing contracts to ensuring performance and indemnifying against loss, evaluating and purchasing liability and medical insurance policies, and processing personnel issues and workers’ compensation claims, risk management is essential across organizations. Bringing structure to risk management helps agencies bring coordination and consistency to risk management across the organization. Integrating the concept and processes of risk management into an organization aids in reducing negative outcomes; more importantly, it increases the likelihood of achieving organizational goals and objectives.

Enterprise Risk Management

It is clear that firefighters of all ranks use risk management techniques; it is also clear that they all do not apply the same techniques under the same expectations. As described earlier, the “Risk a lot to save a lot, risk some to save property, risk nothing for that which is already lost” approach leaves many gaps for the individual to fill in. Even though every scene is unique, if fire service agencies work to fill in the gaps through policy enhancements and training, and if they include risk management discussions in after-action reviews, there will be fewer gaps for individuals to fill in and a greater likelihood of success in meeting objectives on the fireground and across the organization.

For risk management to aid the organization in achieving its goals, it must be implemented in a holistic manner. And, as is necessary for success and effectiveness, there must be a mandate and a commitment from the senior leadership and the governing body. Risk management needs to be embedded in the organization’s management at all levels and across all segments of the organization. A risk management system provides an organization with tools to improve its strategic and operational planning and decision-making processes. Through identifying risks and implementing management techniques to address them, an organization can reduce uncertainties and improve the likelihood of achieving its goals and objectives. Many agencies already have components of risk management in place in their different segments (e.g., human resources, finance). However, through consistency and coordination of risk management principles, framework, and processes, agencies can improve the efficiency and effectiveness of their risk management systems. Enterprise risk management can provide the structure to help agencies implement organizationwide risk management practices.

A framework helps address the process of risk management. Implementing a process improves consistency, which improves outcomes. There are many model frameworks, or an agency may decide to develop its own. One such framework is National Fire Protection Association 1250 (2015), Recommended Practice in Fire and Emergency Service Organization Risk Management. There are also nonindustry-specific options such as the Committee of Sponsoring Organizations (COSO) and International Organization for Standardization (ISO) 31000 enterprise risk management frameworks. In addition to more public and private adoption of these frameworks, the COSO and ISO 31000 models are more comprehensive in their approach than NFPA 1250. These and many other frameworks have their strengths, and there is no one framework that is best for all the fire service. Although unique in their scope and approach, frameworks are similar in that they provide a structure to risk management. Exploring one enterprise risk management model provides a basic understanding of the components and arrangement of frameworks generally.

The ISO 31000 Model

The ISO 31000 model consists of three interconnected components: principles, framework, and process. The principles center around creating and protecting values and include using best available information, incorporating human and cultural factors, customization, integration into all aspects of the organization, and continual improvement. The principles drive the framework and the process. These two components feed each other, continually interacting with and contributing to the improvement of the risk management system. The framework provides the leadership and commitment for risk management. It offers a high-level implementation, evaluation, and improvement cycle. This oversight and quality improvement function is fed by and contributes to the risk management process model.

The process component uses several key inputs and outputs for taking risks, from assessment to treatment. The processes include communication and consultation, monitoring and review, and recording and reporting. Key to both the framework and the process is individual involvement. Since risk management decisions are the responsibilities of each member and to the extent that this is an essential element of enterprise risk management (ERM), there comes the saying, “Everyone is a Risk Manager.”

Opportunities Ahead

Through the expansion of risk management within the fire service, we can improve our internal and external customer service through greater achievement of our goals and objectives. Ingraining risk management as part of our decision-making processes will improve the safety and health of our members. It will provide them with tools that will help them to better decide when it is possible to protect life and property within their organization’s risk appetite.

To support the mission, your responders, and the community, take some time to learn about the risk management practices your agency has in place. Learning about current practices may increase your understanding of the strengths of existing risk management components and help you to identify gaps in consistent practices. Reviewing NFPA 1250 or another risk management framework will provide additional background and information on how a risk management system can help achieve organizational goals and objectives.

BRIAN STEWART is a shift battalion chief and hazardous materials chief with Clackamas (OR) Fire District #1. He has been with Clackamas Fire since 2014 when Boring Fire District #59, where he was chief, combined with Clackamas Fire. Stewart has a master of public administration degree and a bachelor’s degree in fire science. He is a designated Chief Fire Officer by the Commission on Professional Credentialing and is a peer assessor for the Center for Public Safety Excellence for fire service accreditation and professional credentialing. He is a director with the Oregon Safety and Health Section and serves on a state incident management team. Stewart has presented at state conferences on firefighter safety and risk management and on using risk management to help achieve organizational success at the Center for Public Safety Excellence’s 2019 Excellence Conference.


Tim Hyden: Fire Service Risk Management

Risk Management: It’s Not Just a Catchphrase

Morris: We Are Obligated to Practice Risk Management

No posts to display