Institute of Risk Management (p.2-5) and Moteff (pp.20-22) have documented Risk management Planning in literature as a sustainable practice for identification, assessment, evaluation, prioritization of resource allocation towards risk mitigation and cost-effective approaches toward implementation of a risk management framework that could result into reduction of risks and threats that might affect the continuity of business processes. Similar observations have been put forward by Hubbard (p.467), Moteff (p.46) and Stoneburner et al (pp.129-131). Hubbard (p.124) data suggests continuity of business processes depends on the capacity for management of residual risks. The sustainability of RMP should be based on a pre-emptive rationale for risk management as opposed to the alignment of RMP onto strategies for Business Continuity Planning (BCP) as proposed by Covello and Allen (pp.98-102) data.
Covello and Allen (pp.122-4) data suggested that the framework of BCP should seek to manage outcomes of residual risks that are associated with business processes and activities. BCP integration into RMP ensures business activities that predispose risks are documented and managed to reduce opportunities for the occurrence of the risks. Literature studies on RMP have documented that unlikely activities could arise and contribute to risks that could affect business continuity, and process efficiencies and impact negatively on the bottom line. Businesses ought to identify differences between RMP and BCP in order to isolate functionality, structure and strategies that inform each of the processes as documented by Gorrod (p.45-6) and Crockford (pp.51-4). RMP should result in a determination of processes that create an environment for BCP for instance analysis and assessment of assets and resources, impact assessment of different business processes on RMP and BCP and cost structures of business processes that support RMP and BCP. organizations ought to identify applicable business controls for organizational observed risks through risk assessment and risk appraisal (Gorrod, p.119). BCP includes RMP in its framework and structure. RMP differs from BCP in terms of pre-emptive approaches that are based on the observation that risks and uncertainties occur at some point in the business lifecycle.
Crockford’s (p.18) data suggests that RMP should be structured towards risk forecasts, estimation of effectiveness of risk control measures and creation of risk response plans that have the capacity to mitigate, monitor and prevent the risks. Crockford’s (pp.20-21) suggestions have been documented by Dorfman (pp.59-62) and Stoneburner et al (pp.86-8) data. Moteff (pp.135-8) however indicated that risks affect the capacity for achievement of project objectives as well as the distorted project schedule, and continuity of business processes. Risks contribute to production waste based on the lean principle of manufacturing through increased production cycle times, accumulation of inventory and incapacity to deliver manufacture to order as documented by Crockford (pp.66-71) and Hubbard (pp.465-9).
Risks have been documented to arise from the least suspect circumstances hence the need for ongoing risk assessment and evaluation in order to implement risk controls that could address risks management at any instant. As a result, RMP should be built on strategies and analysis perspectives that manage risks regardless of their impacts (Dorfman, pp.34-5, pp.96-102). The organization ought o have an ongoing review of its risk threats. This ensures risk reporting is close to business real-time operations and reflects actual potential risks that could affect the continuity of business operations and processes. As a result, RMP should be driven by a sustainable risk management strategy. An organization’s risk strategy cycle should integrate capacity for accepting the occurrence of the risk through clarity in understanding the threat of occurrence of the risk, adopting measures meant to prevent and control the likelihood of the risk, adopting measures towards risk mitigation via implementation of risk mediating steps and adoption of measures meant to transfer risks through risk outsourcing strategies into third parties like the insurance firms who have a position to manage outcomes of the risks (Moteff, pp.34-37).
Gorrod (pp.24-29) data indicates that many organizations have failed to achieve stability in their economic growth due to failure to have structures for risk management. Institute of Management (pp.12-15, pp.17-8) data suggests that organizations have very low risk tolerances which predispose the companies to financial risks, and inability to improve the health of their credit risk rating as documented by Covello and Allen (p.12) data and verified by Stoneburner et al (pp.75-79) data. Institute of Management (pp.18) and Covello and Allen (p.12-14) have documented that the structure for risk management planning in many organizations has failed to contribute to risk management. According to Covello and Allen (p.14) deficiencies in organizational risk management arises from a lack of organizational risk operational plan, failure of management to develop a financial plan that could manage financial risks and a poorly oriented marketing plan that is not aligned to risk management as well as lack of support risk management tools that could inform risk management through the capacity for approval of risks management plans. In many instances organizations, risk management planning doesn’t have adequate support from human capital that is competent to implement risk management planning as suggested by Dorfman (pp.101-111) data. Risk management planning, though has been identified to be driven by competencies of human capital, the benefits associated with risk management planning are not dependent on human capital because risks management is not human capital centered but centered on business processes. Dorfman (pp.124-6) data suggests that risk management planning should be focused on the level of risk policy in place, procedures for risk management and response criteria for risks and management of results of risks. This study is based on Manchester Fire and Rescue Service risk management planning.
Risk Management Overview
The inability of an organization to gain value from RMP arises from deficiencies in risk assessment, and incapacity to prioritize risks which result in wastage of time in risk management which translates into a loss of resources. organizations should identify the rationale for risk management planning that could not contribute to the diversion of resources from risk management planning. This implies organizations ought to devise methods for retention of risks with the objective interest of managing the positive or negative outcomes of the risks when they arise (Moteff, pp.204-6).
In many instances organizations adopt qualitative risk management approaches, which don’t contribute into positive outcomes because qualitative risk management strategies are subjective which implies qualitative risk, approaches are not consistent. Consistency in risk management is an important tool in the sustainability of risk management. As a result, quantifying risks and numerical representation of risk profile and risk position provides organizational direction that could be justified by formal processes involved in risk assessment and evaluation (Gorrod, pp.25-6). This implies, risk management should be a function of legal perspectives or bureaucratic orientation. Through legal and bureaucratic perspectives in risk management, the organization gains from prioritisation of risks hence capacity for resource allocation that could support risk management processes.
Risk mitigation and risk handling measures should not interfere with business process continuity which makes risk management planning to be a subset of business continuity planning. Tasks and processes that define business profit activities should not be distorted by measures towards risk management. organizations fail to identify differences between risks and uncertainties in their capacity for risk management. Risks are measured and evaluated on basis of the probability of risk occurring and impacts of the risk on business processes (Moteff, pp.115-118). As a result, every probable risk ought to have a pre-formulated risk plan which should be instituted towards the management of the risk. Risk categorization, therefore, is an important element in risk management planning since it provides information on risk consequences and capacity to identify risk contingencies in the event a business process activity escalates into a business liability.
Mathematical modeling has been employed in the measurement of risk costs. The average cost of managing an employee as internal stakeholder is used to determine cost accrual ratio for the employee. Through use of the employee cost accrual ratio, the risk management team could document costs of risks associated with the employee activities and tasks. The cost of an employee in a given time frame could be used to provide analysis of estimated time lost when a risk occurs associated with employee activities (Gorrod, p.52). This result into employee risk cost impacts which could be used to determine organizational cost impacts of risks. Integration of lean principles of manufacturing identify risks management increases time of production which translates into build-up of inventory in manufacturing cycle hence inefficiencies in cycle times management. Employees that demonstrate high costs impacts have been identified to have greatest input in risk management. The higher the risk scale of an employee, the higher the returns associated with the employee (Crockford, pp.99-104). High risk employees contribute into positive outcomes of an organizational bottom line and take part in improving reputation of the firm.
Crockford (pp.88-89) data suggests that risk management requires risk management team to categorize risks based on causes of the risks. Crockford (p.89) and Stoneburner et al (p.92) have claimed that there exist two risk categories. Crockford (p.9) data has identified special cause variation risks (p.10) and common cause variation risks (p.14) as documented by Stoneburner et al (p.92-99). Crockford (p.91, p.93) documents that common cause variation risks play an important role towards informing risk management team on the direction of risk approaches and risk management direction. Gorrod (p.225) data indicates that different risk perspectives could contribute into the capacity for organizations to manage special and common cause risk variations. Crockford (p.98, p.103-5) notes that risk management could be achieved through transfer of risk to third parties for instance insurance or reinsurance companies. Crockford (p.104) data suggest risk transfer has capacity to contribute into organizational management of common cause risk variation. Similar observations have been documented by Stoneburner et al (pp.105-6). Crockford (p.97) data indicates that special cause risk variation are common. Similar recommendations have been proposed by Dorfman (pp.228-9). Transfer of risks involves insuring the [probability of the risks after risk appraisal and assessment which results into sharing of burden of the risks losses or economic benefits of the risks. Risk transfer is important element in business continuity planning since it influences on capacity to adopt measures that could contribute into a reduction of risks or minimisation of occurrence of the risks.
Risk outsourcing has been determined as probable method for risk transfer. In the event of risk transfer, the insurance firm might get exposed into liquidity problems that might impact negatively on the insurance firm solvency (Covello & Allen, pp.305-6). This would translate into the probability of the risk being reverted into the first party as opposed to the insurance firm. This implies risk transfer is valid if the third party is solvent and has no liquidity problems; otherwise the company seeking risk transfer still maintains legal responsibilities for any risks or losses that might arise (Hubbard, p.67). Transfer of risk ensures that any risks incurred are compensated based on quantity of risk in terms of monetary value of the risks. As a result, there is need for a firm to have security controls over risks in order to reduce opportunities for occurrence of risks. The firm risk management planning should identify and conform to statement of risk applicability through identification of risk control goals that should be structured on basis of risk category (Stoneburner et al, 24). It is essential to prepare and document a risk treatment plan that should be used and followed in the event of risk.
Goals and objectives
- To investigate risk management planning of Manchester Fire and Rescue Service
- To investigate the structure of Manchester Fire and Rescue Service Risk management hence or otherwise determine current efforts towards risk management planning that are proportionate to the risks that affect Manchester Fire and Rescue service
- To determine rationale for resource or asset allocation towards risk management planning
- To determine the rationale for Manchester Fire and Rescue risk evaluation and mitigation.
Expected outcomes of the study
The study findings would provide elements that should be taken into account when carrying out risk management planning. The findings will pave way forward for risk management planning as a vital element in Business Continuity planning. The findings will play a leading role in the determination of processes that should inform risk management planning through the identification of tasks, risk responsibilities, activities that should contribute to risk control and mitigation and budgetary allocation for the sustainability of risk management planning. The study finding would highlight on the values of risk transfer and rationale for risk assessment and risk appraisal. The findings of the study will play a leading role in the formation of new positions of risk officers who would be responsible for overseeing risks that the organization could be exposed to. The findings of the study would play a leading role in organizational capacity to develop risk management database that would contain elements like database opening date, title of risk in the database, descriptive information on the risk, probability of risk occurring, factors that could create an environment for occurrence of the risk, risk control methods, risk mitigation procedures, and importance of the risk towards organization risk learning culture. The risks in databases would have a personnel designated to oversee their management and timeline or risk resolution milestone. The findings would result into a capacity for the organization to develop anonymous reporting channels in order to create an environment for anonymous whistle blowing on risks that might affect the organization. The findings would provide direction that would be adopted post whistleblowing on a risk through steps for risk handling hence make it possible to reduce negative impacts of the risk or potential of the risk escalating into a liability.
In literature, Risk management planning (RMP) has been defined as capacity for identification, assessment, evaluation and prioritization of risks (Chan & Mauborgne, pp.44-6). The International Standards organization (ISO), through ISO standards ISO 31000 recognizes RMP as positive and negative outcome of uncertainty management of processes that influence on capacity for achievement of targeted objectives. RMP ought to include risks management aspects like economical resource utilisation planning, prioritisation of resources, monitoring and control of risks and risk profile analysis of events and activities that form framework for organization activities. RMP should contribute into maximisation and optimization of resources hence potential to gains from return on opportunities (Covello & Allen, pp.145-7). organizational risks are named and categorised based on the source of the risks for example, there are market uncertainty risks, financial risks, project failure risks, project continuity risks, legal risks and liabilities, risks of credit rating and risks of payment default.
The primary input that ought to be integrated into RMP has been documented as organizational-based risk factors. The internal organizational environment capacity for risk management planning influences on attitudes and risk tolerance capacity for the organization. Managerial practices and managerial risk perspectives influence on risk tolerance capacity. The policy statement of an organization plays a leading role in determining position of the organization with regard to risks tolerance (Chan & Mauborgne, pp.89-92). The policy statement provides ethical position of the organization. The level of risk planning depends on organizational process assets. The organizational assets provide basis for organizational standards for risk management and risk mitigation approaches. The assets influence of approaches that the organization could employ in its risk categorization. Resources determine risk monitoring processes and their efficiencies in risk management and risk documentation (Moteff, pp.56-7). The sustainability of organizational economic growth depends on the risk profile assessment and documentation, risk management responsibilities of employees and level of authority on risks and decisions that are made on risk management. The organizational assets influences on level of qualitative risk management, level of quantitative risk management and capacity for descriptive risk structures that the organization adopts. Assets of an organization determine standards for risk management which further determines project scope statement on risk management.
RMP should be driven by the capacity for determination of risk management milestones. Risk management milestones identify process deliverables and associated risks which require the implementation of a project management plan into RMP (Covello & Allen, pp.150-2). This implies risk management approaches should be defined by the element of time and costs. Information of project or business process milestones helps in developing risk execution activities and determination of safety measures that ought to be implemented at any instance during business activity progress. the risk management planning ought to inform on risk identified, provide documented qualitative and quantitative analysis of the risk, provide risk response methodologies and personnel required as well as level of risk monitoring required based on risk category and business process lifecycle which informs on risk mitigation and management strategies.
The RMP should be structured such that it has the capacity to respond to individual capacity to manage risks (Crockford, pp.34-6). This should be subject to profiling of risks. Individual predisposing factors to risks should be documented and risk management strategies developed based on factors that create an environment for occurrence of the risks. The structure for RMP should be governed by functional methodology on steps that should be taken towards control and mitigation of the risks. The risk methodology framework should document measures meant to prevent escalation of risk or increase of the risk (Hubbard, pp.122-3). There should be defined approaches, risk management tools and support of data on risk management which should inform the organizational direction for future RMP sustainability. The organization should define time scale and schedule for the achievement of different set key objectives for the RMP. The milestones should be based on frequency of RMP monitoring, assessment and life cycle of RMP activities (Moteff, pp.86-8). Other studies have determined that outcomes of RMP should be documented in order to inform future risk analysis and studies on previous data or database on risks. Budgeting assignments and allocations influence on success of RMP if the organization has categorised its risks and developed strategies for risk management based on risk categories. Risk categorization contributes to capacity for a comprehensive understanding of risks that the organization may be exposed to and the determination of rationale for risk handling through risk mitigation measures that are risk categorical. The sustainability of RMP is dependent on the consistency of risk mitigation strategies which gains value from risk structure for different risk categories (Hubbard, pp.401-8).
An organization gains from RMP through the investment of measures that manage risk probability and risk impacts. The organization ought to document its risk probability and risk impacts through consistencies in risk evaluation and assessment. The organization has to quantify its risk position and risk management strategies ought to identify intangible risks (Crockford, p.16-17). This has effect of identifying new risks that the organization could be exposed to subject to analysis of risk threat of processes and activities taking place. Deficiencies in documenting and conducting risk threat of activities result into failure to plan risk management strategies. Inadequate knowledge on risks vulnerability of business activities results into inability to identify risks which results into inability to design risk mitigation measures (Dorfman, pp.125-128). Participation of employees in risk identification and risk documentation depends on level of organizational risk learning culture which ought to contribute into organizational risk knowledge development. This ensures the organizational risk management is structured on relationship risk management hence the probability of use of collaborative approaches in risk management (Stoneburner et al, pp.9-12). Through collaboration and relationship risk management, the organization is positioned to implement process risk engagement structures in risk management which ensures risk management is geared towards documentation of operational procedures and determination of risk threats based on operational procedures.
In many instances, lack of a risk learning culture results into inability to identify and measure employee productivity or develop a framework for a knowledge culture on risks which results into an increase of production risks hence decreased returns on opportunities and returns on investment (Institute of management, pp.25-29). Risks have the capacity to reduce service quality, the reputation of a brand, value of a brand or service and loss of brand generic qualities. This makes it possible for an organization to measure its productivity based on the exploitation of values of intangible risk management. Incapacity of an organization to deploy risk resources impacts negatively on the projection of values of opportunity costs (Dorfman, pp.158-164). This is because resources that risks consume reduce resources that could have been used to generate profits for the firm or be used to motivate employees. The risks that affect organizations result into the inability of an organization to invest which impacts negatively on the solvency of an organization and the probability of an organization to be exposed into liquidity risks. The procedures for RMP should be constituent of procedures that identify, reduce and prioritise risks (figure
Risk handling procedures should be based on the capacity to design new business processes that support the values and objective interests of the structure of the organizational risk (Gorrod, pp.23-6). Thus, the organization ought to have built-in risk control and risk containment strategies which should be used as the foundation for risk documentation. RMP are structured on basis of the probability of the emergence of new business processes. Thus, firm RMP should demonstrate capacity for built-in risk controls on emerging new business activities and processes. Additional business processes should be governed by a corresponding analysis of risk profile. There should be risk quantification for all organizational business processes (Crockford, pp.132-5). the organization should engage in business activities that don’t qualify for high risk which make it possible for an organization identified risks to be managed by any risk mitigation approaches for instance, through the adoption of risk avoidance approaches like elimination of risk opportunities or ceasing business processes that are high risk; reduction of probability of occurrence of the risk through optimization approaches to risk management and mitigation; adoption of risk-sharing approaches where the risk is transferred to third parties like insurance agencies or adoption of risk retention approaches where organization invests in risk acceptance and allocates resources for risk management (Covello & Allen, pp.178-9).
Case-controlled studies have determined that risk mitigation strategies may fail to contribute into risk quantification if the risk strategies are not formulated and aligned on organizational or business strategies. Risk control and prevention measures might include necessity for risk trade offs which might not be in line with ethical best practices for the organization. Unethical business practices contribute into added risks of lack of credibility, transparency of business processes and accountability which impact of healthiness of business internal control and monitoring (Dorfman, pp.112).
Results and discussion of the results
The document analysis of Manchester Fire and Rescue Service (MFRS) determined that MFRS risk management planning “is a structured on input-output documentation of processes” that are involved in risk “mitigation, risk analysis, risk management and risk control”. The MFRS Risk Management Planning (RMP) “outlines mechanism through which “risks on MFRS projects are managed”.
Definition of a risk management planning
The MFRS document analysis determined that MFRS RMP “is internal informal documented structure for risk management that forms basis for formalising risk strategies, risk communication and risk evaluation and assessment criteria”. The document analysis determined that “MFRS RMP depends on project deliverables and risk milestones”. The risk plan for the MFRS is dependent on the “application or size of the project” or “risk issues that might arise during progress of the project” and capacity to “manage escalation of minor risks into major incidents”. The MFRS risk management planning is dependent on “nature of risk that is expected”, “creditworthiness of the risk”, “capacity of the MFRS to plan for the risk” and “capacity for determination of economic risk costs” that might be incurred. The MFRS RMP “is structured on capacity for management of risk vulnerability” that is founded on capacity to “conduct risk assessment” in order to “quantify risks and determine costs disadvantages of the risks”. The risk framework for the MFRS is “dependent on capacity” to identify “rate of insurance” and capability for “planning for adverse risks outcomes”.
MFRS rationale for risk management planning
The MFRS has a rationale that forms foundation for RMP. Focus groups with the risk assessment and risk appraisal team determined that “MFRS has risk innovation team” that conduct analysis on “threats and opportunities that could result into risks” in order to document rationale for “future risk management”. The Risk appraisal manager noted that “MFRS risk is measured in terms of effect thus positive or negative outcomes of the risks”. The MFRS risk structure is defined in terms of “events or series of events that affect continuity of business processes, capacity to deliver service quality or deliver ethical business practices”. The risk research personnel noted that “MFRS risk vulnerability is measured and expressed in terms of probability of an event to occur and negative impacts that the event has on quality of life, quality of service and continuity of processes”.
The MFRS risk management planning is structured on “enterprise risk intelligence”, “enterprise risk events and activities” and “enterprise risk compliance” that form the foundation for MFRS risk management. The risk activity documentation for risk management planning includes determination of “events that could result or predispose occurrence of risks”, “economic costs that include indirect economic costs of the risks events and direct economic costs of the risk events”, determination and analysis of probability of the risk taking place and “processes that could contribute into control and prevention of the risks”, the evaluation and assessment of the “outcomes and consequences of the risks”. The document analysis of MFRS helped to identify “processes that inform MFRS risk probability” through the identification of processes and activities that could reduce occurrence probability of the risk and determination of “efficiencies of the proposed method for risk management planning”. The MFRS RMP is a product of “risk contingency planning through determination and documentation of processes that could decrease “impacts of the risks”. The MFRS risk manager proposed that “risk planning is a function of risk reduction strategies” which are based on “framework for risk mitigation and risk contingency planning”. The reduction strategies for the risks are dependent on level of “risk exposure” that is a difference between “risks identified and risk reduction strategies”.
The MFRS structure for risk exposure
The MFRS risk exposure is measured and expressed in terms of “risks that are identified and potential of risk reduction strategies to manage the identified risks”. Thus, risk MFRS RMP is structured on “quantified risks that cannot be avoided”. The Risk research personnel noted that the MFRS risk structure is constituent of key elements that “inform MFRS risk management policy” namely “quantified threat of the risk”, “quantified MFRS liability of the documented risk”, “and quantified severity of the risk in terms of direct and indirect economic costs”. The structure of risk exposure “is based on “capacity of determined and quantified risk management processes to control and prevent risk occurrence”. Risk exposure, based on focus discussion on risk assessment and risk appraisal, “is supposed to highlight on risk cost factors and risk management strategies benefits planning”. The structure of MFRS risk exposure is used to evaluate, monitor and assess if the “risks of implementing risk management and exposure are high or low compared to capacity to implement risks controls for the risk exposure”. The MFRS structure for risk exposure is dependent on MFRS rationale for “assumed risk”. The MFRS RMP is further dependent on “level of assumed risk” which means “adoption and implementation of RMP is influenced by choices for risk identification, risk mitigation measures and alignment of risk controls on statutory legislation and regulation on RMP”. The MFRS structure of assumed risk is measured in terms of “dollar unit value” of the expected risk management outcomes which in turn influences on the “profitability of managing the risk based on the RMP”. The risk manager personnel interview noted that assumed risk and risk exposure “are vital in prioritisation of risks and impacts of the risks”. As a result, MFRS RMP provides data on risks that are “high, moderate or low”.
The MFRS RMP integrates “stakeholder risk tolerance” in its RMP. Stakeholder risk analysis involves “planning for risks that different stakeholders are exposed to”. The risk manager added that “determination of stakeholder risks provides an opportunity for personalisation of risks that stakeholders are exposed to” and ensures the MFRS understand criteria for risk management for the different stakeholders. Stakeholder risk tolerance also “forms basis for determination of future stakeholder business relationship hence projection of company profitability”. MFRS has a risk reporting format which provides “risk contents that should be reported” which plays a vital role in “documentation of the risks, analysis of risks and communication of risks to stakeholders”. Risk reporting framework, based on document analysis, indicated that “risk tracking is important component in risk communication”. Documentation of the risks plays an important role of “communicating experiences of the risks, communicating on response measures for future risks, communication lessons learned from the risks and rationale for risk auditing”.
The document analysis indicated that the MFRS RMP is founded on capacity towards “capability for employee motivation towards risk assessment, risk identification and mitigation and “development of capabilities for future risk management”. The document analysis indicated that “employees are trained on risk assessment and evaluation” in order to ensure risk “management is aligned to objectives and goals for risk elimination”. Training is meant to “improve on employee competence towards risk analysis”. Training helps to position “MFRS to measure capacity for achievement of risk management objectives”. The MFRS document analysis indicated that “RMP is structured on a cost allocation model” that has made it possible to adopt variable cost structure towards risk management”.
MFRS risk culture
Document analysis determined that culture on risks influences on capacity for organizational risk management. The MFRS documents analysis provided “framework that MFRS utilises in her risk management”. The documents provided “steps that should be followed in risk identification, risk assessment and description of a risk” and “threats to business bottom line that the risk poses”. MFRS therefore has structure that provides foundation for “risk indicators” and “contingency plans that ought to be implemented towards management of identified risk indicators”. MFRS foundation for risk assessment is based on key elements that are used “to determine potential for risk indicators” as provided by extension box below (extension box 1).
The MFRS risk management practices
The MFRS has a documented risk management practices that are based on four key elements provided by figure 3.
Plan risk mitigation and risk handling processes and risk outcomes
Document analysis of MFRS demonstrated that MFRS risk assessment criteria is structured towards “capacity for risk ownership”. Risk ownership plays an important role in “acceptance of the risk” hence capacity for the adoption of “risk management approaches” that are in line with identified “risk indicators”.
Focus discussion with the risk assessment team determined that “MFRS risk management approaches” are structured on risk management goals through identification of the risks which is informed by “risk description” hence formulation of risk management structures based on risk description approaches. The MFRS risk management approaches are based on key milestones that “risk management strategies should achieve”. MFRS RMP is based on “use of appropriate method for risk mitigation” which is based on “risk specific tasking”. Focus discussion with risk manager resulted into “MFRS risk specific tasking” elements which are namely “design of method of risk mitigation”, “testing of methods that should be used for risk management”, “analysis of cost-benefit of the risks identified”, and “simulation of the risk management approaches” to determine their sustainability in risk management. The risk manager noted that MFRS RMP is meant to result into adoption of “risk specific schedules” which are structured on “MFRS risk specific budgets” which play a leading role in “utilisation of appropriate risk management tools” as provided by figure 5.
The MFRS RMP is therefore a product of “risk management decision points” which provide potential for the adoption of alternative risk management approaches. The focus discussion with the risk assessment team determined that “risk knowledge, risk culture and management support for risk management” is important in risk management. There is therefore need for management awareness on risk “since this provides basis for acceptance of the risks” and capacity for alignment of risks to the “organizational objectives”. It also provides basis for “alignment of corporate policies on risks”.
MFRS risk structure and risk management processes
The risk manager noted that MFRS has a risk “structure and risk management processes that are structured on need for realisation of accountability and transparency”. Clarity of risk accountability “is essential component towards risk monitoring and control”. The MFRS risk structure is “mandated to evaluate emerging risks, review efficiencies of risk management strategies, review risk mitigation strategies and report on risk approaches to risk manager”. The document analysis agreed with focus discussion with risk assessment and appraisal team that “risk auditing is key to risk management”.
MFRS risk resources and risk management capacity
Document analysis indicated that MFRS has deployed sufficient “resources and risk management capabilities” towards reduction of risk incidents. The risk resources include “development of a learning culture on risks”, adoption of a “knowledge-driven economy” which ensures stakeholder collaboration in risk control and mitigation. MFRS has invested in training and development programs on risks whose content is reviewed based on emerging risks needs. Reviews on risk based materials for in-house training and development “ensure risk monitoring is sufficient and processes for risk mitigation are standardised based on risk mitigation and prevention.
MFRS tools and techniques for Risk management planning
The risk management scheme for MFRS involves use of “risk recovery planning” which is structured towards integration of marketing plans, financial plans and infrastructure support for risk management”. The MFRS has developed a website for reporting on risks to ensure risk management is timely. This is supported by a reward structure for motivating employees and stakeholders on risks. The risk management structure, based on document analysis, is supported by “renewal of administrative information systems on risk mitigation” which ensures enterprise-wide risk management approach is implemented.
MFRS risk matrix
The MFRS RMP is driven by “MFRS risk matrix” which provides a reflection of “MFRS degree of risk”. The “risk matrix” provides a breakdown of risks based on “risk categories”. The MFRS RMP based on risk matrix represents “MFRS quality of risk management”. The risk matrix design is meant to “map feasibility of risks and uncertainties” and measure “capacity for risk system alignment to risk scheduling and requirements”. The risk matrix provides information on current status of organizational risk profile through the determination of “support resources” that could support risk documentation and determination of activities and impact of different risk management processes towards reduction of risks occurrence.
The document analysis identified that MFRS has a functional RMP which is structured towards BCP. These are structured and aligned to MFRS risk management program plan which is built on key elements for risk management. The risk management integrates employee training and development which has own independent “risk training plan” as “in-house training program” and “out-of-house training program” where employees attend external training programs on risks management. The MFRS RMP is structured on use of risk managers who are responsible for coordination of MFRS RMP. Document analysis of MFRS RMP provided that MFRS has a “risk program plan” which is structured towards utilisation of the following risk management tools which is structured on key elements as represented by program plan (extension box 2).
Document analysis determined that MFRS risk management planning is supported by MFRS risk leadership and risk based strategies, risk accountability and risk reinforcement measures, communication framework of risks and supportive risk management infrastructure.
Recommendations for UAE
Developing an effective risk management plan is an important part of any project. Considering the instance of Manchester Fire and Rescue Service, it should be stated that the recommendations that should be given to UAE are based on the premise that risk management practices should be classified in accordance with the types of the risk, and each type should be managed separately within the frames of the joint risk management strategy. The next step that should be performed is the calculation of probability. It is impossible to manage risks without proper understanding of the credibility of its happening. Additionally, this will help to allocate resources properly: more probable risks will require more managing efforts, while less probable should be attributed to secondary risks, and managed with minimal resources available.
The mitigation stage is one of the most complexes, and the only recommendation that should be given is based on the fact that mitigation strategies should be implemented with proper calculation of the mitigation rate. In general, this presupposes proper consideration of the probability and the probability after mitigation steps implementation.
Contingency steps should involve the assessment of impact reduction. As a rule, these steps are implemented after mitigation strategies; however, the key aim of contingency is to reduce the effects of the risks, while the risks themselves should be minimized. Additionally, proper contingency methods require the calculation of the risk impact before, and after mitigation. Therefore, as it is stated by Moteff (2005), risk reduction involves joint mitigation and contingency.
Theoretic approaches towards risk management planning involve seven key steps:
- Understanding risk principles. It is impossible to manage risks without understanding their origins, consequences, and mechanisms. Hence, risks should be studied.
- Risks should be projected on the blueprint of project implementation. This is required for understanding which risks feature any part of project implementation, what causes these risks, and what should be reworked for mitigating these risks.
- Each risk should be divided into elements. As a rule, the risk is not a single problem, as it may involve several smaller aspects. Considering the fact that risk elements are solved jointly, the division of these factors will help to unite risk management strategies.
- Develop mitigation and contingency plans. This is performed in accordance with the probability and ranks
- This may be the next step of the previous action: each risk factor or component may be regarded as a separate risk, and managed correspondingly. However, unreasonable division of risks may cause ineffective resource allocation.
- The risks should be ranked. This is required for proper understanding of risk consequences, and this ranking may be applied for calculation of the probability.
- Develop mitigation and contingency plans. This is performed in accordance with the probability and ranks.
The final step that should be included into risk management plan, but is not regarded as a part of risk management strategy is risk monitoring. As a rule, managers neglect this rule, as they consider that monitoring is not required for mitigating risks. However, monitoring may decrease these efforts essentially. In general, risk management strategy is developed on the basis of proper resource allocation, and division of responsibilities. In accordance with the practices performed by Manchester Fire and Rescue Service, these responsibilities should be divided between at least three managers: risk manager, project manager, and CEO.
This section reports on whether the study achieved its goals and objectives with regard to risk management planning.
The study achieved its objectives by determining the structure for Manchester Fire and Rescue Service risk management planning. The results demonstrated that Manchester Fire and Rescue service risk management planning is structured on Risk management matrix. Risk management matrix has been used to develop structure for risk management planning based on input-output documentation of processes. The input-output processes involve activities that contribute into risk mitigation, risk assessment, monitoring and controls of risks to identify opportunities for the risks, risk analysis to determine approaches that could be appropriate for risk mitigation, and identification of capacity for organizational risk tolerance hence capacity for sustainability of business continuity planning.
The study findings determined structure of Manchester Fire and Rescue Services Risk management planning to be dependent on risk management tools which include evaluation of risk indicators, adoption of technical approaches to risk management, verification of risk management approaches in order to identify appropriateness of the risk management approaches to specific risks. The results determined that the rationale for risk management planning should be based on measures for risk mitigation that involve training and development of employees so that they are positioned to participate in risk assessment and reporting protocol and standards on risks that affect the business continuity planning. The results established that risk policies influence on the capacity for risk monitoring, risk evaluation and risk documentation. Risk policies influence on capacity for employees to participate in risk reporting and communication of risk to appropriate personnel. Risk policies influence on efficiency of risk whistle blowing and potential for protection of risk whistle blowers. Thus, risk policies play a leading role in stakeholder risk tolerance which impacts on organizational risk tolerance capacity.
The results demonstrated that risk management planning provides foundation for quantification of risks and determination of cost advantages of risks based on direct and indirect economic costs of risks. The risk management planning influences on capacity for organizational risk vulnerability subject to determination and sustainability of risk management strategies. The findings established that risk auditing plays an important role in determination of risk profile of organization and provides basis for risk management approaches that should be taken towards reduction of risks. The results demonstrated that risk culture, risk learning culture and alignment of risk management planning strategies influences on capacity for utilisation of risk management tools and techniques that could translate into resource utilisation and optimisation of returns on risk opportunities.
The findings established that risk communication provides foundation for lessons learned from risk management, which position the Manchester Fire and Rescue Services to utilise new knowledge learned from previous risks encountered and enhance quality of risk auditing, risk mitigation, risk control, risk assessment, risk appraisal and provide opportunity for development of risk-aware organization. As a result of risk communication, risk management planning should result into improvement of risk accountability and transparency hence improve on internal control. This has effect of improving ethical best practices for management and hence improvement of organizational stakeholder confidence and trust. It also provides opportunity for stakeholder engagement
The results established that a cost allocation model is important in the sustainability of risk management planning. Risk management planning is resource-intensive hence resource allocation influences on the capacity for risks to have positive or negative effects on the organizational bottom line through its influence on the liquidity of the organization. The liquidity of the organization is influenced by level of risk exposure which should be determined in order to provide the foundation for credit risk rating of the organization. Risk budgeting; (as a function of cost allocation model), influences on the capacity for the achievement of risk management planning objectives which translates into a reflection of level of risk that the organization could be exposed to. Risk management planning includes personnel risk auditing in order to identify role and responsibilities of key personnel in risk management.
Caracelli, Valerie J. and Greene, Jennifer C. Crafting mixed-method evaluation design, In J. C. Greene and V. J. Caracelli (eds.), Advances in mixed-method evaluation: The challenges and benefits of integrating diverse paradigms: New Directions for Program Evaluation, No. 74. San Francisco, CA: Jossey-Bass, 1997. pp. 19-32.
Chan W. Kim, and Renée Mauborgne. Blue Ocean Strategy, Harvard: Havard Business School Press. 2005.
Christensen, Larry B. Experimental Methodology. 5th ed. Boston: Allyn and Bacon. 1991.
Cook, Thomas D. and Campbell, Donald T. Validity. In T.D. Cook and D.T. Campbell. Quasi-experimentation: Design and analysis for field settings. Boston, MA: Houghton Mifflin, pp. 37-94. 1979.
Covello, Vincent T. and Allen, Frederick H. Seven Cardinal Rules of Risk Communication. Washington, DC: U.S. Environmental Protection Agency. OPA-87. 1988.
Crockford, Neil. An Introduction to Risk Management (2 ed.). Cambridge, UK: Woodhead-Faulkner. 1986. p.18.
Dorfman, Mark S. Introduction to Risk Management and Insurance (9 ed.). Englewood Cliffs, N.J: Prentice Hall. 2007.
Elmes, David G. Research Methods in Psychology. 4th ed. St. Paul: West Publishing Company. 1992.
Fetterman, David M. Ethnography, 2nd ed., Thousand Oaks, CA: Sage Publications. 1998b.
Fetterman, David M. Ethnography: Step by Step, Applied Social Research Methods Series, Vol.17, Walnut Creek, CA: Sage Publications, Inc. 1998a.
Gorrod, Martin. Risk Management Systems: Technology Trends (Finance and Capital Markets). Basingstoke: Palgrave Macmillan. 2004.
Greene, Jennifer C. and Caracelli, Valerie J. Defining and describing the paradigm issue in mixed-method evaluation. In J. C. Greene and V. J. Caracelli (eds.). Advances in mixed-method evaluation: The challenges and benefits of integrating diverse paradigms. New Directions for Program Evaluation, No. 74. San Francisco, CA: Jossey-Bass. 1977. pp. 5-18.
Guba, Egon G. and Lincoln, Yvonne S. Judging the quality of fourth generation evaluation. In E.G. Guba and Y. Lincoln. Fourth generation evaluation. Newbury Park, CA: Sage, 1989. pp. 228-51.
Hubbard, Douglas. The Failure of Risk Management: Why It’s Broken and How to Fix It. Oxford: John Wiley & Sons. 2009: p. 46.
Institute of Risk Management/AIRMIC/ALARM. A Risk Management Standard. London: Institute of Risk Management. 2002.
Lincoln, Yvonne S. and Guba, Egon G. Naturalistic inquiry. Beverly Hills, CA: Sage. 1985.
Martin, David W. Doing Psychology Experiments. 2nd ed. Monterey, CA: Brooks/Cole.
Moteff, John. Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities and Consequences. Washington DC: Congressional Research Service. 2005.
Stoneburner, Gary; Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems. Gaithersburg, MD: National Institute of Standards and Technology. 2002.