Chapter 11. Risk Management and Legal Liability

11.2 Risk Management Process

There are a variety of risk management models that have been utilized and promoted. Each is generally a variation on the same theme, with each having a slightly different approach to the analysis. You’ll find that large operations, government agencies, military, search and rescue all have their own proprietorial processes. Outlined below is the model from Destination Canada for small and medium enterprises. It has four stages: risk identification, risk analysis, risk control, and risk treatment (DC, 2003a).

Risk Identification

The initial stage of the risk management process is systematically identifying risks facing the organization. This step is often referred to as risk assessment. An organization can identify risks in the following ways (CTC, 2003a, p. 6):

  • On-site inspections and discussions with management and staff
  • Review of products, services, processes, and contracts
  • Review of historical activities and losses
  • Identification of possible risk scenarios

Once an exhaustive list of the risks is compiled, the next step is to ensure a thorough analysis occurs.

Risk Analysis

A typical risk analysis compares the probability (frequency) of any risks occurring by the consequence (severity) if they do occur. This can be done either in a qualitative or quantitative manner, with either numerical values or descriptors applied. For example, an analysis of the risk of the catastrophic failure of a ski lift at a resort resulting in passengers falling to the ground would likely indicate that the probability of this incident occurring is low due to historical records of use, and required maintenance for safety. However, the consequence would likely be high, considering there could be a large number of passengers involved in a significant fall, resulting in multiple casualties.

Operators need to respond (through risk control, see section below) if the analysis determines any of the following: 1) the probability of the risk occurring is unacceptable; 2) the consequence of the risk occurring is unacceptable; or 3) the combined impact of the probability and consequence is deemed unacceptable (Cloutier, 2000).

A carabiner with a twist lock.
Figure 11.4 Technical safety equipment needs to be regularly inspected as part of the risk management process.

Risk Control

Once the risks are identified and analyzed, the next step is implementing mitigation strategies for any unacceptable risks. This step is called risk control, and it comprises two primary concepts: exposure avoidance and loss reduction.

involves any mitigation strategies used to avoid the exposure to the risks. Examples are eliminating particularly hazardous activities or services, avoiding certain areas due to environmental threats, or changing a tour destination due to political unrest.

 is a different approach; it assumes that you have acknowledged the risk of a particular activity or service, and choose to continue to offer it, but will take steps to mitigate the severity of damage that may occur (CCTT, 2003a). An example is requiring all participants in a ski lesson to wear helmets; the risk of falling still exists, but you have taken action to reduce the severity of any fall.

Risk Treatment

Failing the ability to control all risks identified, the next step in the process is risk treatment. This includes the concept of risk transfer and risk retention. refers to the transfer of responsibility to another party, either contractually or by insurance. Risk can be transferred through contract either by entering into a contract for service, or by requiring participants to sign a waiver. Risk is transferred through insurance by paying premiums to an insurer, wherein they absorb the financial risk of an incident. refers to the level of risk that is retained by the company through a conscious decision-making process. Examples of this may include the decision to increase the size of insurance deductible to use, the use of self insurance, or consciously not transferring risks due to an inability to do so (CTC, 2003b).

Take a Closer Look: Emergency Response Plans/Emergency Action Plans

Part of a robust risk management process is either an Emergency Response Plan (ERP) or Emergency Action Plan (EAP). These documents are plans designed assist staff in responding to emergency situations. You will find an EAP in virtually every public building in BC. Your classroom most likely has one posted by the exit. The idea behind having such a plan prepared in advance is that it will help staff respond in a consistent, effective manner if an emergency occurs. The scope and nature of the activities dictate what type of plan is required. For more information on specific plans check with accrediting or licensing agencies related to the specific activity.

Media Attributions

  • Carabiner


Icon for the Creative Commons Attribution 4.0 International License

Introduction to Tourism and Hospitality in BC - 2nd Edition by Morgan Westcott and Wendy Anderson, Eds is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book