Skip to main content

From the Officer's Desk: Rules of Risk Management

"From the Officer's Desk" is a bimonthly column aimed at EMS leaders.

You may think of a crisis as an immediate threat to life safety, but any unexpected outcome that negatively impacts an organization, its stakeholders, or its community may create a crisis environment. Although managing crises effectively when they occur is essential, organizations must also strive to identify and guard against risk factors that can lead to crises. They should be able to identify, assess (i.e., prioritize), analyze, and mitigate such risks and control their environment once those factors are reduced. 

We are surrounded by risk. Organizational risk factors can be found in services, processes, systems, workflows, policies, geographic locations, specialized equipment, and other activities both internal and external. In attempting to identify them, the EMS officer must look at their organization or division from a macro perspective, internally and externally, with an eye toward all the threats it might face. Here are some example risk factors that could help foster a crisis:


  • EMS service delivery (poor care provided to patients); 
  • Lack of a capital replacement plan (may result in outdated and nonfunctioning equipment); 
  • Reduced staffing and hours of operation (not having the support to provide services); 
  • Minimal training to internal stakeholders (employees not prepared to manage critical events);
  • Billing for services (underperforming billing process may lead to misallocated or uncollected fees). 


  • Safety challenges from disasters, terrorism, etc. (resulting in injuries to responders or civilians);
  • Market competition (loss of revenue); 
  • Increased hospital turnaround times (limiting available transport units); 
  • Medication shortages;
  • Epidemics/pandemics (inability to handle increased demand); 

Using an organizational risk-management framework will provide an organized approach to minimizing and eliminating risk factors. 

A Risk-Management Framework  

Risk management is an approach that’s preventive, rather than reactionary. When poisoned Tylenol killed seven people in 1982, maker Johnson & Johnson handled the crisis so effectively, it became a teaching case: After the threat was mitigated (largely by pulling products from store shelves), the company implemented a risk-management plan that included tamperproof caps and seals on all bottles. 

An organization’s goal must always be to identify potential risk factors before the crisis occurs. A risk-management framework should encompass several aspects: a strategic risk objective or goal; identification, assessment/prioritization, analysis, and mitigation; and a method for controlling the environment once the risk is addressed. 

Identifying risk factors—Consider what internal and external organizational activities have the greatest potential to negatively affect the community, employees, or organization. Many organizations can spot risk factors as they conduct quality assurance chart reviews. However, EMS officers must expand the search into all aspects of service delivery. Don’t attempt this by yourself; establish a risk-management team and seek input from internal and external stakeholders and professionals who work with the identified risk factors every day.

Assessment—Focus on identified factors that could have the greatest detriment to life safety, followed by those that imperil the organization. Ask:

  • Does this risk pose a threat to life?
  • What is the probability of this risk becoming a crisis within 24–72 hours? 
  • What is the probability the crisis will cause life threats to internal and/or external stakeholders? 
  • What is the probability the crisis will affect the organization and prevent it from doing business? 

A onetime risk-crisis assessment is not good enough—the process must be ongoing. No matter how busy an officer may be, risk assessment should never become a low priority.

Risk analysis—After identifying and prioritizing risk factors comes the challenge of analyzing them. This entails quantifying how much threat they pose to the organization, stakeholders, and community. A key question is whether the organization has the tools and personnel to deal with the risk becoming real. 

Consider using a probability impact matrix. This scores the probability a risk will turn into a crisis and its impact. Assign numerical values of 1–3 to each risk factor based on probability and its corresponding impact potential based on severity, where 1 is low, 2 is medium, and 3 is high. To obtain a risk score, multiply the probability of the risk by the severity of its impact. For instance, a risk with a moderate likelihood of occurring (2) but great consequences if it does (3) would have a risk score of 6 (2x3). 

Note the maximum score under this matrix would be 9, representing the gravest possible risk. 

Mitigation—When creating a mitigation plan, build on information gathered during the analysis phase. Plans should be easy to follow and clearly articulate how to mitigate each risk factor:

  • State clearly that the safety of all personnel at all times is the first priority and promoting situational awareness and injury prevention is critical; 
  • State how the risk will be mitigated; 
  • If a risk could involve the community, provide specific information about sheltering or other safety needs; 
  • Use the necessary tools to eliminate or minimize the risk; 
  • Include simple process flow charts; 
  • Assign a spokesperson to disseminate information to stakeholders if there’s a threat of the risk becoming a crisis; 
  • Specify how the risk-mitigation team will communicate with each other: monthly meetings, videoconferences, conference calls, e-mail, etc. 

These plans must be routinely updated. 

Controlling the environment—This part is difficult—it requires constant monitoring and evaluation to determine if the risk factors that were eliminated or minimized don’t recur as threats. Note that risk factors that were simply reduced, rather than eliminated, may remain present. 


EMS officers are responsible for preventing the risks that threaten their organizations from becoming crises. Employing a risk-management framework that clearly delineates how to set strategic risk objectives; identify, assess, analyze, and mitigate risk factors; and control the environment afterward will help them do this successfully. Select a risk-management tool that works for your organization and begin working toward a less risky environment. 

Orlando J. Dominguez, Jr., MBA, RPM, is assistant chief of EMS for Brevard County Fire Rescue in Rockledge, Fla. He has more than 30 years of EMS experience and has served as a firefighter-paramedic, flight paramedic, field training officer, EMS educator, and division chief. He recently earned his Lean Six Sigma Black Belt. 

Back to Top