Risk is an inevitable aspect of law enforcement operations. Bad outcomes occur. And when they do, agencies face the potential for lawsuits and officers face the even more disturbing possibility of judgments against their personal property and assets, termination from their agencies, and even criminal charges. This is why the evolution of policing in the 21st Century requires a more direct and active role in mitigating inherent risks.
While risk involves the potential for loss or injury, risk management is a process used to mitigate risks by analyzing trends, establishing controls, and actively overseeing often predictable behaviors or actions. In their book "Fundamentals of Risk Management," S.D. Ashley and R. Pearson define risk management as a "… process for managing risks that you can identify — and insuring those you can't manage." For this discussion, the insuring element involves active monitoring throughout the various organizational levels of a law enforcement agency.
While this is a relatively new concept for many law enforcement organizations, it is important for all personnel at all operational levels to embrace risk management strategies that are designed to protect both internal and external stakeholders. It is also important to understand that the mitigation of risk is a process that requires buy-in and active participation at all organizational levels.
Risk Management Philosophy
The risk management process incorporates many different systems ultimately designed to protect a given organization from both internal and external threats. These threats are what can erode public and organizational confidence in internal resources, command structures, and policies.
While some risk management programs focus largely on internal personnel liability concerns, such as early warning systems, other programs appear to encompass not only personnel liability, but organizational liability from a more global perspective.
Some agencies incorporate internal audits into the process. Others depend on a staff inspection process or accreditation, neither of which typically drills down deep enough to sufficiently protect the organization from both internal and external threats. Many staff inspection processes feature systematic approaches, which scratch the surface of what could be a more in-depth internal audit-type mechanism. There is also a great deal of emphasis placed on the feel-good effect associated with many staff inspection processes. While morale and relationship development are important, these do not protect the organization.
Additionally, while accreditation arguably brings about a certain level of assumed organizational professionalization, some of the concepts are also an Achilles heel. Since accreditation involves a set of generically applicable standards designed to fit any type of department, it largely fails to incorporate agency-specific standards that wholly protect the organization within its organic form. Accordingly, while accreditation also involves a systematic audit-type process, that process simply explores whether an agency was able to show it satisfied the generic standards at hand — another aspect that fails to adequately protect the organization.
An effective risk management program incorporates some fundamental elements designed to offer 360-degree organizational protection. The military uses a five-step model that includes: hazard/risk identification; hazard/risk assessment and analysis; development; implementation of internal controls designed to mitigate risks; and a supervision and evaluation process that ensures standards are conformed to and enforced at all organizational levels.
A comprehensive program also looks at various risk/threat factors such as:
- Physical Environment
- Legal Environment
- Operational Environment
- Political Environment
- Social Environment
- Economic Environment
- Internal Environment
An effective internal audit process is also critical to the success of a risk management program. An internal audit process ensures compliance is maintained to some degree, especially considering future events are often predicted through an examination of past occurrences. Internal audit involves a random sampling of what the organization does and then involves drilling down deep enough to ensure that the organization is operationally doing what they say they should be doing. The internal audit process looks for problems or trends before they elevate to critical mass levels and expose either employees or the organization to avoidable risk.
Establishing Risk Management
A law enforcement agency seeking to establish a risk management program should identify primary risk categories for each operational component. From there, continue to synthesize that data and work with the components in order to identify strategies for assessing and controlling various types of risk.
The risk management concept will ultimately reshape the manner by which the organization functions and involve more active participation from not only command-level leadership but also first-line leaders and other employees across all organizational levels.
Establishing a comprehensive risk management program involves four primary stages, each supported by a conceptual framework of integral tasks.
Stage 1: Program Development
This stage involves identification of relevant risk factors, establishing risk management goals and/or objectives, staffing, and policy considerations. Primary sub-components include:
Planning: Your program has to address relevant organizational needs pertaining to risk. Ideally, your planning sets the basis for how risk is viewed and addressed by the agency's sworn and non-sworn. An organizational strategy establishes benchmarks and outlines specific goals and objectives designed to drive the organization forward in an ever-changing world.
While many organizations utilize a strategic planning program, many personnel do not harbor a clear understanding of the concept. Looking at strategic planning from an overall standpoint ensures an agency is remaining productive and cutting edge. Planning helps define innovative goals and/or objectives designed to maintain a contemporary organizational posture (survival into the future). This should be something all law enforcement leaders are engaged with, as it helps determine where their agencies are going, how they are going to get there, and what their needs will be as they navigate into the future.
Staffing: Identify relevant stakeholders throughout the organization, not just within typical oversight functions historically found within internal affairs and human resources. In order to embrace a true risk management philosophy, all organizational members must be exposed to these concepts and they must clearly understand their role in the process. Most successful risk management models recognize the importance of informal leaders in order to foster a successful program.
Public service organizations are extremely regimented and have a great deal of process-oriented movements, which are typical within bureaucratic or tall organizational structures. While not unique in that respect, law enforcement has entered a new era with a new generation of officers who require more information in order to subscribe to change. Most organizations have myriad processes, but lack a clear understanding of why many of those processes are important. If organizations don't address and answer the why, they will not get to where they need to be in today's workplace. All agencies share a responsibility for educating their personnel and then empowering their workforces to make good decisions that are paramount to organizational success. Establishing necessary buy-in requires a philosophical approach and starts with first-line leadership.
Policy: Not only does effective policy provide the necessary framework for your risk management program, it also distributes responsibility and identifies procedures for effective risk mitigation. Many organizational policy inventories feature cumbersome, fragmented, conflicted, and voluminous amounts of standard operating procedures. An effective risk management program must have a firm foundation to build upon. Organizational policy provides that foundation; therefore, organizations must synergize and work toward effective policy changes that support a comprehensive program if they are to experience positive results.
Stage 2: Risk Assessment
This is a critical element of a risk management program and is necessary in order to identify and prioritize risks. Primary sub-components include:
Risk Identification: Obviously those who are closest to the organizational work efforts for a given component are in the best position to identify risks. Additionally, an analysis of historic data is important in order to understand recurring risk or patterns of activity, actions and/or behaviors, which contribute to organizational liability.
All components should work to identify risk and research past activity related to workplace injury, internal affairs, and litigation in order to formulate effective risk management plans. This step also involves an examination of best practices within similar organizations in order to incorporate proven strategies.
Risk Prioritization: Obviously not all risks are created equal and even though certain risks lack frequency, in law enforcement that does not always direct active efforts from a risk management approach. Deadly force is one such example. While occurrences of deadly force are relatively infrequent, the level of organizational risk from such incidents is extremely high and requires prioritized consideration. Command staff should be asked to prioritize risks specific to their operational environments.
Stage 3: Solution Analysis
This critical step involves putting the research into motion and identifying, evaluating, and implementing effective solutions designed to mitigate organizational/employee risks. Primary sub-components include:
Identification of Solutions: Commanders should be asked to identify potential controls, which could be used or are being used to manage risk within their respective components. Typically, solution identification involves risk control/mitigation, avoidance of risk behaviors or transferring risk from one entity or location to
Evaluation of Solutions: Another important aspect of the process involves evaluation of all identified solutions. Policies and infrastructure support within a given organization play an important role in choosing the appropriate solution. Identification of appropriate resources and cost analysis fall under this element as well.
Implementation of Solutions: Once appropriate risk mitigation strategies are identified and evaluated, they must be incorporated into practice within all levels of the organization. Not only does this phase involve effective policy management, but also comprehensive training strategies designed to turn organizational philosophies into organizational culture.
Stage 4: Program Administration
All relevant stakeholders must ensure risk management concepts are not only appropriately designed to mitigate risks to employees and the organization, but also monitored in such a manner that supports overall effectiveness across the broad spectrum. It is incumbent upon all components to equally share in the distribution of resources dedicated to risk management strategies. Primary sub-components include:
Monitoring: As Mark Cooper wrote in "Safety Management in the Emergency Response Services," no one area of a risk management program operates in a "vacuum." In other words, risk management is not simply a component manager responsibility, but one all internal stakeholders from the operational level up should embrace and actively participate in. In that regard, a research and planning body should primarily serve a consulting and coordinating role within the organization's risk management approach. Keep in mind, this is a process that involves everyone.
Assessment: Data should consistently be compiled and analyzed in order to determine whether existing strategies are effective and contemporary with ever-changing best practices, policies, and accreditation standards. Any successful risk management program must be flexible and adaptive to changing operational environments. This is a difficult concept for many governmental organizations, as is the desire to often apply a one-size-fits-all approach to managing problems. Effective risk management strategies are component specific and should be subject to change.
Communication: Like any other important organizational feature, effective risk management strategies require abundant communication throughout all organizational levels. Communication also assists with the buy-in element as well as with illustrating the how and why — important features in gaining the necessary amount of involvement from all personnel, especially those who are early in their career.
Assessing law enforcement risk does not involve simply reviewing a single policy, document, or set of statistics. It is a comprehensive, methodical, and ongoing process requiring a systematic examination of operations, documentation, training, internal systems, and behaviors associated with risk. Virtually every organizational function in law enforcement agencies features some degree of risk. That's the nature of the profession and one that requires ongoing focus in order to minimize exposure to employee and organizational risks.
Another important consideration centers on how well organizations educate their personnel. In order for risk management strategies to work, line function employees must believe in the principles and clearly understand what is expected of them. In addition, their activities must be monitored and measured against the intended goals of the program in order to be effective.
Captain Rex M. Scism is a 30-year law enforcement veteran who currently serves as the director of research and development for the Missouri State Highway Patrol. Scism holds a master's degree in criminal justice and frequently lectures on police leadership and management concepts throughout the country. He is an adjunct faculty member in the department of criminal justice for Columbia College.