Many companies have adopted a regimen to analyze all risks collectively rather than individually or in segments. This is known as enterprise risk management and it takes the various aspects of risk — operational, financial, compliance, governance, reputation and others — and places them side by side so managers can see how risks affect the organization's overall health. It also looks at how these risks interplay with each other and ultimately affect the organization's goals, objectives and operations. Often, operational risks can become financial risks, which in turn can become reputation risks that can have serious consequences for the firm if they are not addressed in an appropriate way.

The notion of risk management is not new to the fire service. Indeed, the fire service has become rather adept at operational risk management, particularly as it relates to protecting members from injuries or death. But merging the study of all risks involved in a department's day-to-day operations and its long-term management has not yet taken root. However, given the variety and, in some cases, the depth of risks confronting the fire service, embracing the enterprise risk management approach will help firefighters and managers identify latent risks from past practices, better manage present risks and anticipate future risks.

There was a time when the idea of risk in the fire service was relatively clear-cut: put the wet stuff on the hot stuff without firefighter injury and death or with a minimal amount of collateral property damage (with that last part a much lower priority). This became more sophisticated when put in the context of the proverbial cost-benefit analysis and the service accepted the idea that life and property risk, in that order, were the only priorities when considering dangers confronting firefighters. The actions of fire officers and firefighters, it followed, should reflect the cost-benefit realities before charging into a burning building. Certainly, this development is a point on the evolutionary path of progressive fire service management. And there since have been further advances in other risks, such as emergency-vehicle operation, health and wellness, workplace, and harassment.

It is wrong to chart progress in fire service risk management along a linear path, like a one-dimensional chronology. This will unnecessarily constrict the fire service's perspective of the nature of the risks it faces on and off the fireground and place a chilling effect on the ongoing efforts to increase managerial professionalism and expertise.

But what is enterprise risk management? The Committee of Sponsoring Organizations of the Treadway Commission in its 2004 report defines it as: “A process, effected by an entity's [governing body], management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within [the entity's] risk appetite, to provide reasonable assurance regarding the achievement of the entity's objectives.”

Risk should be looked at from the perspective of the entire organization. Further, replace the notion of a straight-line graph. Progress made in risk management should be illustrated with a flow chart showing vertical and horizontal dynamics or circular rotations to articulate the interrelationships between risks arising from the interrelationships of the various moving parts of a fire department.

As the CSO report suggests, enterprise risk management is not so much an event, as in “we have enterprise risk management,” as it is a process, an ongoing and flowing practice through the organization.

Consider the problems that some in the fire service have experienced of late:

• Operational issues involving line-of-duty deaths and injuries in training and response situations arising from outdated equipment and techniques or lapses in judgments and oversight.
• Legal issues involving vehicle incidents in which third parties are injured or killed.
• Compliance issues regarding rules for conducting live and simulated training.
• Governance and financial issues surrounding questionable trips and purchases under the guise of fire training.

Each of these issues presents clear and obvious risks and the opportunity to spawn other risks. For example, legal risks present financial risks far beyond paying settlements or judgments; financial risks present operational risks if there is less money with which to operate the department; and compliance risks present legal risks, especially if the compliance shortcomings involve a violation of law or regulation. And all of these present serious reputation risks that can hurt a department's ability to raise money, gain support for projects or attract quality candidates.

A major challenge facing the fire service, like most industries just now coming to accept enterprise risk management, is that there is no mechanism for initiating and maintaining this regimen. To be sure, some municipalities have risk managers who have the fire department within their purview of responsibility. But the fire service has not developed a position that can assume the task of enterprise-wide risk management. Safety chiefs or battalion chiefs probably come closest to this notion. These are mostly fireline jobs that do not extend to the upper reaches of the organization in scope of authority or purview of purpose. Furthermore, finance is handled by commissioners or finance units outside of the fire department, or in separate operating silos from the operational commands. Legal usually is managed by outside or corporation counsels, and reputation often is managed by crisis management teams and media advisors brought in by senior management, usually after something bad has occurred.

Organizations that have accepted enterprise risk management have created positions, committees or groups and given them proper authority to identify, analyze and assess risk from the top down and across the entire enterprise.

The fire service is not alone in the need to focus more attention on enterprise risk management. A 2007 survey by The Conference Board, a business research organization, found that ERM has not yet occurred in most companies. The Conference Board also noted that ERM generally takes three to five years to implement, and companies often start and restart crafting an ERM framework that is viable for their particular organizations.

For it to work in the fire service, local officials need to create the position of chief risk officer of the fire department. Additionally, or alternatively, they must consider developing a risk committee of fire department senior managers. The primary objective of the chief risk officer or the risk committee should be to assess risks across the full spectrum to understand how they are connected and what likely consequences are to be expected as a result of a failure to properly manage those risks.

Positions and committees alone are not enough. Freedom to make the essential inquiries and examinations, and access to information and decision-makers within the fire department are key to making enterprise risk management work. In a vertically integrated, chain-of-command environment like the fire service, this will be difficult. But risk examination up and down the vertical structure will give fire department managers a much better feel for how their entity truly operates.

Likewise it will be hard for departments to step away from traditional sources of risk management guidance — insurers and fire service lawyers — and subject themselves to the rigors of enterprise risk management assessment. Fire departments will have to open themselves to outside scrutiny, from management advisors, external auditors, loss-control experts and others who have helped businesses gain the upper hand in managing risks. The fire service is as insular as it is tradition-bound, making external examination difficult to accept at first blush. However, a fire chief certainly would want these same resources coming into the organization on his or her terms before problems arise rather than on someone else's terms after a theft, a fireground death, a bookkeeping irregularity or a round of bad publicity.

Enterprise risk management is one way for the fire service, paid and volunteer alike, to become more accountable for its operations and management.

Gregory V. Serio is chief of the Verdoy Fire Department in Latham, N.Y., and a licensed attorney. He is a partner in Park Strategies LLC, and leads its risk and insurance management practice group. Serio also serves as a principal of Compass Cos. Risk Management Consultants. From 2001 to 2005, Serio was superintendent (commissioner) of insurance for the state of New York.