ILOILO CITY COMMUNITY COLLEGE

Bachelor of Science in Tourism Management

THC2 -Risk Management in
Application to Safety, Security and Sanitation

Module Contents
I. Learning Outcomes
II. Learning Materials
III. Learning Activities Management
IV. Evaluation/Student’s Activity

I. Learning Outcomes
Dear student, at the end of the chapter, you will be able to:

• Describe the principles of risk management

• Recognize factors to consider in risk analysis

• Explain the importance of risk assessment

II. Learning Materials

• Gadget with internet access, basically for Facebook, messenger, PDF or MSWord

III. References

• Risk Management as Applied to Safety, Security, and Sanitation by Ricaforte, B. G. R. & Cruz, R.
G., Rex Book Store

IV. Learning Activities

What is Risk Management?

As a management tool, risk assessment is powerful as it provides fact-based and science-based decision-
making in safety, security, and sanitation. The holistic process of risk assessment is carried out by using
the principles of risk recognition, risk analysis, and risk evaluation. Risk management is conceptually
presented in the figure below:
 “Framework of the Book for Risk Assessment” reprinted from Risk Management as Applied to Safety,
Security, and Sanitation by Ricaforte, B. G. R. & Cruz, R. G., Rex Book Store. Permission not sought.”

Risk Principle
Creation and protection of value across an organization for performance improvement, innovation,
promotion, and goal achievement are the very purpose of risk management. It is then a proactive
management tool in preventing occurrence of possible risk and hazards in the company’s value chain.
The principles of effective risk as management based on Philippine National Standards 31000:2018 (PNS
ISO 31000:2018) are as follows:

a. Integrated. Risk management is an integral part of all organizational activities.

b. Structured and Comprehensive. A structured and comprehensive approach to risk
management contributes to consistent and comparable results.
c. Customized. Customized and proportionate to the organization’s external and internal
context related to its objectives.
d. Inclusive. Appropriate and timely involvement of stakeholders enables their knowledge,
views, and perceptions to be considered resulting in improved awareness and informed risk
management.
e. Dynamic. Anticipates, detects, acknowledges, and responds to those changes and events in
an appropriate and timely manner.
f. Best available information. The inputs to risk management are based on historical and
current information and on future expectations. Information should be timely, clear, and
available to relevant stakeholders.
g. Human and cultural factors. Human behaviour and culture significantly influence all aspects
of risk management at each level and stage.
h. Continual Improvement. Risk management is continually improved through learning and
experience.
 Risk assessment starts with risk identification. The purpose of risk identification is to find, recognize,
and describe risks that might help or prevent an organization to achieve its objectives. The organization
should identify whether it is controllable or uncontrollable.

Types of risk

1. Compliance (mandatory) Risks.

As the name suggests, compliance risks involve government-mandated licenses, business permits,
and requirements.

2. Hazard (or pure) Risks.

These are the risks that can prevent or deter the achievement of company’s goals, missions, and
objectives. Typical examples include insurable-type risks to include fire, typhoon, flood,
earthquake, and injury among others, causing normal operations to be affected by loss,
breakdown, theft, and other threats. Hopkin (2018) also provided operational-disruption examples
caused by people, premises, processes, and products.

3. Control Risks.
These are risks that can cause uncertainty or doubt about the ability to achieve company’s goals,
missions, and objectives.

4. Opportunity Risks.
These are risks that are usually deliberately sought or embraced by the organization specifically for
the future long-term success of any organization.
 Categories of Operational Disruption

Category Examples of Disruption

People Lack of people skills and limited resources
Improper behaviour by a manager
Unexpected absence of key associates
Sickness, illness, or injury to associates
Premises No enough prohibition
Damage or contamination to premises
Damage of physical assets
Theft of physical assets
Processes Failure of IT hardware or software
Interference due to computer virus and hacker
Mismanagement of information
Communication or transport failure
Products Poor product or service quality
Supplier failure
Delivery of defective goods or its parts
Logistics failure

“Categories of Operational Disruption” reprinted from Risk Management as Applied to Safety, Security, and Sanitation by Ricaforte, B. G. R. &
Cruz, R. G., Rex Book Store. Permission not sought.”

ACTIVITY 1.1

1. Among the 8 principles of effective risk management as discussed above, which do you think should
be prioritized by a tourism-related enterprise? Explain clearly and concise. (10pts.)

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Risk is the effect of uncertainty on objectives. It is usually expressed in terms of sources, events,
consequences, and likelihood.

An effect is a deviation from the expected which can be positive, negative, or both. It can address,
create, or result in opportunities and threats.

Objectives can have different aspects and categories and can be applied at different levels.

Risk management are coordinated activities to direct and control an organization with regard to risk.
RISK ANALYSIS
The purpose of risk analysis is to comprehend the nature of risk and its characteristics and the
level of risk. It involved detailed consideration of uncertainties, consequences, events, scenarios,
controls and their effectiveness.
Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be
treated and how, and on the most appropriate risk treatment strategy and method.
Renfroe and Smith (2016) defined threat assessment as consideration for the full spectrum of
threats (i.e., Natural, criminal, terrorist, accidental) for a given facility/location.
Once the possible threat is identified, a vulnerability assessment must be performed to
consider the potential impact of loss from a successful attack and vulnerability of the facility, location, or
event to an attack.

1st asses the impact of loss. It is defined as the degree to which the facility or event is compromised by a
successful attack from the given threat and it can be categorized as follows:

• Devastating: The facility is damaged/contaminated beyond habitable use. Most items/assets are
lost, destroyed, or damaged beyond repair/restoration. The number of visitors to other facilities
in the organization may be reduced by up to 75% for a limited period of time.
• Severe: The facility is partially damaged/contaminated. Examples include partial structure
breach resulting in weather/water, smoke, impact, or fire damage to some areas. Some
items/assets in the facility are damaged beyond repair, but the facility remains mostly intact.
The entire facility may be closed for a period of up to two weeks and a portion of the facility
may be closed for an extended period of time (more than one month). Some assets may need to
be moved to remote locations to protect them from environmental damage. The number of
visitors to this and other facilities in the organization may be reduced by up to 50% for a limited
period of time.
• Noticeable: The facility is temporarily closed or unable to operate, but can continue without an
interruption of more than one day. A limited number of assets may be damaged, but the
majority of the facility is not affected. The number of visitors to this and other facilities in the
organization may be reduced by up to 25% for a limited period of time.
• Minor: The facility experiences no significant impact on operations (downtime is less than four
hours) and there is no loss of major assets.

2nd measure the level of vulnerability.

Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of
deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a
measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or
symbolic importance of the facility. Sample definitions for vulnerability ratings are as follows:

• Very High: This is a high profile facility that provides a very attractive target for potential
adversaries, and the level of deterrence and/or defense provided by the existing
countermeasures is inadequate.
 • High: This is a high-profile regional facility or a moderate profile national facility that provides an
attractive target and/or the level of deterrence and/or defense provided by the existing
countermeasures is inadequate.

• Moderate: This is a moderate profile facility (not well known outside the local area or region)
that provides a potential target and/or the level of deterrence and/or defense provided by the
existing countermeasures is marginally adequate.

• Low: This is not a high-profile facility and provides a possible target and/or the level of
deterrence and/or defense provided by the existing countermeasures is adequate.

3rd, identify the level of risk. Risk analysis then can be defined also as a combination of the impact of
loss rating and the vulnerability rating used to evaluate the potential risk to the facility or to an event
from a given threat. A sample risk matrix is depicted in Table 1. High risks are designated by the red
cells, moderate risks by the yellow cells, and low risks by the green cells.

Table 1. Matrix Identifying Levels of Risk

A. Minimal Threat

B. Potential Threat

C. Credible Threat
D. Defined Threat

Source: (Renfroe, N., & Smith, J. (2016, August 8). Resource Pages | WBDG - Whole Building Design Guide. Wbdg.org. https://wbdg.org/resources/threat-
vulnerability-assessments-and-riAsk-analysis#:~:text=%22Risk%20is%20a%20function%20of%20the%20values%20of

Lastly, the ratings in the matrix can be interpreted using the explanation shown in Table 2.

Table 2. Interpretation of the Risk Ratings

Source: (Renfroe, N., & Smith, J. (2016, August 8). Resource Pages | WBDG - Whole Building Design Guide. Wbdg.org. https://wbdg.org/resources/threat-
vulnerability-assessments-and-riAsk-analysis#:~:text=%22Risk%20is%20a%20function%20of%20the%20values%20of

Risk analysis is an analytical process to provide information regarding undesirable events in which it
estimates probabilities and expects consequences for identified risks.

An event is the occurrence or change of a particular set of circumstances. It can have one or more
occurrences and can have several causes and have consequences. It can also be defined as an expected
situation which does not happen or an unexpected situation which happens.

Threats maybe the result of natural, critical, terrorist, accidental acts to cause harm.

Consequence is an outcome of an event affecting objectives.

Vulnerability describes the characteristics and circumstances of a community, system or asset that
make it susceptible to the damaging effects of a hazard.
Risk Evaluation
The purpose of risk evaluation is to support decisions. The purpose of Risk Evaluation involves
comparing the results of the risk analysis with the established risk criteria to determine where additional
action is required
Risk Evaluation Matrix

Cuskelly and Auld (1989) suggest the use of a risk evaluation matrix as shown. It contains four
management response options according to the level of identified risk. Risk evaluation matrix is a
management tool which accurately assess business exposure, based on the frequency and severity of
identified potential risks.

HIGH
Reduce Risk Avoid Risk
Frequency of Risk
Potential

Retain Risk Transfer Risk

LOW HIGH

Severity of Risk Potential

“The Risk Evaluation Matrix” reprinted from Risk Management as Applied to Safety, Security, and
Sanitation by Ricaforte, B. G. R. & Cruz, R. G., 2020, Rex Book Store. Permission not sought.”

Risk Retention – Both the frequency and severity of risk is low. The business operator assumes and
accepts a certain level of losses. Retention is either passive (risks are retained by business operator
without the knowledge that they are occurring), or active (where risk is identified and a decision is made
to retain and pay for any losses from the business operator’s own resources).

Risk Transfer – is where the frequency of risk potential is low, but the severity of a potential incident is
high. The most common approach is transferring responsibility to other parties (e.g. insurance, waiver of
accountability)

Risk Reduction– is where the severity of a potential risk remains low, but the overall frequency of risk is
increasing the need to consider ways of reducing their exposure

Risk Avoidance – is where frequency and severity of risk potential are both high, business operators
should consider cancelling a program of activity
Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to
determine whether or not a specified level of risk is acceptable or tolerable.
Risk evaluation matrix is a management tool which accurately assess business exposure, based on the
frequency and severity of identified potential risks.
V. Evaluation
1. List 3 tourism activities or hobbies which are alcohol-free. Try to include activities which involve
different levels of risk. (at least 1 each of low, medium, high, very high)
2. List at least 3 long and 3 short-term risks of each activity.
3. Consider the different risks that you have noted, rate it either low, medium, high, very high.
4. Explain a brief why would you do it? Or explain why would you not do it?
Name and
Section:
Level of Risk Would
Tourism (Low, Medium, you, do it?
Activities Risk High, Very-High) Yes or NO Why?
1 Short-term risk
1
2
3
Long-term risk
1
2
3
2 Short-term risk
1
2
3
Long-term risk
1
2
3
3 Short-term risk
1
2
3
Long-term risk
1
2
3

Deadline of submission is on March 1, 2022. Send your answers in messenger named: MsAnn Waclyn