In a memo addressed to Berkshire Hathaway managers, Warren Buffet stated, “Culture, more than rule books, determines how an organization behaves.”1 When it comes to risk management (RM) in law enforcement, the same concept applies. RM protocol is one of the most important components in law enforcement and public safety, both in the daily administrative mayhem and operational duties. RM in law enforcement certainly encompasses policies and regulations protecting peace officers and their agencies from lawsuits stemming from an array of risks, but, as indicated, it is more than the textual language in documents and policies. It is also the contextual factors (environmental, social, and cognitive) that influenced the language—the story behind everything. Law enforcement personnel at all levels need to see RM efforts as doing what is right for the agency and the community.
There is nothing like receiving a call to start an internal investigation because an officer’s or deputy’s actions violated someone’s civil rights or a notification that the lack of decision-making from a manager made a bad situation worse. The leader’s immediate internal reaction to such complaints is often stress, panic, or worries about long-term effects on the agency and the communities impacted. The investigator immediately hopes this complaint is invalid and unsubstantiated. And if so, then what will it cost the agency? Is there another complaint against the same person?
A survey conducted by the author on April 11, 2017 with law enforcement executives and RM experts provided insight into their immediate thoughts when they hear the phrase “risk management.” Their collected responses included finances, training, cultural competence, selection, hiring, succession, cyber exposure, officer wellness, failure to supervise, negligent retention, and inequalities in assignments and disciplines—all of which are factors that put the agency and the community at risk.2
Agencies that employ proper RM protocols clearly define their missions, mitigate and reduce risks and liabilities, and inspire buy-in (support and ownership) at all levels of the organization.
Many law enforcement leaders understand that RM has to be practiced in every facet of the profession. Police experts believe RM is addressed in the agency’s policy, procedures, and general orders. Experts also believe risk is mitigated through relationships and communication, successful community-police relationships, and better relationships among employees. There are progressive RM trends in law enforcement already under way by leading agencies that have figured out how to do it right. Agencies that employ proper RM protocols clearly define their missions, mitigate and reduce risks and liabilities, and inspire buy-in (support and ownership) at all levels of the organization. Flagship agencies understand that successful RM protocol epitomizes both protection and service of all communities (including their own first-line personnel).
Risk Management: Definitions, Facts, and Myths
RM has been defined as “[t]he identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks,” which is similar to the issues managed by law enforcement.3 With this definition in mind, RM does matter to the profession. In order for the RM mind-set to matter to everyone, it has to make sense and be relevant to all individuals and groups affected. One step to creating this buy-in and understanding is to dispel several myths about RM.
Dr. David Hillson, known as the Risk Doctor, identified the following 10 myths of risk management:
1. All risk is bad.
2. RM is a waste of time.
3. What you don’t know won’t hurt you.
4. The risk manager manages risk.
5. All risk can and should be avoided.
6. Our projects aren’t risky.
7. Risk management requires statistics.
8. Risks are covered by routine processes.
9. Contingency is for wimps.
10. Risk management doesn’t work.4
Imagine if everyone in law enforcement really held these attitudes. How often would leadership and lawyers battle in mitigation meetings? How stressed and stretched will the RM team be in response to the liabilities? How difficult would be for supervisors to manage their personnel through this culture of complacency A quick online search can result in multiple examples of court cases and payouts to settle cases between citizens and the police agencies; however, this is minimal information on communication and relationships to support the work of RM. Be sure to seek the advice the RM experts in your organization for protocols.
Risk Mitigation and RM Protocols
The RM team for a Midwest public school District, with its own school police agency, provided the following five RM phases they propose be followed by all employees.
1. Identification—Identify any and all hazards.
2. Analysis—Analyze these hazards as to their relevance.
3. Control—Reduce or eliminate identified hazards with training, engineering controls, or transfer.
4. Finance—Determine how much it is going to cost to control hazards and how these costs will be paid
5. Administration—The ongoing review and implementation of the above.5
There are several great agencies (large and small) with top to bottom leaders who effectively model the best RM behaviors. Nonetheless all law enforcement leaders must be competent in the rules of engagement of RM, with knowledge that extends beyond the rule book. This competency inevitably includes finding ways to get others engaged, motivate cooperation, and inspire compliance with this 21st century way of thinking about RM. In the article, “Managing Employee Risk Demands and Data, Not Guesswork,” William E. Kruse and Nate Dvorak state, “Quite simply, culture [italics in the original] is what employees are doing when no one is looking.”6 Law enforcement experts must remember RM is not only a concept, but also a practice that focuses on the needs of the people more than mere policies. Industry experts believe that organizations prepare for future events by employing tools and tasks focused on risk assumptions and avoidance, and the combination of other techniques. There is no one template that fits all agencies. Agency leaders need to sit at the table together to troubleshoot, forecast, and problem solve.
So how does an agency facilitate a culture and attitude of safety and the proper management of organizational risks? As the short survey of law enforcement leaders performed by the author indicated, training is a key component in RM protocol.7 In order to build a culture of RM, the concept must be taught, reinforced, and consistently branded throughout the systems of the agency (e.g., training, policies, procedures, communications, incentives and rewards, role modeling, discipline), and, as previously stated, RM and safety must matter to the single common denominator: the individual.
RM is both proactive and reactive. Agencies are proactive when they make RM a priority and seek potential threats and problems on the front end.8 Determine priorities for teaching and educating employees by using the law of total probability—calculating different parts (fully or partially known) to come up with the total. Applause is due to law enforcement leaders who recruit the best people to sit at the table of risk management and who are true troubleshooters and problem-solvers. They are looking for legitimate change agents and leaders. Agencies that believe they do not have the capacity or capability to worry about RM or do not have the resources to implement RM plans, should seek out experts. Major troubleshooters and problem-solvers might be inside the agencies that were not yet considered. Seek them. Recruit them. Utilize them. Reward them. If the agency has an RM team, incorporate them in as many meetings as possible. If the agency does not have an RM team, design one.
Applause is due to law enforcement leaders who recruit the best people to sit at the table of risk management and who are true troubleshooters and problem-solvers. They are looking for legitimate change agents and leaders.
It would be a perfect world if an agency’s proactive efforts were so complete that all risks were eliminated. But since that is not the reality, leaders have to be prepared for damage control. So, when a problem happens, the organization and leaders are ready to mitigate the plethora of possible outcomes. Responses to risk issues fall under the scopes of training, retraining, disciplining, settling in court, conducting transparent community forums, and other means. The law enforcement community must take the lead in communicating this mind-set by encouraging all personnel to model safety and wellness throughout all ranks of any organization and communicating the same way. Experts must get buy-in and personal ownership of the safe culture for it to be effective. But how does an organization get all of its members to buy in to RM?
Risk Management Buy-In
The goal is to get all employees to see the RM mind-set as relevant to their personal safety, wellness, and health, as well as organizational success. Command staff should encourage employees to be leaders in the march of personal wellness and risk management—find those who are passionate about their health, and let them lead, teach, motivate, and facilitate the discussions around RM and personal safety with their peers and other leaders. In the article “5 Ways to Encourage Your Employees to Lead,” Peter Economy discussed five ways to foster leaders:
1. Build cross-functional teams, which promotes communication.
2. Be transparent with employees with information.
3. Give employees autonomy to make decisions.
4. Show your passion for the cause.
5. Communicate clear definition of roles.9
On the proactive side, police experts want to get the right people at the table to think of any and all possible risks.10 There should be a response team for damage control that works to minimize damages (or the perception of damages). Some things will go wrong because of human error, but problems can also be minimized because of human intelligence.
Getting stakeholders to buy in requires communication, consistency, trust, ownership, and personal relevance. RM is solidified through clear communication and the transfer of transparent information. Police experts on all levels of an agency must believe the RM attitude and must model this behavior. Upper-level and first-line supervisors should use incidents as teaching opportunities for all employees.11 No matter how cliché the term is, communication is still the key to RM. Communication means clearly disseminating and transferring information, accurately reporting incidents, and notifying relevant parties of the organization of possible threats and risks. This is the 21st century RM approach, and it is every employee’s responsibility. Law enforcement executives must communicate to their employees that they need everyone to lead these efforts. For example, a message encouraging or recruiting officers to participate in RM might read as follows:
You are at the front line of risk management for the agency. You are the face of the department, and we need you to document what you see, talk about what you do, give advice on how to fix problems, and acknowledge the good work of coworkers.
When you become aware of an incident that is or could possibly be negatively profiled in CompStat, squad meetings, media, and the public, please let your chain of command know immediately. This way, our department can disseminate information and prepare leadership for potential risk and threats. Risk management matters. If you stay safe, healthy, and well, then you are a premiere role model of risk management. Again, this is risk management through communication, and you are the front line. Thank you for your assistance in this effort.
Law enforcement executives must make RM an integral part of daily operations, management, and administration. Leadership has the challenge of getting all levels of employees to buy in to the attitude of personal safety. In addition to each officer’s safety goal “to make it home,” one’s wellness, health, and personal satisfaction also matter. The challenge is to move the concept of RM away from the idea that the responsibility falls entirely on the RM team and more toward the practice of ownership of one’s own personal safety and the safety of others around them. Departments need to understand that RM is not a “one-and-done” approach to policies, procedures, and general orders. Instead RM is a practice, a shift in paradigm and culture, and a belief that gets the organization in alignment with its own mission and vision. If policies need to be revised, employees need to be retrained, or budgets need to be analyzed and re-appropriated, then the agency leaders need to make those things happen. Lives are at stake. Law enforcement leaders should communicate the needs and model RM behavior to foster the culture development. As previously stated, the culture of each agency is reflected in its organizational behavior, beyond rule books and policies.
1Tamara Rosin, “11 Universal Management Trusts from Warren Buffett,” Becker’s Hospital Review, April 28, 2016.
2 Electronic survey of police executives and leaders by author, April 11, 2017.
3 Online Business Dictionary, s.v. “risk management,” accessed April 15, 2017.
4 David Hillson, “Top 10 Myths of Risk,” Five Dimensions (Spring 2015).
5 Kenneth Wamble, email message to author, April 13, 2017.
6 William E. Kruse and Nate Dvorak, “Managing Employee Risk Demands Data, Not Guesswork,” Business Journal, March 16, 2016.
7 Electronic survey of police executives and leaders by author, April 11, 2017.
8 Mary Velan, “Why Risk Management Should Be a Law Enforcement Priority,” EfficientGov, January 15, 2016.
9 Peter Economy, “5 Ways to Encourage Your Employees to Lead,” Inc., September 10, 2013.
11 Phil Jones, “Considering ‘Risk Management’ from the Patrol Supervisor Perspective,” PoliceOne, January 9, 2014.