Creating a Comprehensive Risk Management Program

Best Practice

Risk management is a program designed to identify potential events that may affect the government and to protect and minimize risks to the government’s property, services, and employees. Effective risk management ensures the continuity of government operations. The importance of risk management has been growing steadily over the last several years for a variety of reasons including legal, political, and medical liability, increased use of technology, and higher litigation costs.

Risk management is geared to achieving a government’s objectives through strategic decisions that flow through high-level goals, effective use of resources, reliability of reporting, and compliance with applicable laws and regulations.


GFOA recommends that governments develop a comprehensive risk management program that identifies, reduces, or minimizes risk to their property, interests, and employees. Costs and consequences of harmful or damaging incidents arising from those risks should be contained. Adequate and timely compensation for restoration and recovery is another consideration.

The following steps should be included in an effective risk management program.

 1. Risk Identification – An essential component in identifying risk is to understand the sources, types, and likelihood of risk. Risk identification should identify at a minimum the exposures in each of these areas.

  • Physical environment (natural or man-made disasters and infrastructure)
  • Legal environment (laws and legal precedents)
  • Operational environment (day-to-day activities and actions within the local government, including services provided and workforce demographics)
  • Political environment (legislative activity, elections)
  • Social environment (socio-economic composition of the community)
  • Economic environment (market trends, interest rates)
  • Internal environment (the attitude of individuals towards risk)

2. Risk Evaluation – The frequency and severity of claims should be monitored and modifications made as necessary. Risk evaluation reports often include such information as the number of open claims, the amount paid out, and the amount reserved. Report results should be communicated in a form and timeframe that enable employees to carry out their responsibilities. Over time, these reports reveal a government’s risk profile. The Public Risk Management Association (PRIMA) has a variety of risk evaluation data available to governments.

3. Risk Treatment – After identifying and evaluating risk exposures, the next step is to decide how best to treat the exposures. Management may select a variety of risk responses – avoiding, accepting, reducing, sharing, or transferring risk. A risk management program should be a well-rounded combination of preventative and control measures, risk transfer, and risk retention. The latter two methods refer to a government either shifting the financial burden of risk to another entity or performing the task of risk financing in-house. In addition to these three methods, governments may occasionally choose not to provide a service altogether, a risk management technique known as risk avoidance.

  • Loss prevention and control – Training, workshops, and inspections are common loss control measures.
  • Risk transfer – Two basic types of risk transfer involve financial or contractual risk.
    • Financial risk transfer may involve the use of an insurance company or risk management pools. The criteria for procuring insurance should involve quality and scope of service, breadth of coverage (level of deductibles), financial stability, and cost. Most governments typically begin with three basic types of coverage.
      • Property insurance protects against damage or loss of property.
      • Liability insurance covers losses related to a government being found negligent in the performance of operations.
      • Worker’s compensation provides employees with coverage for all medical bills resulting from job-related injuries or disabilities as well as lost income.
    • Risk management pools may be classified through various factors like type of service, lines of coverage, or type of government. Additional information on risk management pools can be found through the Association of Government Risk Pools (AGRiP). A government can also transfer risk by having a contractor pick up the liability.
  • Risk retention – When a government retains risk (i.e., self-insures) it assumes financial responsibility for some losses. Retaining some risk (e.g., paying a deductible) can lower the government’s premiums. However, the government needs to be aware of its exposures through self-insurance.
  • Risk avoidance – Governments may avoid providing specific services if the risk management costs are excessive.

 4. Risk Management Implementation – To implement a risk management program, consideration should be given to establishing risk management policies and procedures that include a statement of the organization’s goals, identify officials charged with carrying out risk-related functions (e.g., planning, organizing, coordinating, implementing, monitoring, and controlling the government’s risk management program), and contain guidelines for making decisions about fundamental activities (e.g., risk control and risk finance). It is essential not only that government officials are aware of the policies and procedures, but also that the risk responses are implemented and effectively carried out.

 5. Risk Program Review – In the environment of shrinking budgets and increased accountability within the government, it is essential that organizations review the effectiveness and efficiency of the risk management programs functioning within their organizations and make changes or modifications as necessary.

  • Risk Management, Elected Officials Guide, GFOA, 2001
  • “Enterprise Risk Management-Integrated Framework,” The Committee of Sponsoring Organizations of the Treadway Commission, September 2004
  • GFOA Best Practice, “Business Preparedness and Continuity Guidelines,” 2005 and 2008.
  • Association of Government Risk Pools (AGRiP)
  • Public Risk Management Association (PRIMA)
Approved by GFOA's Executive Board: March 2009