Risk Management Processes

Your risk management process drives the content of your safety management system (SMS) and must be applied to all activities and risky operational areas such as driving.

It must include a systematic risk management process and a culture of dynamic risk management or ‘on the job’ thinking - these are described below in the four steps of a risk management process.

This risk management process must be supported by other safety tools such as incident reporting and staff training and used in conjunction with the other advice on this website.

The four components of a risk management process

Risk management involves four components:

  1. Identify the hazards and risk 
  2. Assess the risk (before and after deciding on risk management methods)
  3. Manage the risk 
  4. Ongoing monitoring and communication

These must be supported by robust documentation.

One: Risk and hazard identification

The purpose of this step is to identify what serious injuries or illnesses could occur (risks) and to identify what could cause them to happen (hazards). 

Where and how you look will determine whether you identify these things correctly. 

Where to look

Every activity and all risky operational areas should be subject to a risk management process. 

When looking for risks and associated hazards consider the operational environment, equipment and people.

Here are some examples of things to consider:

Operational environment

  • location, e.g. terrain, remote areas, accessibility, urban areas
  • the operational base, e.g. power failures, areas where vehicles with heavily laden trailers often reverse
  • unique environmental factors, e.g. rock falls, traffic on roads, avalanche risk, river levels
  • health risks, e.g. drinking water quality
  • evacuation routes
  • communication black spots
  • weather, e.g. impact on temperature, length of trip, equipment to be carried
  • natural disasters – earthquakes, floods etc


  • is equipment fit for purpose, does it meet industry standards?
  • potential for incorrect equipment use and its implications
  • potential for equipment failure and its implications   


  • experience, e.g. in total and/or within your operation
  • competency in both hard and soft skill sets
  • implications of incapacitation, e.g. solo guide becomes ill or injured
  • numbers needed to adequately supervise clients, i.e. staff to client ratio
  • health and behaviour, e.g. fatigue, unpredictable behaviour
  • senior staff off sick or otherwise unavailable


  • technical skill ability
  • age
  • fitness and general health
  • language and cultural issues
  • social and behavioural issues


Examples of things to consider:

  • who else (commercial and non-commercial) could be in the area where you operate?
  • what impact could other users have on the safety of your activity?
  • what impact could your activity have on the safety of other users?

How to look

How you look must include systematic processes and real time on–the-job (dynamic) risk and hazard identification.  

Systematic processes

  • involve as many suitably knowledgeable people as practical, e.g. staff, auditors, technical experts, clients, operations, recreationalist
  • do each activity and 'walk through' each operational area and identify what could cause serious harm
  • use a form or checklist as you go to help guide your team through the identification process
  • include reviews of past and current incident reports

On-the job real time

  • ensure staff know that they must constantly look for changes to hazards – include this in induction and training programmes
  • include questions about new or changed risks or hazards in pre and post trip briefings/report forms/meetings

Two: Assess the risks - two stages

Stage One

Once you’ve identified the risks and associated hazards in your operation, you need to assess how serious they are. Assessment involves looking at each hazard and deciding how likely it is to happen, and if it does happen how serious the consequences would be.

This initial assessment or rating is called the ‘real' risk rating. It identifies the most serious risks and helps you to focus on managing the most important things.

Stage Two

Once you’ve decided how you are going to manage the risk you need to do another assessment. This second rating is called the ‘residual' risk rating and is used to check whether the remaining risk is at an acceptable level.

If the real risk was high, and the residual risk is low that doesn't mean you can relax. Rather it highlights the importance that your risk management technique works well. 

Real and residual risk ratings should be recorded so that you know which are your most important safety concerns. Anything with a high real risk rating should be closely monitored even if the residual risk is low. 

Reducing risk to an acceptable level

Acceptable means to a level where the remaining risk is in line with industry good practice.

Context is very important – who is the activity aimed at, why are they doing this activity, and does the level of residual risk fit with these things? For example if someone signs up for an activity with a low level of risk, it is not OK to take them on a high risk activity.    

If the residual risk is not at an acceptable level another management technique must be used. Ultimately, if you cannot lower the risk to an acceptable level you cannot do the activity.

Risk matrix

Use this risk matrix to help you with your risk assessments. Ensure that you:

  • involve your team - take staff skill level into account
  • use a technical advisor - in-house or external
  • take participants’ expectations and skills levels into account
  • check that your assessment is in line with the context and nature of the activity, e.g. for mountain biking - on a beginner’s cycleway tour, a narrow rocky section of trail may be assessed as a risk that must be managed (walk that section); the same type of terrain on an advanced cross country tour may not present a risk that needs to be managed
  • check that your assessment is in line with industry good practice

Three: Decide how to manage risks

Use your risk assessment results to ensure you are focusing on managing the most important things.

Manage risk to an acceptable level, as described above, and by the hierarchy of control. This means your first priority must be to eliminate the risk, and if that can’t reasonably be achieved then you should try to minimise the risk.  

Eliminating hazards

Examples include not taking people under a certain age or without a certain skill set, or keeping people away from the hazard e.g. establish a no-go zone behind a barrier or portage a rapid.

Minimising hazards

Often a combination of controls is used to minimise a hazard. Examples include use of competent staff, supervision levels, briefings and safety equipment. 

Who and what to involve

Who you involve in deciding how you will manage risk is extremely important. Your system should ensure that you: 

  • work with your team to decide the best method for managing each hazard
  • use a technical advisor – if you don’t have one in your operation use an external advisor
  • have policies on who can make independent risk management decisions in the field, e.g. what level of experience and qualification they need
  • review client feedback on hazards and make changes to your procedures as appropriate
  • consult with land managers, iwi, recreational users, other operators and client organisations as relevant to understand their particular requirements and objectives

Good practice 

Good practice is the range of actions currently accepted within the adventure and outdoor sector to manage the risk of harm to staff, participants and visitors.

You must operate at good practice or better in order to meet your legal responsibilities. 

Knowing where to find and how to identify reliable good practice information is critical. It will often involve using a combination of technical advice and written resources. 

The Good Practice section on this website tells you how to find reliable information and contains Activity Safety Guidelines and other documents which outline good practice for managing specific risks in specific activities. 

Trigger points

Having defined ‘trigger points’ can be particularly helpful as safety management controls. They give clear direction and remove the need to make a judgement call in critical situations and can be set for people, environmental and equipment factors.

Trigger points are particular circumstances and situations that cause an action to happen, for example: 

  • when the river is at a certain level, you must not run a certain rapaid. 
  • when staff have worked seven consecutive days with groups they must have a day off 
  • abseil ropes assigned to a particular cave are replaced after 6 months of use. 

Four: Monitor and communicate 

You need to monitor risk to know whether it has changed and whether it is still being managed correctly.

You must be confident that risk management information is being well communicated throughout your team. 

Risk and Hazards

Monitor risks and hazards for changes, do this in 'real time' and through regular formal checks. 'Real time' means staff are assessing them throughout their day. Reinforce this behavior through training, induction and questions in pre and post activity briefings.  

More formal checks include scheduled reviews or using tools such as the FLASH tool and it's guidance document to assess and communicate daily risk factors.  

Management methods

Check that your risk management methods are still correct and that they are being used by staff. Use formal and informal techniques such as: 

  • asking staff during activity debriefs
  • checking for changes in industry good practice
  • scheduling regular technical advisor reviews
  • monitoring staff in the field 


Staff must be clear on their risk management responsibilities, including:

  • how to pass on information that risks have changed
  • how to share their ideas on improved ways to manage risk
  • that they must stop an activity if they feel it is unsafe. 

If there are changes to risks or how they are managed it must be communicated to relevant staff in a timely manner. Ways to do this include staff meetings or emails, hazard update whiteboards and prompts in pre-activity briefing notes. Documentation must also be updated.  

"Complacency is our biggest fear - we push the philosophy of when everything is going well, take a look over your shoulder."


You must document your overarching risk management system and the results for specific activities and operational areas.

The overarching risk management system - Safety Management Plan

Your Safety Management Plan (SMP) must describe your overall risk management system and processes. 

Go to the tools and templates section for more information.

Specific activities and operational areas 

For each specific activity and risky operational area you must document the results of risk assessments (real and residual risk) and hazard management methods including evidence of eliminate and minimise priorities of action. 

Depending on the size and complexity of your operation and the risks being managed, some of this information may be in your Safety Management Plan (such as your Risk Matrix), and some will be in other tools such as Standard Operating Procedures (SOP's), Risk Assessment and Management forms (RAMS) or Activity Management Plans  

Go to the tools and templates section for more information.