Risk Management vs Risk Analysis: What’s the Difference?
A coastal city’s disaster forces them to rethink their EM protocols
This essay lays out the roles, responsibilities, and day-to-day realities of risk managers and risk analysts.
We follow a barrier-island city that skipped an evacuation order, lost lives, and now wants a new hurricane evacuation protocol ~
Then we explicitly discuss the roles, responsibilities, and motivations of risk managers and risk analysts in general.
The city manager: morning after the storm
Salty air and drywall dust hit me as I step out of the truck. A skiff leans on a stop sign. Three people are gone. The water fell fast once the wind turned, but the bay side neighborhood is marked with dirty wet rings halfway up the walls.
Yesterday was supposed to be a glancing blow. Warm water and a tightening core turned it into a punch. The surge came early and higher than expected.
We were too slow.
Our hurricane plan is twenty years old. It tells us to “consider” evacuation.
That word slowed us down!
There are no clear triggers, no simple zones, no ready-to-send messages. Too many maybes. No mention of climate change or adaptive management.
I didn’t know if I could make the call, or even who to call.
So I write down what’s got to change:
- Update the flood picture to today’s sea level.
- Re-time how long it takes the city to clear out ~ weekends, bridges, schools, rentals and all.
- Split the island into zones with plain go/no-go triggers tied to forecast water and time.
- Prepare messages in English and Spanish we can send in minutes.
- Test out traffic patterns that move people out as quickly as possible.
- Start an internal drainage study ASAP.
That night, I faced the council. The room was packed.
I explained why we hesitated, how the storm grew so fast, then how it all turned south, and finally what it will take to fix it.
They decided I was right. And then they fired me.
Before I handed in my badge, I left two things on the desk: last night’s timeline ~ every call, every minute ~ and a sticky note on a copy of the old emergency plan that read:
“No more consider. Call it by the trigger.”
What happens next?
The council votes to refresh the hurricane playbook.
They hire a new city manager.
The new manager hires a consulting firm to perform the risk analysis.
From here, the council sets policy and authorizes funds; the city manager runs the work and carries it out; the consultant builds the analysis and drafts the plan.
Council → hires the city manager.
The council is the boss. It sets priorities, passes resolutions, and controls the purse.
City manager → hires the consultant.
The manager writes the scope, runs procurement, and directs the analyst’s day-to-day work.
Clear split of duties
How the work actually runs ~ Analysis + Management, start to finish
The new city manager opens with a short kickoff meeting. The council sets the goal and guardrails ~ what risks the city will live with, what it won’t, and when decisions must be made. The manager turns that into a scope and contract, then hands the consultant the data and people they need.
The consultants update the flood picture to today’s sea level and local geography. They also rebuild the evacuation timeline ~ weekends, rentals, bridges, schools, nursing homes.
While the modeling engine hums, management drives the boat. The manager checks progress, organizes staff, and drafts the resolution that names who can trigger an evacuation in a short warning scenario. Legal and communications teams shape the plain-English pieces.
Midway through, the analyst develops options: a conservative bundle, a middle course, and a bare-minimum stopgap ~ each with cost bands and the expected reduction in risk. The manager recommends a plan and explains why. Finally, the council votes to fund one of the plans.
The ultimate result is a vote on a tight council packet: an automatic trigger table, flood maps, an evacuation timeline, and message templates in English and Spanish. The resolution pre-delegates the authority to act on those triggers without another meeting.
Before hurricane season, the city runs a drill, tightens the triggers, and starts a decision log so the next round moves faster and cleaner.
From one city to everywhere: Risk Management vs Risk Analysis Explained
The storm story is local. The split between roles ~ people performing risk analysis and people ultimately making the decisions ~ is near universal.
Whether you’re talking about floods, wildfires, cyberattacks, or public health, the same two jobs show up:
Risk analysis
*Risk analysis is a systematic way to build knowledge about a hazard.* It identifies what could happen, how likely, how bad, and how sure we are about any of it. It blends data, models, and expert judgment and explains the uncertainty instead of hiding it.
Risk management
Risk management is the set of choices and actions used to handle that hazard. It sets the line the organization won’t cross, picks options to reduce or live with the risk, funds the work, and owns the outcome. Assessments inform the choice; they don’t make it. That’s the job of risk management.
Analysis = what could happen and how sure we are.
Management = what we will do and why.
Definitions adapted from Aven (2018), Aven & Zio (2014), and the SRA Glossary (2018).
Responsibilities of Risk Managers and Risk Analysts
Motivations and Incentives
Common Failures
Conclusion
This story started with a bad call, three lives lost, and a help wanted ad.
The way to address risk isn’t some magic model that can predict the future: It’s risk analysis and risk management.
The council sets the priorities and funds the effort. The city manager builds the team, brings the plan forward, and owns the clock. The analyst sharpens the picture so the people with authority can decide what to do.
Risk analysis and risk management aren’t twins ~
they’re partners.
Analysis explains what could happen, how bad, how often, and how sure we are ~ and it shows the reasons behind those answers.
Management decides what we will do and why ~ the triggers we adopt, the tradeoffs we accept, the money and staff we commit, and the voice that faces the public.
Carry this beyond storms ~ cybersecurity, wildfires, public health ~ same handshake, same relationship between analyst and manager.
If you need one sticky note for the wall, here it is:
Risk Analysis tells you what could happen and how sure we are.
Risk Management tells you what we will do and why.