The People, Process, & Progress Podcast - How to Combine Project Risk Tools with Emergency Planning
Episode Date: June 10, 2025Warren Buffett said it best: “Risk comes from not knowing what you're doing.” On today’s episode, How to Combine Project Risk Tools with Emergency Planning, we’re focusing on how project manag...ers and public safety leaders can speak the same language when it comes to risk. The Federal Emergency Management Agency, or FEMA, created the Threat and Hazard Identification and Risk Assessment—also known as THIRA—to help communities anticipate and plan for the unknown. In the same way, project risk registers help uncover obstacles before they become blockers. Today, we’ll connect the dots between THIRA, stakeholder maps, and integrated risk matrices—so your team can prepare, prioritize, and progress, no matter the scenario.
Transcript
Discussion (0)
Warren Buffett said it best,
risk comes from not knowing what you're doing.
On today's episode,
how to combine project risk tools with emergency planning,
we're focusing on how project managers
and public safety leaders can speak the same language
when it comes to risk.
The Federal Emergency Management Agency or FEMA,
created the Threat and Hazard Indication and Risk Assessment,
also known as THIRA,
to help communities participate and plan for the unknown.
In the same way, project risk registers
help uncover obstacles before they become blockers.
So today we'll connect the dots between THYRA,
stakeholder maps, and integrated risk matrices
so your team can prepare, prioritize, and progress
no matter the scenario.
But first, please silence your cell phones,
hold all sidebar conversations to a minimum,
and let's get started
with the People Process Progress podcast.
In three, two, one.
Welcome back to the People Process Progress podcast,
episode four of our All Hazards Project Management series,
how to combine project risk Tools and Emergency Planning.
I'm your host, Kevin Pennell.
I used to live in the military medicine world
and public safety and all hazards emergency management,
incident management, and then for a while now,
I've worked in the project portfolio space
in healthcare and IT, and I realized
there's a lot of crossover.
So if you've listened to the show, thanks so much.
If you haven't, subscribe, go to Apple.
Spotify, all the places, peopleprocessprogress.com
is our hub
where you can get to me on YouTube or Instagram or X,
all those places, and I'll go over that again later.
But thank you.
So today, this risk, right?
There's always risk before we do anything,
whether it's spontaneous or planned.
But I'll say that joint risk workshops
can help create a shared understanding of uncertainty
and build trust across teams.
And sometimes it's a little scary,
joint, we're gonna get together,
we're gonna throw it all on the table,
but this is the people part, right?
When we integrate traditional project risk registers,
which I'll get into in a little bit,
with hazard-based risk assessment tools,
we could create a more complete risk picture.
So if you're in the emergency management world
or public safety world and you have a project,
consider this.
Or if you're in the project management world,
listen to this and think how you can learn a bit
from your public safety folks.
This should be part of our process, right?
With a more clear visual collaborative risk planning,
we will drive better and faster decisions.
And you guessed it, we will make progress together.
So the first thing I wanna talk about
that's people on a tool here
is there's joint risk workshops, right?
So we're gonna make a stakeholder register.
And this is a document that identifies stakeholders,
their roles, interests, influence, communication needs.
I talked about the RACI matrix.
This is a little different, but very similar.
And the RACI is again, responsible, accountable,
consulted and informed.
Says kinda, how do we treat the folks involved?
What should we do?
Who owns things, that kind of stuff.
So here's a project example that works, right?
During multi-hospital,
let's say electronic health implementation,
leaders using a stakeholder register align
who do we need to influence, right?
What are the roles, who do we need to communicate with?
Particularly let's look at nursing
and information technology,
administrative and clinical leadership.
It helps surface any early resistance
and define who we need to target the risks in,
obviously, the benefits that we want to get out of that project.
Our cap toward our public safety and in this example, public health friends about regional
mass vaccination.
We saw this during COVID.
I used to practice with this with my public safety and public health and county leader
and state folks all the time.
Our mission statement locally was to get a 10-day supply
of antibiotics to over 300,000 people in 48 hours.
No small task, right?
So let's say in a regional mass vaccination campaign,
there's emergency managers, public health folks,
using a stakeholder register and looking at
who are our constituents,
who are the folks that live in this area,
can help us coordinate logistics better
with the school systems, the National Guard, and IT.
Now, a lot of this is baked into the processes we use,
respectively, the Planning P, Public Safety,
or All Hazards process, and then our Waterfall Agile World
of Project Management.
So let's get into a couple strategies
that can kind of combine these, right?
So the first for people is cross-functional workshops,
or risk workshops, to be specific.
And so for the EHR project example,
let's keep rolling with that, right?
We bring together folks from clinical and IT operations,
we identify potential go live risks.
We don't know what's happening in their area
on their nursing units and they don't know
what's happening in plant operations,
the facilities or in IT.
So we need to share that perspective,
that common operating picture on,
hey, if we have a downtime at
this time, is that good or bad?
Well, it's change of shift, so it's horrible, or it's good because we're not actively charting
or typically we chart around this time, each time.
So again, we can also, as IT, flag integration delays.
We're short on resources here or there.
So we have these early.
A lot of this is, again, part of a regular process, but think about just combining it into one workshop.
It's hard virtually now.
Of course, hospital workers are not virtual,
but they really help mitigate a lot of risks
that we could have well before launch or build.
In the mass vaccination campaign example,
these cross-agency workshops, right,
these risk management, these risk workshops,
again, are gonna help us know, hey, law enforcement,
what's going on out in the world?
National Guard, what resources do you have?
Public health, how should we do this?
This is a public health-led thing.
And the school Wi-Fi might not be strong.
Just these little things, these are risks,
the infrastructure, where are we gonna be?
And it's fixable, but we can discover it early,
so it's very helpful.
So strategy one for the people is get everybody together
and have a cross-functional risk workshop.
Strategy two, assign those roles, right?
So don't just say, hey, here's a risk.
Somebody's gotta own those.
We do that in project management.
We kind of do it in all-hazard incident management
where safety's gonna make a safety plan
and operations is aware of it,
but that could be spelled out.
That's where I think the public safety folks
and the all-hazards incident management,
brothers and sisters, could take some from project management
is when we make a risk register, we call out,
here's the risk, here's the likelihood,
here's where it goes, and there's equivalents for those.
But let's go back to our example.
So we're rolling out this electronic health records.
We're gonna give ownership to the nurse managers
for critical workflow risks.
What could happen?
What does happen in this workflow?
Well, we as information technology
take charge of system stability, right,
and it helps for escalation.
What if something happens?
So when we plan for go live, we say,
here's the folks that are gonna be on,
we make a whole workflow.
If this happens, here's the sequence.
It can also go to somebody at the service desk
who's never been a part of it,
and it reduces downtime and confusion.
And for the vaccination, we know who's going to do, we build this into our instant action
plans and planning.
So who's going to do logistics, what in operations are we going to call the public health teams
that are communicating on what's happening, where are the supplies, what's going on with
them.
But we have identified these risks in this workshop and then we've also outlined
them in our plan so we kind of get to dual hat those.
So again, so we're getting our people together, we're having functional workshops to identify
risk, we're going to assign who needs to work on this risk, what we're going to do with
them.
So we're building this process, right?
And we're aligning risk registers with hazard assessments and so there's a tool we can use
for that called an integrated risk matrix.
It can be very simple.
It can be what's the risk, what's the impact if it happens, what's the likelihood that
it happens, who owns it, what are we going to do about it?
It can be that simple.
There are forms and stuff all for that.
So let's talk about for project example.
So for the EHR implementation, we're going to do just that, right?
We're going to flag what's high likelihood, high impact for different areas.
Is it data?
Is it the users?
We're going to track that.
So it kind of bleeds into our progress.
But process and progress go hand in hand often.
And then we're going to link to corrective action.
So we know what to do. We're going to talk about it.
We're going to pivot. We're going to stop doing things, start doing things.
And public safety, same thing, right?
We plan a great layout of where we're going to have this mass vaccination.
And then this area doesn't work.
We find out when we're on site again,
and we should do a site visit ahead of time anyway,
but we should know ahead of time with this risk matrix
likely what's gonna happen.
Now, are there unknowns?
Yes, for sure, right?
And if there's these red zone risks,
they're gonna be addressed immediately,
securing generators or security for the people there,
whole bunch of different risks that have to do
with either the people, their environment, or sickness if you're doing this in an outbreak,
all this kind of thing.
So a strategy here to help this process
is to align the risk register that we made
with a hazard vulnerability assessment, right?
So in the EHR process,
we're gonna look at what our hospitals'
maybe hazard vulnerability assessment is.
So are there any big environmental things
that could impact us, right?
We lose power all the time, we lose heat or something
that could affect, you know, if we affect the people,
we're gonna affect the project we're trying to put out there,
particularly electronic health record
that tons of people use.
And environmental stuff is a huge risk
that we often don't think about,
probably in the traditional project management world,
because usually inside, unless you're doing construction or landscape
or something like that.
But it's important to consider,
and environmental is also the politics of it,
not just is it hot or cold and those kind of things.
So consider that, consider aligning those.
And it's a good thing for project managers
and really leaders at any level
to know what the hazard vulnerability assessment
of your hospital is.
So you just have an idea of what are the hazards where I am.
For the vaccination thing,
this is where our epidemiologists,
our public health physicians are gonna know,
where's the disease in the area?
What's the weather like?
They won't be the weather folks,
but we'll work with other folks, right?
What are overlapping threats?
We would make as part of our plan,
what's the weather forecast for today?
Particularly when I was an EMS captain,
as a planning captain.
So for weather events,
we would put the forecast on there,
the weather map, so everybody knew for the next five
or 10 days, not just what are the units on the street,
but what do we expect?
Who do you call if you need help, if you need food
and water, all that kind of stuff.
Another strategy is to score internal
and external threats together, right?
Have one big list, because if you have a separate list,
it's hard to keep them combined,
they can be updated differently.
And again, you're going to do the same thing.
What are the threats?
What's the likelihood?
What's the impact?
Who owns it?
If anything, you're not going to stop a tornado, but we could own that I'm going to help evacuate
people to the basement, those kinds of things.
So this is part of good, particularly for electronic health record or any other software
or technical rollout is what's your go live plan?
What's your support plan?
Who's going to do what?
That leads into this if you've identified the risks, right?
And similar for mass vaccination,
what have you scored as far as,
or rather what's the score of the risk
if you're short on staffing?
Sometimes we're like, the plan looks awesome,
we're full of staff, and then five people call out
because life happens.
So we got to be ready for those kinds of things.
So for the process, we want to align the risk register with the hazard vulnerability assessment, whether you're doing an electronic
health record project or a mass vaccination or whatever it is. So you know, what are the threats
to this place where we're going to have this big thing happen, this project or this vaccination?
And the second thing is we're going to put the internal and external threats together,
not on separate lists, because that's a nightmare. So, Incident Command System folks, public safety folks,
particularly emergency management, are very familiar
with the Hazard Identification and Risk Assessment,
or HIRA tool, it's out there, Google it,
there's tons of templates, there's official ones,
unofficial ones, but it really is a pretty
straightforward thing, I've seen it mostly in spreadsheets,
it's very easy to use, but it gives you some structure
and it helps you refine that process.
And again, unless you're doing this for a grant
or reporting that requires you to have a certain way,
find one that works for you and just start using it.
So we're looking at people, right?
We're doing these cross-functional workshops.
We're looking at process.
We're combining all the lists together.
And of course, we're gonna see how we're making progress.
Well, through that matrix, we're gonna get some visualization and then we're gonna communicate the lists together. And of course, we're gonna see how we're making progress. Well, through that matrix,
we're gonna get some visualization
and then we're gonna communicate these risks, right?
So that the HiraTooler, again,
Hazard Identification and Risk Assessment Tool,
it avoids this across the probability and consequence
and it's very heavy used by emergency managers
or hospital-specific emergency planners,
but it's a really good structure
and it's actually one that project management
could adopt to use for projects.
So if you're a project manager,
give H-I-R-A, or hazard identification
and risk assessment, a Google.
So let's see how we're gonna visualize this
and communicate this, okay?
So we're going to heat maps, that's where we're going to.
And that's kinda what it sounds like
if you've seen a movie of the Predator heat vision, right?
Where you see green or blue is cooler, and then it goes to red and then white hot.
That's what we're looking at.
And what it goes to is low risk to high risk.
That's the simple explanation.
The kind of more official is a color-coded chart showing risk severity based on likelihood
and impact, right?
So for a project, we're going to use this or you can and there's tools.
There's, again, Smartsheet I love, I have no affiliation,
you can make this with conditional formatting in Excel,
there's online tools, all this kind of stuff,
but basically we want to look at this heat map
that's based on all the stuff we talked about
this in an episode before, our combined workshop,
our combined risk register, all these kind of things,
or matrix, and it's gonna show us where the risks lie
and how do we address them, and we're going to update these, right?
So it's not a fire and forget it.
Here's what we think ahead of time.
Here's what's happening now.
We're always changing the risk, the impact, the likelihood.
If it's happening, obviously there's kind of things.
So this heat map has to change based on data that we feed it unless we have some sort of
machines or vehicles or something, some kind of GS device that we're tracking that
is feeding back where things are.
And then it's cross-referencing maybe what the weather is there, those kinds of things.
So for Electron Health Record, we're going to use as live of a heat map as we can to
update leadership weekly.
Like here's the risks.
Heat map is kind of akin to a stoplight.
It's a different visual.
If you've seen weather maps, you've seen a heat map, right?
So again, green is good, red or white hot is a problem,
typically red.
And we're gonna just let leadership know at a high level,
here's what's going on, here's the good, the bad,
the ugly of it.
Similar for the vaccine campaign,
are we running low on supplies?
No, we're doing good.
We're getting this many a day.
And the heat map could be numbers.
So are we high, medium, medium low and people showing up or not to get these vaccinations or get this medication?
So here's a couple strategies one build dashboards and use GIS data. I've been a part of some
Events and incidents and been very fortunate to work with GIS pros and have some good friends that work in the big GIS companies
And it's awesome
So you can get devices and have them attached to people
and they go all over the place
and you can see where they are
and you can see the risks in the area.
It's a little harder to do that
and ask our project managers
to wear these sitting in their house, right?
But you can make heat maps using tools
like Microsoft Power BI.
There are other tools as well.
That's one I'm familiar with.
So you can see both, is it resources we're looking at,
where there's too many, where there's not enough,
or just right, and are there similar deadlines
that are being missed?
So the key is building the system how you wanna use it.
So the data in is good,
and then the heat map for you is effective,
because you can just throw data in there,
and it's not helpful, but what do you wanna measure?
Do we wanna measure if our resources
are being overtaxed or not, or underutilized,
or if we're spending too much money, or not enough,
or I don't know if you can not spend enough money
in business, but that kind of thing, right?
So strategy one for monitoring progress is build
a dashboard with something, GIS is great,
doesn't have to be, but build it so people can see it
and get to it and they know where to find it.
The second strategy for this progress part
is we gotta update those visuals.
I mentioned this before.
It's gotta be something consistently like, I don't know,
in an event that you're working, it's real time, right?
You want devices that are just sending this back to you
in a project that's over months or years,
weekly, every couple days, every couple weeks.
It depends on the size of the risk and what's happening, but it should be a regular tempo
so that anytime I can look and see what is close to near real time.
When we say real time, it's really hard to get that unless it's fully automated.
That's just it.
A person's not going to sit there and hit a button constantly.
It's just not practical, especially if you're out there working with nurses on the unit
or you're out there helping people fill out their paperwork before they get vaccinated.
Doesn't make sense.
It's got to be something automated.
So to track progress, build a dashboard, find a way to automate the data or if the frequency
allows for a more planned event for a longer project, just set the frequency that, hey,
every week we're going gonna update a risk register
that's gonna feed into the heat map,
that means we're gonna report that every two weeks
to leaders, et cetera, et cetera.
You gotta find your tempo.
So what I would say to you all is pick something,
a current project or an upcoming planned event
that you're gonna have public safety folks at,
build a shared risk log, get together in a room,
and just throw it out there.
What are the risks, right?
It's very much like what comes out of the tactics meeting,
but it's the safety plan.
But it doesn't have to be super incident command system.
I mean, it can be very basic, right?
The risk is people don't show up,
and what are we gonna do about that?
Or the risk is we run out of water bottles,
or the risk is that the data doesn't,
whatever it is, whatever people can think of,
and then group them together,
there's kind of things you can do. But keep it simple, right people can think of and then group them together, there's kind
of things you can do.
But keep it simple, right?
This works in project management, it works in IT stuff, it works with operations and
incident command system, public safety.
And then prioritize the top ones, right?
What do we have to address?
Because either life safety, patient safety, that's always first, right?
What's going to hit us in the wallet?
What's going to hit us on the clock?
What's going to us in the wallet? What's gonna hit us on the clock? What's gonna reduce our quality? What's gonna make our scope and manageable for projects or what's?
Unreasonable to ask somebody to do in a 12-hour shift like all these kinds of things and then just start talking right score them
And start preparing it doesn't have to be perfect at first
It should get pretty good before you go live or before the event starts
But something is better than nothing for sure.
And that's coming from a public safety planner
and project manager who you'd think would be just OCD
about perfect planning and all that.
And it's a lesson I learned a long time ago,
thankful to my mentors and friends.
So what did we learn?
What did we talk about?
The people component of what we talked about
when we are wanting to combine project risk tools
with emergency planning,
because I really think there's some good crossover,
particularly with Mindset and some of the tools
and stuff I talked about,
is that we wanna have stakeholder maps
and cross-functional workshops.
So get everybody together so we can find those blind spots
because you might see something I didn't see and vice versa.
Process-wise, we're gonna align what we call out, right,
with hazard assessments that have already been done
or done recently. We can get a more complete picture. And progress-wise, we're gonna align what we call out with hazard assessments that have already been done or done recently.
We can get a more complete picture.
And progress-wise, we're gonna build tools.
We want dashboards, we want matrices,
we want updates from the field or from the data
or the devices, and we're gonna move teams
to react to those, to address them.
We're not just gonna look at them and go,
oh cool, that's happening.
Because when we combine this stuff
with the precision of project planning
and the urgency of public safety, we don't have to manage the risk, we just get to lead through it.
So thank you so much for listening to People Process Progress, particularly this episode.
If it helped you connect the dots a bit between your project work and real world risk management,
please share it.
Share it with a colleague.
It's fun for me, I hope it's fun for you.
Judging from some feedback I've gotten lately it is.
But especially maybe somebody in healthcare emergency
services, RIT leadership.
Let's keep building smarter, stronger systems together.
If you wanna stay together with me, share this episode,
share the show, I'm on Apple, Spotify, Amazon,
all the platforms these days.
I'm on Instagram and X at Penelok AG.
I have a YouTube channel I just rebranded,
it's called Own Move Anchor, which is own your mind, move your body, anchor your spirit.
It's all those seven pillars I've talked about of ownership, mindfulness, movement, boundaries,
connection, sleep and faith.
It used to be called the Penelope Fitness Club.
It's a little more holistic now.
Still some workout videos, cold plunges, jiu-jitsu after action reports, ways to anchor your
mind.
Another great way to anchor your mind is through reading.
I happen to have written a book called
The Stability Equation, Seven Pillars for a More Balanced
Life, that's where this pillars dispension came from.
And they came from me, from doing research,
from being in a tough spot, finding my way out of it,
planning my way out of it, and then taking action.
And that's where ultimately this year,
the thought of own your mind, move your body,
anchor your spirit came from, because it combines all these pillars together. So remember though, when you of own your mind, move your body, anchor your spirit came from
because it combines all these pillars together.
So remember though, when you're planning an event,
whether you wear a badge or not, or you're in khakis,
put people first, create a combined process,
and make progress together.
Thank you for being here, and Godspeed, y'all.