CRMP Decision-Making

Who is the guidance for?

This guidance on Decision-Making in the Community Risk Management Plans (CRMP) process is for those tasked with leading, the CRMP and those who make strategic decisions based upon the information within it. According to the CRMP Fire Standard, fire and rescue services must:

Make decisions about the deployment of resources based on the prioritised risk levels and planning assumptions involved. This should be carried out with consideration to internal and external resource availability (people, financial and physical) including collaborative, cross-border and national resilience assistance. Consideration should also be given to other strategic influences such as consultation feedback, stakeholder engagement and political objectives.

In 2020, the NFCC’s Community Risk Programme (CRP) through its Definition of Risk (DOR) project, delivered a national definition of risk, a Glossary of Risk-Related Terms and a conceptual risk framework for the UK Fire and Rescue Service, to help bring national and local consistency to community risk management planning.

Within the ISO Standard referred to in the DoR report, there is a reference to the challenges of risk management “in a world of uncertainty”. It is within the context of this reality that the estimation of risk analysis informs the decision maker. This should always be understood as being at the background of the analysis on which decision-making is based.

The whole CRMP is underpinned by three key themes that should support, influence, and inform each individual component throughout the whole process:

These themes should be utilised to ensure each component within the process has been developed using a broad range of community and organisational intelligence, and links are made throughout this guidance.

Individuals within a service who work to develop a CRMP may differ between fire services and may differ from one cycle of CRM planning work to the next. With these acknowledgements in mind, a series of Competency Frameworks have been developed. These aim to clearly articulate the requisite competencies (behaviours, skills, knowledge, experience, and techniques) required to develop a CRMP.

The Competency Frameworks also outline the requirements of strategic-level staff and those tasked with risk analysis.


Decision-making in this context involves deciding whether to increase, decrease, change, or maintain existing risk mitigation and risk reduction activities.

The Fire and Rescue National Framework for England states:

“Every fire and rescue authority must assess all foreseeable fire and rescue related risks that could affect their communities. They must put in place arrangements to prevent and mitigate these risks, either through adjusting existing provision, collaboration and partnership working, or new capability.”

Prevention, Protection and Response are recognised broad types of risk mitigation within the Fire and Rescue Service. They describe the various types of risk mitigation activities applied in risk reduction and help to explain how and why resources are being deployed.

In many services, ‘Prevention’, ‘Protection’ and ‘Response’ are also organisational units with their own relationships to different aspects of risk. This could be the structure used to assign owners to risks. This helps community risk management planning by putting accountability for decisions about risk mitigation within these organisational areas.

However, recently, some services have changed the focus for decision-making about the best risk mitigation from being within each of these three groups. Instead, they take a more global approach by gathering the decision-makers of these three units together to collectively assess the best risk mitigation from within that collective ‘toolkit’ or options. It is only then that they agree and assign the most appropriate risk owner.

To eliminate the bias that some forms of presentation of data are known to create, careful consideration should be made to decide on the best manner of presentation of the data and subsequent risk evaluation on which the decision-making is based (see the videos on handling feedback from consultation).

A Service is always faced with complex trade-offs that may elevate one type of risk reduction activity, while reducing another, for example, allowing resourcing to mitigate risks that bear low likelihood and low to medium consequence to be subservient to addressing risks of higher priority due to their perceived likelihood and level of consequence.

This means that community risk management planning needs to consider a wide range of activities. This may mean considering equipment and asset needs, people and competency needs, and about how to work with partners and other agencies. Selecting the most appropriate activities involves balancing the costs and efforts of implementation against the benefits to be gained.

Legal, regulatory, and other requirements should also be considered: things such as social responsibility and the protection of the environment.

If risks have been assessed as unacceptable, the decision criteria may require implementing risk mitigation or reduction activities regardless of cost.

When deciding whether to maintain or change activities, the values and perceptions of stakeholders should be considered, and care should be given to establish the most appropriate ways to communicate and consult with them.

Where risk mitigation and reduction activities can impact risk elsewhere in the FRS, or with stakeholders, wherever possible, their input should be evaluated as part of the decision-making process. It is important to note that the luxury of having such time is present in planning, but not in operational decision-making.

However, CRMP decision-making may be taken by a person or organisation outside of the FRS that was not responsible for undertaking the consultation (see the Stakeholder and Public Engagement Guidance). Such decisions are likely to be based on a recommendation from the FRS that is made following a review of the consultation report. This suggests the need to allow sufficient time for this to take place and underlines the importance of making every effort to reduce bias in the way information around the risk is presented.

Any decision-making papers should be submitted only when the consultation report has already been published and decision makers have had sufficient time to consider the findings.

Decision Criteria are distinctly linked to the Fire Data Lifecycle (see Data and Business Intelligence Guidance). This aids the effective allocation of resources to reduce community risk by being based on up-to-date, relevant, and credible data and providing reference links to the source data.

Data informs decision-making, but those who make the decisions are not always those who analyse the data, so cross-team, cross-function, and cross-organisational working is essential. Importantly, the DoR Report states that modern risk assessment typically recognises that statistics of past incidents do not fully capture future potential risks and that informed subjective views can be a valid contributory input to a risk assessment.

Decision-makers should therefore bear in mind that perceived risks, which might include other definitions of risk and prioritisation of other risk metrics, might lead to different conclusions. If appropriate, these differences can be explored through sensitivity tests. These tests model how changes in Inputs affect outputs. Other differences can be explored through social scientific studies of risk perceptions and subjective views about risk-based decisions determined through Stakeholder and Public Engagement.

Decision-making spans a wide range of risk mitigation that may include consideration of equipment needs, skills and competencies, and coordination or consideration of the activities of partners or other agencies addressing the same or similar risks. All of this entails balancing cost vs. perceived benefits. In some cases, the ESV Digital Tool may provide some insight by using the Service’s own data to project such a cost benefit ratio based on local data.

In all cases, recording what reference data, assumptions, and lived experience (local knowledge) impacted the decision-making process is an important record and reference for future assessments.

Risk Evaluation Decision Criteria

Benchmarks that define the significance of the risk analysis process, as determined by the levels involved and overall organisational risk appetite.

Risk Evaluation

Comparative terms, such as “high risk”, “medium risk” or “low risk” are different evaluations of the risk level. Such evaluations can only be made by combining specific risk measures and risk criteria in a specific context. To be clear, the relevant risk metric and context should be specified, e.g. “high risk of fire for a multi-storey office in London”. Establishing and recording the definitions for what constitutes ‘High’, ‘Medium’, or ‘Low’ is important. Doing this is benefited from a first draft being reviewed in groupings of Watch Managers and others to establish specific definition: e.g. ‘High’ equals ‘In the event, more than 70% of the population will be affected’.

Risk evaluations are highly context-sensitive. Hence, there is no such thing as “high risk” in general. Risk evaluation will be informed by the operating context and strategic objectives outlined in the definition of scope. Nevertheless, a few commonly used risk measures and criteria are valid in many contexts. One such set was defined by the HSE for industrial safety. Instead of high, medium and low risk, here, the terms intolerable, tolerable, and acceptable risk are used.

Maintaining registers of old risks without correctly assigning dates to them can be dangerous. All risk statements should be dated and shown as: ‘valid from this date’ because, without regular review, risk analysis and the assignment of its relative category can become outdated, sometimes very rapidly.

Decision Criteria – deciding risk mitigation

This is the step in the process where decisions are made about allocating resources to maintain or change risk mitigation based on decision criteria.

Decision criteria are the ‘benchmarks’ that advise on cost vs risk vs benefit trade-offs. When selecting risk mitigation actions, the direct and associated costs and benefits should be considered, along with any disadvantages. Consideration should also be made about the relevance of existing mitigation or prevention activities, allowing the potential for a current risk mitigation activity to be replaced by something considered to be potentially more effective in the current context.

Some useful questions to ask are:

What physical assets are needed, and where?

1. What skills and competencies are needed, and where?
2. Is access to specialist resources required? If so, specifically what?
3. What organisational or technical systems do we need?
4. Do we need new skills to be learned?

See the Economic and Social Value of UK Fire and Rescue Services (ESV) for the methodology for placing a value on various protection, prevention, and response activities based on local data.

Planning the Deployment of Further Risk Mitigation

These are measures that maintain or modify a risk, including preventative and management activities. When additional risk mitigation is required, an assessment should be made to identify if any associated or further hazards have been identified that also may need to be addressed.

This stage is for developing a plan for the deployment of resources for community risk management. However, the actual deployment, i.e., the implementation of the resources, is part of ongoing Service Management. The plan should state the priority order in which activities should be implemented and resources deployed, and show the rationale and assumptions that underlie decisions.

The risks are not addressed until activities are implemented and resources deployed. The deployment plan should set out how these will be implemented. It should include:

The reasons for selecting the activities and the expected benefits to be gained.
1. Those accountable for approving the plan and those responsible for implementing it.
2. Specific actions.
3. Resource requirements, including contingencies.
4. Performance measures and constraints.
5. Reporting and monitoring requirements.
6. Timing and schedule.
7. Any necessary expenditure authority.

Deployment plans should be integrated with management processes and discussed with appropriate stakeholders. Decision makers and other stakeholders should be aware of the nature and extent of the residual risk profile after deploying resources – see Table 1 (below) that visualises risk through risk position.


CRMP decision making


Inherent position – The inherent risk with no mitigation measures.

Residual position – The current risk with current mitigation measures.

Target position – The desired risk after implementing mitigation measures.

This should be documented and subjected to monitoring, review and, where appropriate, further activities or further resources may need to be applied.

The deployment plan itself might generate risk, particularly if it involves physical or procedural modifications to existing arrangements, or it has implications for certain stakeholders. Therefore, it should also be considered for risk assessment, and modified if necessary.

The scale of work involved in some resource deployment might warrant the development of specific projects. These should be managed in accordance with recognised project management methodology, and therefore provide all the appropriate project management rigour.

Relevant stakeholders should be kept informed of progress with resource deployment. This might include making some monitoring information available.

In decision-making, a RACI Model should be developed showing who is:

Responsible, Accountable, needs to be Consulted, or just needs to be Informed
It is worth noting that some factors can prevent immediate or prompt deployment of resources, such as:
1. A need for consultation with stakeholders, likely to be affected
2. The time required to plan the detail of the control and then obtain budgetary approval
3. Reliance on the same workforce to implement several controls.

Appendix 1

Example: Fires in a built environment

Below is the diagrammatic presentation of the relationship between risk analysis and links to specific risk groups (in this example, it is societal risk) and the subsequent decision-making and possible risk mitigation mapped to the risk evaluation.

The diagram below provides examples of potential intervention decisions mapped to the broader risk mitigation for each risk group:

Individual: In the FRS context, community safety activities are primarily based on education or prevention programmes such as Home Fire Safety and Safe and Well Visits, which aim to influence human behaviour to prevent fires from occurring in dwellings or to protect people in the event that they do occur.

Community Safety activities may be complemented by Fire Safety (Structural Protection and Enforcement) activities and Operational (Intervention and Response) arrangements. Together, the risk to the community will be reduced through the effective combination of prevention, protection, and response activities.

Societal: In this category, compliance with the Fire Safety Order is also relevant. Risk interventions include the ‘risk-based inspection programme’ (as outlined in IRMP GN 4) carried out by both Protection and Response staff.

An effective ‘risk-based inspection programme’ relies on the prioritisation of specific building types or occupancies. By doing so, the higher risk or more complex premises are able to be prioritised for physical inspections by competent inspecting officers. Fire Safety Advisors and operational crews can carry out fire safety checks on medium or low-risk occupancies. The competency of the staff inspecting or checking buildings is defined by the National Competency Framework for Fire Safety Regulators.

Emergency Responder – See country specific operational risk management guidance:

England and Wales – Provision of Operational Risk Information System (PORIS)

Scotland – Scottish Fire and Rescue Service: provision of operational risk information

Northern Ireland –

Environmental: Because of the reality of risks associated with climate change, CRMP Hazard Identification Guidance recommends the development and use of a locally developed Environmental Plan that sits alongside, and informs the CRMP Guidance.

FRSs attend incidents that have the potential to pollute air, land and water. Water courses and other aquatic environments are considered to be the most vulnerable to pollution from emergency incidents, and the aspect of the environment that the FRS can protect most readily. The development of pollution prevention in all areas is, however, seen as a core function in a CRMP. Please see guidance on developing an Environmental Plan.

Heritage: The main criteria used in selecting buildings designated as having Heritage Status are:

1. Architectural or historic interest: this includes buildings that illustrate important aspects of the nation’s social, economic, cultural, or military history.
2. Group value, especially where buildings comprise an important architectural or historic unity or are a fine example of planning (such as squares, terraces and model villages).

Historic England provides a gazette of the National Heritage List for England that is official and up-to-date. The equivalents for the Devolved Administrations of the UK are:

Northern Ireland: Historic Buildings and Monuments
Scotland: Listed buildings
Wales: Listed Building Data Map

Community: This refers to the impact of a hazardous event on the wider community.

The British Insurance Brokers Association (BIBA) reports that government figures suggest nearly one in five businesses suffer a major disruption every year. It also adds that these records show that 80% of businesses affected by a major incident close down within 18 months.

Such disruption does not only occur in the commercial sector; local authorities and other public and voluntary sector organisations can also be victims of a major hazardous incident.

The consequential impact of such a major event can seriously affect the wider community, potentially for long-term periods, and can be a contributory factor in increased levels of crime, unemployment, and health and housing inequalities.

Appendix 2

Example in Practice

Cornwall Fire and Rescue – Workload Profiler

Cornwall included a review of their Prevention and Protection activities as part of their CRMP process. As part of this, Process Evolution was commissioned to support the service’s CRMP activities, and their Workload Profiler was used to size and cost the additional resources required to undertake different initiatives.

1. Analysis of systems data highlighted several actionable insights:

a) Outputs from reviewing HFSC suggested that resources were concentrated in areas which were already serviced by WT and DC resources, leaving some OC areas at risk
b) The approach to inspecting premises with SSRI had led to a discrepancy by crewing arrangement, similar buildings in On-Call areas were visited more infrequently
c) Fire Safety Audits were examined, with the process taking on average 1-hour longer than the national average.
d) Workload Profiler sized the resource requirements needed and flowed through as a key recommendation in our work, “Give Protection and Prevention teams sufficient resources to deliver their remit”.

2. This was particularly important for the Protection teams due to the long lead times required to train a competent Fire Protection Officer

3. Scenario analysis explored options around change

a) What if more audits were to fail?
b) What if we needed to go to every High-Risk property every 3 years
c) What if we stopped doing certain types of inspection

Appendix 3

Decision-Making Competencies


The Competency Framework for CRMP articulates the requisite competencies (behaviours, skills, knowledge, experience, and techniques) required to undertake CRM planning.

Within the competency frameworks, the following requisites are outlined for strategic level staff members, as well as risk analysis and implementation level staff members for decision-making:

Strategic level (FRA members, PFCC, CFO, chief officer team)

1. Effective and focused strategic decision-making skills. Keen awareness of organisational priorities and the community risk management plan’s focus.

2. Comprehensive understanding of the financial health and future challenges of the FRA/other governance arrangements.

3. Ability to align CRM planning with medium term financial planning and workforce planning to ensure coherent decision-making on the allocation of resources.

4. Financial management skills and sound understanding of funding, budget setting, forecasting and resource management.

5. Sound understanding of, and strong advocacy for, effective technological and digital solutions to assist with the development and management of community risk management planning processes.

Risk analysis and implementation level

1. Ability to interpret complex data and risk intelligence, understanding how this can influence community risk management planning and decision-making and aid effective risk horizon scanning.

2. Good understanding and use of technological and digital solutions to assist with the development and management of community risk management planning processes.

3. Understanding of the importance of aligning financial and other corporate planning with community risk planning.

4. Ability to develop and manage robust governance processes linked to community risk management plan risk recording and decision logging making sure that there is a good audit trail of decisions that are based on clear evidence.

5. Sound understanding of, and strong advocacy for effective technological and digital solutions to assist with the development and management of community risk management planning processes

Risk analysis and implementation level

1. Ability to interpret complex data and risk intelligence, understanding how this can influence community risk management planning and decision-making and aid effective risk horizon scanning.

2. Good understanding and use of technological and digital solutions to assist with the development and management of community risk management planning processes.

3. Understanding of the importance of aligning financial and other corporate planning with community risk planning.

4. Ability to develop and manage robust governance processes linked to community risk management plan risk recording and decision logging making sure that there is a good audit trail of decisions that are based on clear evidence.

As highlighted within the competency frameworks, most FRSs will have strategic leads for different areas of business, for example, Equality and Diversity, ICT, Data and Business Intelligence, Partnership Working, etc. Where there is no existing provision for this strategic leader role in the FRS’s community risk management planning process or access to a senior leader from elsewhere, it may be useful for the FRS to consider how best to ensure there is appropriate direction and accountability.