1. Introduction
All service, manufacturing, or extraction industries face a wide variety of risks. Some of these risks are minor, but some pose a significant threat to their survival. Identifying, analyzing, assessing, treating, and managing risks is part of the risk management duty of service managers. This paper focuses on the service sector of the economy, reviews risk concepts, approaches to risk management, and the tools and methods that service managers can use to protect their organizations. There is ample research on risks and their management in specific service industries, such as healthcare, air travel, hospitality, finance and banking, etc. However, the literature survey revealed only one journal publication that focused on services in general (Hollman and Forrest, 1991).
Hollman and Forrest (1991) focused on the risk management concept and its application to service businesses. They characterized risk management as the application of general management concepts and proposed a five-step process to help managers cope with risks of pure loss exposures. In addition, the authors proposed a set of insurance, noninsurance, and financing techniques to treat risks of loss.
The literature survey found two tangentially relevant publications, one by Hollman and Mohammad-Zadek (1984), who described the risk management concept and the process that is used in applying it in small businesses, and a second by Nordin et al. (2011) focusing on services provided by manufacturing companies. The authors of the paper examined the risks for manufacturing companies in extending their goods offerings by the addition of different kinds of services. They also developed a conceptual framework that helps manufacturing managers assess the risks of infusing various services into their offerings of goods.
The literature survey for this paper was conducted between 8/25/2025 and 10/14/2025 using the databases ABI/INFORM Complete, Academic Search Premier, Business Abstracts with Full Text, Business Source Premier, EBSCO Databases, JSTOR, and Health Source: Academic/Nursing Edition, using the keywords risks, enterprise risk management, healthcare, vulnerability, resilience, robustness, air travel, and hospitality industries.
The rest of the paper is organized as follows. Section 2 reviews risks in general and various definitions of risk from the literature. Section 3 discusses risk management and enterprise risk management as two approaches to managing risks in any organization. Section 4 is a review of types of risks in general. Section 5 discusses vulnerability, resilience, and robustness as relevant concepts in risk management. Section 6 reviews methods and tools that can help service managers decrease vulnerability, and increase the resilience and robustness of their organizations. Section 7 presents risks in air travel and their management as an example of risks in an important service industry. Section 8 presents risks and their management in hotels and resorts as another example. Section 9 is where a summary of the paper and conclusions are presented.
2. Risk Definition
This subtitle may give the impression that there is a single definition of risk. However, there is no universally accepted definition of risk among risk researchers or risk management practitioners. “The word ‘risk’ derives from the early Italian risicare, which means ‘to dare’” (Wolke, 2017). Risk and risk management scholars have proposed various definitions, some overlapping and others distinct. Before examining examples of risk definitions, it is important to distinguish between two types of risks.
Pure risks are those risks that can only lead to loss or no loss; there is no possibility of a gain. Pure risks can be insured if insurers are able to predict the potential losses and agree to cover them. Olson & Simkiss (1982) presented a review of fundamental concepts that must be recognized to adequately understand risk management: analyze the objectives of risk management, understand the basic nature of risk management, and identify and analyze appropriate alternatives. They also reviewed various financial insurance alternatives to protect the organization against pure risks. Speculative risks are those risks that may lead to loss or gain for the risk taker (Williams, 1966; Johnson & Flanigan, 1977; Hollman and Mohammad-Zadek, 1984; Hollman and Forrest, 1991; Wolke, 2017). This distinction seems to be accepted by both risk researchers and practitioners. Pure risks will be the focus in this paper.
The following is a sample of risk definitions from the literature:
“Risk is the ‘possibility of loss or injury’ and the degree of probability of such loss” (Kaplan and Garrick, 1981).
“Risk is “the possibility that bad or good things may happen” (Nason and Livvarcin, 2020).
“Risk is based on possible damage or the potential loss of a net asset position, with no potential gains to offset it” (Wolke, 2017).
“Risk equals the expected disutility” (Campbell, 2005).
“Risk can be defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives” (Kim, 2017).
“Risk refers to uncertainty about and severity of the events and consequences (or outcomes) of an activity with respect to something that humans value” (Aven and Renn, 2009).
“Risk is the potential of gaining or losing something of value” (Stamatis, 2019).
“Risk is a situation or event where something of human value (including humans themselves) has been put at stake and where the outcome is uncertain” (Rosa, 1998).
“A common definition of risk includes two dimensions: the probability of occurrence and the associated consequences of a set of hazardous scenarios” (Gardoni and Murphy, 2014).
“Risks, or equally risk events (noun), refer to future events with undesirable consequences without specific regard to intent, and hence include accidents and non-accidents” (Pinto and Magpili, 2015).
“We consider a future activity [interpreted in a wide sense to also cover, for example, natural phenomena], for example, the operation of a system, and define risk in relation to the consequences (effects, implications) of this activity with respect to something that humans value” (Aven et al., 2018, Society for Risk Analysis Glossary).
Risks created by “unknown unknowns” as described by former defense secretary Donald H. Rumsfeld (DoD News Briefing, 2002) should be added to these risk definitions (Kim, 2017). The probability and impact of these events are impossible to know. Some of the events that fit this description include Ebola virus disease (EVD), severe acute respiratory syndrome (SARS), COVID-19, mad cow disease, and the horse meat scandal. Another hard-to-predict, low-probability, high-impact extreme outlier category of events that are almost impossible to predict are known as “Black Swans” (Taleb et al., 2009). Some examples of black swan events are the “Black Monday” stock market crash of October 19, 1987, the “Dot Com” crash of 2002, and the September 11 terrorist attacks.
For the purposes of this paper, the following definition of risk will be used:
“Risk is the uncertainty about and severity of the consequences, effects, implications, of an activity, including natural phenomena, with respect to something that humans value.”
This definition is consistent with Rosa (1998), Aven and Renn (2009), and (Aven et al., 2018, Society for Risk Analysis Glossary).
It should be noted that researchers and practitioners in different sectors of the economy, such as manufacturing, agriculture, mining, finance and banking, air travel, healthcare, hospitality, etc., have developed risk definitions that are appropriate for their sectors. “… each disciplinary literature on risk can similarly be categorized to provide unique epistemological perspectives. As a result, all the disciplines have something valuable to add to our understanding of risk” (Althaus, 2005). Risk definitions for one segment of the service sector, air travel and airports, will be reviewed as an example later in the paper. It should also be noted that types of risks and their relative importance for an organization depend on the specific features of the organization, such as industry characteristics, and services and goods produced (Wolke, 2017).
Regardless of how they may be defined, risks must be managed. There are two major approaches that are commonly used in manufacturing and service organizations: risk management (RM) and enterprise risk management (ERM). The next section will review these approaches.
3. RM and ERM
An early definition of Risk Management (RM) states that it is “the process of planning, organizing, directing, and controlling the resources and activities of an organization so that the possibility of loss or injury is reduced to the lowest possible level at the lowest cost” (Dillon et al., 1984). RM is a process “that identifies loss exposure faced by an organization and selects the most appropriate techniques for treating the loss exposures” (Rejda et al., 2022); as such it focuses on the negative, threats, and failures (Kaplan and Mikes, 2012). The major criticism of RM is that risks are dealt with in “silos”, each function of an organization, such as operations, finance, marketing, etc., focusing on and dealing with its own risks (Fraser et al., 2021).
Enterprise risk management (ERM) is advanced RM that deals with all major risks faced by an organization; pure risk, speculative risk, strategic risk, operational risk, and financial risk are the major risk categories (Rejda et al., 2022). Some authors consider more categories of risks managers must deal with, such as market, credit, legal, and reputation risks (Crouhy et al., 2023). ERM is also referred to as “holistic risk management” (Schneier and Miccolis, 1998). In other words, ERM must be aligned with the strategy and mission of an organization (Hardy, 2015). Nocco and Stulz (2022) reviewed the benefits of ERM as creating value for shareholders and examined the practical issues in the implementation of ERM. Like the lack of a universally accepted risk definition, many researchers and practitioners have offered different definitions of ERM (See Bromiley et al., 2015). The following is a small sample of ERM definitions from the risk literature:
ERM is a structured and disciplined approach to help management understand and manage uncertainties and encompasses all business risks using an integrated and holistic approach (Sobel and Reding, 2004).
Enterprise Risk Management (ERM) “is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.” RIMS (The Risk Management Society) (2025).
“Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses” (Hayes, 2025).
“The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.” (COSO, 2020) (COSO is a private sector initiative sponsored by five accounting- and auditing-related associations).
Various professional organizations and researchers have proposed frameworks and conceptual models for ERM. Three well-known frameworks by professional organizations are by COSO (2017), International Organization for Standardization (ISO, 2018), and CAS (2003) (See Sidebar, ERM Frameworks by three professional Societies). These frameworks and models have been designed for business organizations in general; they are applicable to both service and manufacturing organizations. However, none of them is considered to be a “one size fits all” type of model; each organization is likely to make modifications, depending on the services or goods (See the Appendix Notes).
ERM and its implementations have been criticized in the literature. Bromiley et al. (2015) identify limitations and gaps in ERM implementations that management scholars are best equipped to address. Paape and Speklé (2012) point out that their research found that the COSO ERM framework does not contribute to risk management effectiveness. Similarly, Fraser et al. (2024) provided a review of literature investigating “why many organizations fail or flounder in their attempts to implement ERM.” Horvey and Odei-Mensah (2023) present a comprehensive literature review on the measurements and performance of ERM and conclude that, despite mixed findings on ERM and firm performance in the literature, they have found enough evidence that ERM positively affects firms’ performance and shareholders’ value. See also a literature review by Anton and Nucu (2020) for ERM adoption, determinants of ERM implementation, and the effects of ERM adoption (See the Appendix Notes).
4. Risk Types
All ERM frameworks and models in the literature require the identification and understanding of the risks an organization deals with. Mishra et al. (2019) identify four general categories of risks: strategic, operational, financial, and hazard. Kaplan and Mike (2012) identify three risk categories: preventable, strategy, and external. Francis (2019) provides a more comprehensive list of risks: market and financial risk, credit risk, physical assets risk, operational risk (including crime risk, technology risk, cyber risk, regulatory risk, people risk, legal risk, model risk, data risk, reputational risk, project risk, strategic risk, and supply chain risk). Damali et al. (2021) developed “a comprehensive model of the risks of customer participation in service delivery, integrating research from the marketing, operations and supply chain management, strategy, and information technology fields.” Specific risk types in airline operations, air traffic control, and airport management will be discussed later in the paper.
5. Relevant Concepts Related to Risk Management
Any discussion of risks and their management inevitably includes three relevant concepts: vulnerability, resilience, and robustness because of their close relationships (Scholz et al., 2012; Haimes, 2009; Aven, 2011; Zheng et al., 2021; Neuvel et al., 2015; Mentges et al., 2023; Brand and Jax, 2007). Scholz et al. (2012) show how these terms can be consistently defined based on a decision-theoretic, verbal, and formal definition. Any organization using some kind of risk management framework must deal with these concepts and make use of them for risk management and protection of an organization against various risks. Although there are a few other concepts relevant to risk management, such as redundancy in systems (e.g., backup generators), flexibility, reliability, and adaptiveness, the following discussion will focus only on the three concepts listed. As in the definition of risk, various researchers offer a variety of different definitions and interpretations of the three concepts.
5.1. Vulnerability
Merriam-Webster (MW, 2025) defines “vulnerable” as “capable of being physically or emotionally wounded: open to attack or damage: assailable”. According to the Cambridge Dictionary (CD, 2025), vulnerability is “the quality of being vulnerable (=able to be easily hurt, influenced, or attacked), or something that is vulnerable.” Clearly, any vulnerable organization is at risk and susceptible to loss of lives and/or damage to property.
Vulnerability, resilience, and robustness are frequently researched subjects in risk theory, many fields of natural science, risk management, and business management. Gallopín (2006) offers a perspective to identify and analyze relations among vulnerability, resilience, and adaptive capacity in socio-ecological systems and “specification of the terms to develop a shared conceptual framework for the natural and social dimensions of global change.” McEntire (2011) suggests that vulnerability is related to both liabilities and capabilities that influence the impact of a disaster and reviews four methods for addressing vulnerability. Neuvel et al. (2015) proposed vulnerability reduction strategies for land use planning projects in the Netherlands.
Adger (2006) defines vulnerability as a state of “susceptibility to harm from exposure to stresses associated with environmental and social change and from the absence of capacity to adapt” and identifies challenges to vulnerability research as developing robust measures and incorporating diverse methods for including perceptions of risk and vulnerability. Based on reference frameworks in classical statistical physics, Gheorghe and Vamanu (2004) develop a method to diagnose the current vulnerability of a complex system, as well as to dynamically monitor the time-evolvement of the vulnerability.
Berkes (2007) explored how resilience thinking helps deal with uncertainty and change and discusses how building resilience reduces vulnerability. Aven (2011) points out the inconsistencies in the definitions of risk, vulnerability, and resilience and proposes a framework in which all three concepts incorporate the uncertainty (probability) dimension. Scholz et al. (2012) identify two types of vulnerability: static and dynamic. When the vulnerability of a system is viewed at a certain point in time, it is static vulnerability, and it equals risk. Dynamic is when vulnerability is considered over a period.
Leino et al. (2024) “examine multifactor vulnerability and balanced centricity (beyond customer-centricity) in value creation and value cocreation during disruptive shocks.” Fleming (1998) developed a model to offer a framework for managers to help them conduct an analysis of their organization’s vulnerability and to take appropriate countermeasures to contain the risks arising from terrorism. Nyanchama (2005) provides insight into defining and implementing effective vulnerability management programs as part of information security management.
Kamalipoor et al. (2023) conducted a bibliometric analysis of vulnerability reduction in technology-based business research and considered four strategies for vulnerability reduction. Kubacki et al. (2020) proposed an integrative framework for vulnerability analysis in social marketing systems by identifying the relationships among power, power asymmetry, vulnerability, and resilience. Bongiovanni and Newton (2019) examined the ways modern international airports can create their own security problems by adopting practices, attitudes, and behaviors that could increase their overall level of vulnerability.
5.2. Resilience
Hollings (1973) was the first to introduce the concept of resilience in ecological systems. This work has had significant impact in the fields of ecology, environmental management, ecological economics and the impact of global change on the lives of humans. He stated that “Resilience determines the persistence of relationships within a system and is a measure of the ability of these systems to absorb changes of state variables, driving variables, and parameters and still persist.” “Improving a system’s resilience offers significant advantages in managing risk; improving the resilience of a system constitutes an integral part of the risk management process” (Haimes, 2009).
Today, the concept of resilience has been discussed in relation to and applied to many systems. Ecologists make a distinction between engineering and ecological resilience. Levin and Lubchenco (2008) define engineering resilience as “the rate at which a system returns to a single steady or cyclic state following a perturbation” and ecological resilience as “the amount of change or disruption that is required to transform a system from being maintained by one set of mutually reinforcing processes and structures to a different set of processes and structures.” Interestingly, these researchers do not make any distinction between resilience and robustness. The focus of this paper will be on engineering resilience relating to all service systems.
Kruk et al. (2015) define healthcare resilience as “the capacity of health actors, institutions, and populations to prepare for and effectively respond to crises; maintain core functions when a crisis hits; and, informed by lessons learned during the crisis, reorganize if conditions require it.” Halekotte et al. (2025) identify three understandings of resilience in human-made and natural systems as a process, an outcome, and a capacity, and suggest that only resilience should be understood as a capacity. With reference to supply chains, Christopher and Peck (2004) and Melnyk et al. (2014) state that resilience must be designed into the system. Furthermore, Melnyk et al. (2014) identify two critical capacities of a resilient system: “the capacity for resistance and the capacity for recovery.” The first, resistance, defines a system’s ability to delay a disruption and reduce the impact once the disruption occurs. The second, recovery, defines the ability to recover from a disruption.
Tasic et al. (2020) developed a multilevel approach to design a framework with which an organization can self-assess its crisis preparedness and response capacity and thus enhance resilience. Tortorella et al. (2023) investigated the relationship between soft lean practices implementation and organizational resilience development in the service sector. Barasa et al. (2018) conducted a review of empirical literature from both the health and other sectors on organizational resilience. They found that the resilience of organizations was influenced by a set of factors, including material resources, preparedness, information management, and redundancy. Hall et al. (2023) identify research approaches and issues in relation to three types of resilience: engineering, ecological, and socio-ecological resilience. The authors provide a synthesis of the core elements of each resilience approach and their implications for hospitality and tourism. O’Connor et al. (2025) performed a bibliometric analysis to examine existing literature on hospitality and tourism small and medium enterprises (SMEs) and their resilience.
Vainieri et al. (2024) studied the definition and operationalization of resilience in health system performance assessments in European Union countries. They examined resilience and how it was defined and operationalized into key performance indicators in European Union countries. Leino et al. (2024) propose a framework of balanced centricity and service system resilience for service sustainability. Wandelt et al. (2025) developed a novel airport resilience measure, the Global Airport Resilience Index (GARI). Through interviews with international health systems experts, Paschoalotto et al. (2023) found that the COVID-19 pandemic did modify experts’ views on various aspects of health system resilience.
Walker (2020) presented an interesting view of what resilience is and is not: “The simplest definition of resilience is the ability to cope with shocks and to keep functioning in much the same kind of way… Resilience is about learning how to change in order not to be changed.” Walker (2020) also states that “resilience is not always good and desirable. Evil dictatorships, salinized landscapes, and psychotic states in people can be very resilient. The problem in such cases is to know how to reduce their resilience.” Gallopín (2006) identifies and analyzes the conceptual relations among vulnerability, resilience, and adaptive capacity within socio-ecological systems.
5.3. Robustness
Like resilience, robustness is an important concept both in engineering and in some other sciences including medicine, ecology, biology, and hydrology. In engineering, robustness is applied to the design of goods and manufacturing processes. Japanese quality expert Professor Genichi Taguchi is credited with developing methods for both (Taguchi, 1986; Taguchi and Clausing, 1990; Taguchi et al., 2005). Taguchi (1986) defined robustness as “the state where the technology, product, or process performance is minimally sensitive to factors causing variability (either in the manufacturing or the user’s environment) and at the lowest unit manufacturing cost.” In other words, a robust product or process will not deviate from its target design performance specifications because of factors in the environment or in use that may cause variability.
Weiss and Goldberg (2019) show how robust processes reduce variability in service systems and achieve customer satisfaction. Scholz et al. (2012) state that robustness can be seen as an antonym of vulnerability. Stewart (2003) introduced a framework based on the three T’s of task, treatment, and tangibles for designing a robust service encounter for improved quality.
5.4. Bringing the Three Together
It should be clear from the above discussion that vulnerability, resilience, and robustness are closely related and play critical roles in service risk management. Strategies and tools for reducing vulnerability, and increasing the resilience and robustness of service systems should be deployed for a successful defense of any service organization against risks. Identifying risks and reducing, avoiding, or transferring them whenever possible should be the first step in reducing vulnerability and increasing the resilience and robustness of service systems. Insurance against pure risks is one way to transfer some risks to other entities. Investing in redundant equipment such as emergency generators for hospitals, hospitality establishments, and airports helps increase the resilience of these organizations. Using multiple suppliers (for food, supplies, components, and parts) for airlines, hospitals, and hotels also decreases vulnerability and increases resilience. Investments in state-of-the-art information systems and software against cyber-attacks are crucial for risk management. Designing robust and flexible processes, and continuously monitoring economic, political, climatic events, threats, and emerging trends should be part of preparedness for risk events.
6. Tools and Methods
6.1. Poka-Yoke (Error-Proofing)
Tools and methods, mostly from manufacturing management, should be utilized for reducing vulnerability and increasing the resilience and robustness of service systems for effective and efficient risk management. One of the most useful and widely used tools in manufacturing is poka-yoke, also known as fail-safe, error proofing, or mistake proofing, a method that was developed by the Japanese quality expert Shigeo Shingo (1986).
Shingo (1986) developed this method for manufacturing. In manufacturing processes, it utilizes an automatic device or method which makes it impossible for an error to occur or alerts the operator and stops the process so that the error can be corrected. A simple example of error proofing in recycling waste is color-coding trash bins to make separating materials easier. In product design, parts or sub-assemblies are designed so that they can be assembled in only one, the correct way (Dvorak, 1998; Grout, 2006). Another example is SIM cards; they have been designed with a notch so that they can be inserted into a cell phone in only one way. Stewart and Melnyk (2000) introduce the method, implementation steps, and metrics of poka-yoke for manufacturing systems through four building blocks.
Despite its manufacturing origin, poka-yoke has been recommended and applied in improving many services. Chase and Stewart (1994) focused on the application of poka-yoke in services. The same authors provided detailed coverage of the technique in their book for both manufacturing and services (Chase and Stewart, 1995). Stewart and Grout (2001) provided a scientific basis for poka-yoke (mistake-proofing) concerning human error by drawing upon research from psychology and cognitive science.
Poka-yoke can be very useful in designing and improving service delivery processes when used together with service blueprinting. Originally developed by G. Lynn Shostack (1984, 1992), service blueprinting is a visual representation of a service process as a flow chart (Seyring et al., 2009). It shows how the components of a service are connected and how they interact. Studying the blueprint can help identify where in the process failures may occur and change the design or develop countermeasures to prevent them. Obviously, service blueprinting can also be used for simply improving the service process and introducing innovations (Kingman-Brundage, 1989; George and Gibson, 1991; Bitner et al., 2008). Clearly, poka-yoke and blueprinting together will improve the resilience and robustness of services and reduce vulnerability to service failure risks.
There are quite a few applications of poka-yoke in numerous services. Lee et al. (2019) provide a taxonomy of security management approaches from the organizational security management perspective for the application of mistake-proofing tools in security management. Jin et al. (2012) proposed a method for the analysis of medication incidents and the systematic planning of error-proofing (EP) countermeasures. Using a panel of healthcare professionals, Kovach et al. (2013) reviewed 150 error-proofing strategies for medical error prevention and ranked them based on effectiveness, cost, ease of implementation, and mitigation of errors. Grout (2006) discussed how healthcare processes should be designed to prevent medical mistakes and improve patient safety. The World Health Organization (WHO, 2016) has published a monograph to raise awareness among WHO member states to reduce medication errors in primary care. This publication covers causes of medication errors and potential solutions.
6.2. Failure Mode and Effect Analysis (FMEA)
Another tool from manufacturing engineering for risk management and risk reduction is FMEA. It was developed for the U.S. military in the 1940s. Its purpose is to identify potential failures or risks in a product or process design, so that they can be eliminated or countermeasures can be implemented. Failure mode means the specific way a product or process can fail. Effect analysis focuses on studying the consequences of those failures.
Application of FMEA requires a multidisciplinary, cross-functional team from all fields of expertise related to the product or process (see https://asq.org/quality-resources/fmea for a step-by-step implementation of FMEA). Most applications of FMEA use root-cause analysis (RCA) and the “5 Why’s” process. In a service setting, a successful application of FMEA would reduce the vulnerability of a service process and increase the resilience and robustness of the process.
FMEA can also be used to study product or service failures after they occur, for improvements and developing countermeasures for their prevention. RCA can be used to discover the causes of failures rather than symptoms. RCA is a systematic investigative procedure for identifying the true sources that lead to failures in services and service processes (See NCPS, 2021 for a detailed guideline for RCA). RCA is usually accompanied by the “5 Whys” process (Serrat, 2017; Vidyasagar, 2016). Three other tools from manufacturing, Pareto charts, service blueprinting (or flow charts), and Ishikawa (or Fishbone, or cause-and-effect) diagrams, can be used to aid the FMEA and RCA procedures. These simple, easy-to-use graphical tools are covered in most operations management textbooks.
6.3. Root-Cause-Analysis (RCA)
RCA has widespread applications in risk identification in healthcare. In their seminal report on medical errors, the Institute of Medicine’s Committee on Quality of Health Care in America (Kohn et al., 2000) states that RCA “requires that an organization experiencing a sentinel event conduct a root cause analysis, a process for identifying the basic or causal factors of the event.” Askari et al. (2017) used FMEA together with RCA to examine the hazards associated with the process of service delivery in the intensive care unit (ICU) of a tertiary hospital in Iran. Chia et al. (2024) studied the integration of Healthcare Failure Mode and Effect Analysis (HFMEA) with RCA and a service blueprint to mitigate medical risks and enhance mass casualty triage efficiency in emergency units. Khorsandi et al. (2012) reviewed the quality of the adverse incident reporting system and the RCA of serious adverse incidents at the Department of Surgery of Ninewells Hospital, in Dundee, United Kingdom. Doggett (2005) reviewed the cause-and-effect diagram, interrelationship diagram, and current reality tree as tools that can be used with RCA.
6.4. Pareto Charts
Named after the Italian economist Vilfredo Pareto, Pareto charts are used to identify the frequency or costs of types of failures in a failed service process so that corrective actions can be focused on the most frequently occurring or most expensive failures first. It is based on the 80/20 rule, which states that 80 percent of failures are caused by 20 percent of possible causes. The cause-and-effect diagram was created by the Japanese quality expert Kaoru Ishikawa (1985, 1991). The diagram is used to identify causes or sources of errors such as equipment, people, materials, environment, and processes. Sub-causes emanating from these are also represented in the diagram.
FMEA and the associated tools have been used in manufacturing and many services (Reid, 2005; McCain, 2006). A detailed coverage of the method can be found in Stamatis (2019). Malekjahan et al. (2025) used FMEA to determine and score existing risks in aviation. Pourmadadkar et al. (2020) conducted a risk assessment study on the CABG (coronary artery bypass grafting) process.
An integrated approach, based on FMEA, Quality Function Deployment (QFD), and MCDM (multiple-criteria decision-making) techniques, is proposed to identify and prioritize the disruptions in the process and present corrective activities to avoid them. Ye et al. (2024) studied steps from COVID-19 patients’ admission to intensive care unit to treatment to discharge and found that potential risks existed to cause nosocomial infection. They used a flow chart for process analysis and developed improvement suggestions based on the FMEA. Sun et al. (2025) investigated the effect of healthcare failure mode and effects analysis (HFMEA) in the management of patients with intrathecal morphine pump implantation.
Kuwaiti (2016) conducted a study to analyze the effect of the Six Sigma methodology, together with FMEA, a Pareto chart, and poka-yoke, in reducing medication errors in the outpatient pharmacy in a Saudi Arabia hospital. Hambleton (2005) used FMEA and RCA in examining real or potential failures in a healthcare compliance program.
7. Risks in Air Travel and Their Management
As an example, regarding risks and their management in services, this section will focus on risks in air travel. Air travel is one of the most important industries in the service sector. The following statistics give an idea about the magnitude of airline operations in the U.S.: based on 490 air carriers, a total of 95.3 million departures were performed from January 2014 to June 2024; in 2024 this number was 10,672,803 departures. Between 2002 and 2024, a total of 19,296,544,405 passengers were carried by all airlines; in 2024, the number of passengers of all airlines was 1,107,987,703 (BTS, 2025). IATA (2025) forecasts total passenger revenue for world airlines as $693 billion in 2025.
“Air travel” is used as an umbrella term for its most important components: airlines/airplanes, air traffic control, and airports. Each one of these components has a long list of risks concerning human lives and property. It is not possible or necessary to give an exhaustive list of all these risks to understand the threats to which humans may be exposed; only the most important risks will be reviewed.
The most important risks in airline operations are:
1) Pilot fatigue/pilot health
2) Terrorist attacks targeting airplanes
3) Air traffic control errors
4) Cyber-attacks on airports
5) Runway incursions
6) Runway excursions
7) Unmanned aerial vehicles (UAVs)
Physical and mental pilot fatigue, as well as pilot health, is one of the greatest concerns for airflight safety. Risk literature, as well as healthcare, transportation, and safety literatures, are replete with research and countermeasures on this topic. A Position Paper prepared by a special subcommittee of the Aerospace Human Factors Committee of the Aerospace Medical Association reviewed the relevant scientific literature, summarized applicable U.S. civilian and military flight regulations, evaluated various in-flight and pre-/postflight fatigue countermeasures, and described emerging technologies for detecting and countering fatigue (Caldwell et al., 2009). Hartzler (2014) provided a literature survey detailing both the health and safety concerns of fatigue among commercial pilots, as well as benefits and risks associated with strategic napping to alleviate this fatigue. van Drongelen et al. (2017) surveyed 504 airline pilots through an online questionnaire, including person, work, health, sleep, and lifestyle-related characteristics, to determine risk factors for fatigue among airline pilots.
Wingelaar-Jagt et al. (2021) described the pathophysiology, epidemiology, and effects of fatigue and its impact on aviation, as well as several aspects of fatigue management and recommendations for future research in this field. Minoretti and Emanuele (2023) provided a comprehensive review of the most common health issues experienced by commercial airline pilots and concluded that taking care of pilots’ health and ensuring public safety will require a collaborative effort among airlines, governments, and regulators. Zhu and Chen (2023) studied the impact of fatigue on flight safety through a structural equation model and concluded that, compared to physical fatigue, mental fatigue is more likely to occur in pilots and present a more serious risk.
Nicolas (2024) developed a chronological account of major aviation-related terrorist attacks, including the hijacking of aircraft and attacks, and emphasizes the need for advanced technologies and stringent national and international regulations to combat aviation terrorism. Airline hijackings and deaths resulting from them have significantly decreased since the peaks in the 1970s, mainly due to stricter controls and countermeasures taken by governments and airlines (Korecki and Hoika, 2022). Consequently, terrorist attacks on airplanes are still serious but low-probability risks.
Air traffic control errors may originate from the fatigue of controllers or lack of appropriate training. Russeng et al. (2021) found no significant relationship between working period and work fatigue, while work shift and workload have a significant relationship with work fatigue in air traffic controllers. Li et al. (2021) investigated the relationship between traffic volume, air traffic management occurrences, and fatigue with the participation of 57 European Air Navigation Services air traffic controllers (ATCO). They concluded that ATCO fatigue levels are not the main contributory factor associated with air traffic management occurrences. They recommended sufficient rest breaks and roster schedule optimization, as well as task loads that may induce fatigue. Choi (2024) studied risks air traffic controllers may create that cause airline pilots to commit errors during descent and identified understanding controller accents, changes of runway, and difficult clearance of altitude change.
Cyber-attacks are one of the most serious risks. Air traffic control operations, communications, and airport services (check-ins, baggage handling operations) can be disrupted, causing flight cancellations and many hours of flight delays. Cano et al. (2016) analyzed the impact of cyber-attacks whose main goal is to take hold of airport information technology and operations. Gopalakrishnan et al. (2013) recommended a defense-in-depth approach in securing airports from cyber vulnerabilities, where one does not rely on any one security mechanism to prevent all potential threats.
Runway incursions are defined as “Any occurrence at an aerodrome involving the incorrect presence of an aircraft, vehicle, or person on the protected area of a surface designated for the landing and takeoff of aircraft.” (FAA, 2025a). Omosebi et al. (2023) investigated the relationship between airport geometry, mitigating technologies, and the number of runway incursions at 30 large hub airports in the United States using a random effects Poisson model for analyses of panel data. Wang et al. (2018) investigated the factors that contribute to runway incursions.
Another runway risk is runway excursion (RE). “A runway excursion is a veer off or overrun from the runway surface. These surface events occur while an aircraft is taking off or landing and involve many factors ranging from unstable approaches to the condition of the runway” (FAA, 2025b). Lee (2023) investigated the most important causal factors of RE and proposed countermeasures to mitigate potential risks in Taiwan region.
Pyrgies (2019) studied unmanned aerial vehicle (UAV) or drone incidents around airports worldwide and found that “those incidents are more numerous than anticipated and happen higher and further from the airports than expected.” Kobaszyńska-Twardowska et al. (2022) proposed a risk management model for dealing with threats to aviation by UAVs. Lykou et al. (2020) presented a survey of drone incidents near airports and a literature review of sensor technologies able to prevent, detect, identify, and mitigate rogue drones. Habler et al. (2023) provide a review of aircraft systems and their various networks, emphasizing the cyber threats to which they are exposed and the impact of a cyber-attack on them and their networks.
Clearly, there are more risks that managers in three components of air travel must deal with, such as supply chain risks (e.g., parts, fuel, and food for airplanes), wildlife strikes, apron accidents, weather events (e.g., snow, hail, thunderstorms, lightning strikes, hurricanes, tornadoes, etc.), and disruptive passengers.
8. Risks in the Hotel and Resort Industry and Their Management
Hotels and resorts constitute another major industry in the service sector. Globally, their market size was estimated to be $1.5 trillion in 2023 (Bachman, 2025). The industry consists of a wide variety of establishments—from small independent hotels to luxury hotels and resorts. Their main functions include the provision of lodging, food services, information, recreation, and entertainment.
The most important risks in the hotel and resort industry are:
1) Natural disaster risk
2) Terrorist attacks
3) Physical/security risk/Theft of valuables
4) Operational risks
8.1. Natural Disaster Risk
Natural disasters like hurricanes, tornadoes, tsunamis, earthquakes put lives of customers and staff and property in risk especially at coastal areas. Managers of these establishments have the duty of reducing the vulnerabilities such as power systems, telecommunications, water, and food supplies. Managers must make sure their systems’ vulnerabilities have been reduced. This can be achieved by increasing resilience and robustness of their systems like stocking emergency supplies of food and beverages, constantly monitoring weather reports, having redundant power generation equipment, and maintaining healthcare support (e.g. doctors, nurses, medical emergency responders), arranging alternative lodging for guests and training staff for disaster response. Naturally, these will increase operating costs of a hospitality establishment, however staying vulnerable against natural disaster may have much higher costs in human lives and property damage.
Brown et al. (2019) investigated the measure of disaster resilience within the hotel sector in an exploratory quantitative study. Data were collected from hotel general managers and staff in two New Zealand tourist destinations. They found that hotels in the sample have positive attributes of disaster resilience. They also recommended areas of future focus for resilience-building. Brown et al. (2021) explored hotel disaster resilience with a multiple methods approach, utilizing a capital-based framework. They recommended the need to develop an all-hazards approach to training and exercises and to integrate staff fully in the process. They also stated that the development of multiple resources prior to a disaster and continued investment afterward can enhance and build disaster resilience over time.
Johnston et al. (2007) evaluated staff training for emergencies, emergency management exercises, and hazard signage within motels and hotels in Ocean Shores, Washington, USA. They also made suggestions on how to improve preparedness, including a natural hazard warning system, and training designed within the wider context of effective warning systems: early warning and notification, response planning, discussion and communication, and education. Orchiston (2013) examined tourism business disaster planning in areas at risk from low-frequency/high-consequence natural disasters. The author presented empirical findings from a tourism business survey in the Southern Alps of New Zealand, an area with high seismic risk that supports a tourism industry comprising many micro-sized, owner-operated businesses.
8.2. Terrorist Attacks
Terrorism has been a difficult word to define; there is no legal or scientific agreement on the definition of terrorism. Encyclopedia Britannica (EB, 2025) defines terrorism as the calculated use of violence to create a general climate of fear in a population and thereby to bring about a particular political objective. The FBI’s (2025) definition is “Violent, criminal acts committed by individuals and/or groups who are inspired by, or associated with, designated foreign terrorist organizations or nations.” According to a Heritage Foundation Report (Muhlhausen and McNeill, 2011), “Between 1969 and 2009, there were 38,345 terrorist incidents around the world. Of these attacks, 7.8 percent (2981) were directed against the United States.” Wernick and Von Glinow (2012) identify the reasons why terrorists target luxury hotels: 1) they are symbolic targets of Western affluence; 2) like restaurants and nightclubs, they are “soft targets”; 3) a successful attack on a five-star property can yield high rewards equivalent to an attack on an embassy; 4) changing organizational composition of the terrorist groups themselves.
Paraskevas (2013) proposed a six-step baseline strategy to address terrorist threats targeting hotels. Based on the generic crisis management literature, the study showed that there is a need to expand the understanding of the security function from its classic approach of “detect-deny-respond” to a model with six building blocks that can become the framework for the development of a strategy to protect hotels against terrorism.
Department of Homeland Security (DHS, 2010) has prepared a guide to protect the US lodging industry against terrorist attacks and cyber-attacks. The guide outlines the key vulnerabilities of hotels. It discusses manmade hazards, accidents, and natural disasters, and proposes protective measures including planning and preparedness, incident response, monitoring, surveillance, inspection, and information security and cybersecurity to reduce vulnerabilities and increase resilience and robustness. Another useful source for terrorism preparedness and prevention is a handbook edited by Schmid (2021), which contains papers on prevention of preparatory acts, prevention of, and preparedness for, terrorist attacks.
8.3. Physical/Security Risk/Theft of Valuables
Although rare, hotel and resort guests may be targets of physical attacks or their valuables may be stolen. Large hotels usually have security staff and closed-circuit television (CCTV) monitoring hallways of guest rooms and other critical parts of the hotel (e.g., garage, delivery areas), as well as well-designed lighting of hallways and corridors. Training for both the security and general staff and installing a state-of-the-art CCTV system would reduce the vulnerability of guests and their property.
8.4. Operational Risks
Hotels have many departments and systems to serve their guests. Some of these include front office, booking and reservation, restaurant(s), bar(s), kitchen, food and beverage, room service, housekeeping, laundry, heating and cooling, plumbing, electrical, telecommunications, maintenance, and event and conference management. Another particularly important operational risk is the supply risk. Hotels have a complex supply chain and a variety of suppliers like food, beverage, linen, toiletries, cleaning, and maintenance supplies. Establishing strong ties and partnerships with suppliers for timely delivery of supplies and maintaining optimal inventory levels goes a long way to reduce most of the operational risks. Smooth operation of these systems is essential for guest satisfaction and hotel profits. Like any system, failures may happen in one or more of them; consequently, constantly monitoring and updating these systems and staff training are critical duties of hotel management.
9. Summary and Conclusion
This paper presented a review of risks in organizations and specific risks in services. Risk definitions from the risk research area, together with frameworks proposed by risk professional societies, specifically risk management (RM) and enterprise risk management (ERM), have been reviewed. In addition, concepts of vulnerability, resilience, and robustness, and the important roles they play in risk management, were discussed. Tools and methods, mostly from manufacturing management, were proposed as potential aids in reducing vulnerability and increasing resilience and robustness of organizations in their struggle with various risks. Finally, risks and their management in air travel (i.e., airlines, air traffic control, and airports) and hotel and resort industries were discussed as two examples.
This paper is an attempt to contribute to the literature in a long-neglected area of services research, namely risks in services in general and their management. This paper also reviews and recommends the application of tools and methods to reduce the vulnerability of service organizations and improve their resilience and robustness in dealing with a variety of risks, thereby equipping service managers for the defense of their organizations.
As mentioned above, the literature survey revealed only one journal publication on risks in services in general and their management. Being the second journal article on the subject, this paper may revive interest among service researchers to focus on this long-neglected area of service management. It is hoped that this paper will alert researchers to a wide-open area of services research and will encourage them to investigate various aspects of risks in services.
Future research may focus on risks in other service industries, such as specific healthcare branches, in more detail. Also, some researchers may investigate the applications of management science/operations research techniques for optimizing the resilience and robustness of service systems.
Appendix Notes
SIDEBAR: ERM Frameworks by three professional societies:
COSO (2017)
1) Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2) Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with the strategy; business objectives put the strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3) Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4) Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5) Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
ISO (2018)
1) Communication and Consultation: Assist relevant stakeholders in understanding risk, the basis on which decisions are made, and the reasons why particular actions are required.
2) Scope, Context, and Criteria: Customize the risk management process, enabling effective risk assessment and appropriate risk treatment.
3) Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation): Conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of stakeholders.
4) Risk Treatment: Select options for addressing risk. Specify how the chosen treatment options will be implemented.
5) Monitoring and Review: Assure and improve the quality and effectiveness of process design, implementation, and outcomes.
6) Recording and Reporting: The risk management process and its outcomes should be documented and reported through appropriate mechanisms.
SIDEBAR: ERM Frameworks by three professional societies (continued):
CAS (2003)
1) Establish Context: Define the relationship of the enterprise with its external and internal environments. Identify the risk categories relevant to the enterprise.
2) Identify Risks: Document the conditions and events (including “extreme events”) that represent material threats to the enterprise’s achievement of its objectives or represent areas to exploit for competitive advantage.
3) Analyze/Quantify Risks: Calibrate and, wherever possible, create probability distributions of outcomes for each material risk.
4) Integrate Risks: aggregating all risk distributions, reflecting correlations and portfolio effects, and expressing the results in terms of the impact on the enterprise’s key performance indicators (i.e., the “aggregate risk profile”).
5) Assess/Prioritize Risks: Determine the contribution of each risk to the aggregate risk profile, and prioritize accordingly, so that decisions can be made regarding the appropriate treatment.
6) Treat/Exploit Risks: Develop strategies, including decisions to avoid, retain (and finance), reduce, transfer, or exploit risk.
7) Monitor & Review: Continually gauge the risk environment and the performance of the risk management strategies.