Assessing and Understanding Organizational Risk in the Vacation Ownership World

Organizational risk comes in many forms, encompassing many different types of risk – budgetary, investment, legal liability, security, safety, just to name a few – and also includes all of the risk concerns as defined by its stakeholders.  Many companies do not devote enough attention to determining these risks. Managing risk is often done reactively after a triggering event, not proactively through thoughtful consideration of “what if” and strategic planning.


Getting Started


A risk assessment and planning session is often perceived as a daunting task whose end result will cause more work for team members who don’t have any more time to give. However, the opposite is often true: a session like this could result in time savings and allow people to perform their tasks more effectively and in less time, as well as offer a level of preparedness for the future and security for the present. Regardless, it is important for members of governance and management to sit down and perform a risk assessment to determine where risks lie. It is not probable that all of the risk areas identified can be addressed and changed in one, three or sometimes even five years. Prioritizing the resulting areas identified is key to success.


The process can be started by an exercise as simple as asking the following questions and brainstorming the responses:

  • Where is the resort exposed?
  • Do we monitor and report risks regularly and effectively?
  • What is our risk tolerance?
  • Do staff throughout the resort understand the concept of assessing and managing risk?
  • Are we paying enough attention to operations?
  • What types of risks do we need to consider?
  • How do we mitigate our own risk?
  • Have our service providers done a risk analysis and do they have plans in the event of a disaster?


The answers to these questions and others are what will lead the risk assessment and eventually shape a plan to address the risks identified.


Inherent Risks


The travel and leisure business is inherently susceptible to many risks. Part of the process is identifying a resort’s particular set of inherent risks. Performing this assessment with a group of staff, management and stakeholders at various levels and in various positions is beneficial, as there are many points of view and experiences to be considered. Some inherent risks for resorts include, but are not limited to:


  • Information security and data privacy concerns
  • Technology, infrastructure and systems failures
  • Economic developments and their effect on the supply and demand cycle
  • Risk of litigation
  • Access to adequate and affordable insurance coverage
  • Ability to borrow funds if needed for projects or disasters
  • Public perception of brand identity
  • Hiring and availability of qualified staff
  • Guest behavior
  • Consolidation trends
  • Tax exposure
  • Effects of new regulations or accounting pronouncements


The participation of various team members will assist the process by providing a more complete picture of where risks lie.  But it is important to keep in mind that not all significant matters identified can be addressed quickly or economically.  The most important and potentially damaging risks should be considered the highest priority and those that are easy to fix should be addressed quickly.


Risk Rating Criteria and Making a Plan


Once risks are identified, they should be placed into groups. One way is to use a scaled system, with a risk rating of 1 for the lowest-impact, most insignificant risks and a risk rating of 5 for those with the most impact and significance. The following table describes a potential risk rating scale and the impact of the mitigation:


Risk Rating | Impact | Impact Description
1 | Low | No impact on operations; items can be delegated to staff
2 | Low to Moderate | Consequences can be absorbed in normal operations; items can be delegated to middle management
3 | Moderate | Short-term negative impact on administration or operations; financial impact is manageable; senior and middle management must resolve
4 | Moderate to High | Short- to mid-term negative impact on administration or operations; financial impact is considerable; senior management and Board must be involved
5 | High | Long-term negative impact on administration or operations; financial impact is significant; probable Board action to address; major impact to implementing strategic plan


The next step is to determine the likelihood of an occurrence.  The following rating table can be used for this purpose:


Likelihood of Occurrence
1 – Remote | Only in exceptional circumstances; less than 5% probability in upcoming year
2 – Unlikely | Could occur at some time; more than 5% but less than 25% probability in upcoming year
3 – Possible | Should occur at some time; more than 25% but less than 50% probability in upcoming year
4 – Likely | Will probably occur; more than 50% but less than 90% probability in upcoming year
5 – Almost Certain | Expected to occur; more than 90% probability in upcoming year


Obviously, the magnitude of the impact of a risk and the likelihood of its occurrence greatly vary and drive the course of action in cost, timing and planning.  The higher the risk rating and probability, the higher the impact to the resort and the greater need for decisive and well-planned action.


Follow Up


Once risks are identified and stratified and a plan is in place, the mitigation begins and risks are addressed. However, the risk assessment process is not a one-and-done exercise, or even an every-second-year or every-fifth-year exercise. The process should be performed every year as things change – previous risks identified may no longer be risks and risks that were not present previously can appear. Further, both market and physical conditions can change, and a resort will need to address how these changes affect the risks identified. Some of the changes that can occur which would affect risk assessment are:


  • Change in the leadership team or management
  • A natural disaster and minimal to large-scale damage
  • Market conditions for rentals, collection and general economic trends
  • Litigation threatened or pending
  • Change in competition in the operating market
  • Access to qualified labor
  • Newly identified risks found while mitigating other risks


It is also important to review the effectiveness of the actions taken previously and adjust the plan accordingly.  A resort that properly implements a risk assessment process and follows through with decisive and effective action is likely to be healthier and more nimble in the face of challenges that present themselves.  An added benefit of the process is the engagement of team members, management and stakeholders towards a common goal, which increases effectiveness and productivity.



Withum provides clients in the hospitality, vacation ownership and other industries with assurance, accounting, tax compliance and consulting services. For further information about Withum and the services they provide to the industry, contact Lena Combs at (407) 849-1569 or visit


By: Lena Combs, Partner – CPA, CGMA, RRP

WithumSmith+Brown, PC