Risk Management is an important element of any organization. The US military has written a lot about risk management and we can take these lessons and apply them to nonprofit organizations or other companies.
As JP 3-0 Joint Operations defines it, “Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits.”
Risk management is a skill that is useful in virtually every profession. The basic element of risk management is to identify situations that will lead to negative outcomes and putting in place strategies to mitigate or at least be aware of them.
Risk Management is a component in insurance (the risk of death from illness or reckless behaviour), psychotherapy (risk of suicide or homicide), self-defense (the risk that you’ll be attacked) and of course military and intelligence operations (the risk of military or civilian casualties, or sensitive political issues.)
Table of Contents
Risk Management Process
There is a simple risk management process suggested by ATP 5-19 Risk Management. It contains five steps:
- Identify hazards
- Assess hazards
- Develop controls and make risk decisions
- Implement controls
- Supervise and evaluate
Most risk management elements occur during the planning before an activity, however tactical risk management during an operation may become necessary to mitigate additional danger. After an operation or activity, an After Action Review (AAR) can help to further the risk process by examining what went right and what went wrong.
Principles of Risk Management
The four principles of risk management are:
- Integrate risk management into all phases of missions and operations.
- Make risk decisions at the appropriate level.
- Accept no unnecessary risk.
- Apply risk management cyclically and continuously.
These are reviewed below with a view of applying them to a one-man or small team intelligence operation rather than a large corporation or bureaucracy like the military.
Integrate risk management into all phases of missions and operations
It’s important to apply risk management to each activity you do, whether training or an actual operation. A failure to consistently apply risk management analysis will cause your skills to weaken and make future activities riskier simply by virtue of you forgetting previous lessons and avoiding obvious fixes.
Make risk decisions at the appropriate level
Decisions around risk tolerance, the level of risk the commander is willing to take are normally made at high echelons in a military bureaucracy; in a small team this may be made by one individual who might also be the individual making the decision.
In order to keep risk within the chosen risk tolerance, the use of “controls” will be employed. This includes policies and procedures (such as range safety rules) and also specific operational rules (such as not engaging with civilians while in a foreign land.)
Accept no unnecessary risk
Unnecessary risks are those that do not contribute to the mission success, or unnecessarily risk lives or resources. Benefit must be weighed against potential losses carefully.
Apply risk management cyclically and continuously
In order to get the best value out of risk management it must always be applied in a given activity or environment and the steps of the risk management process as identified earlier must be carried out. Performing only part of the risk management process or only performing it once or rarely will lead to unnecessary risk.
Types of Risk Management
ATP 5-19 identifies two types of risk management: deliberate risk management and real-time risk management. Deliberate risk management is performed analytically and systematically in order to identify risks and determine responses.
Real-time risk management follows the same five step process but is performed more “on the fly.” Rather than performing a comprehensive review, only the most immediate risks will be examined and controlled.
Performing Risk Management
JP 3-33 Joint Task Force Headquarters defines a hazard as “a condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation.” There exists risk wherever individuals perform missions, training, or other activities.
Identifying hazards can be accomplished by examining each sub-task involved in carrying out an activity and what error paths or alternative scenarios to the proper flow for each activity would look like. ATP 5-19 also explores the idea of an accident-loss scenario.
An accident-loss scenario has a source, mechanism and outcome that interact to produce a hazard.
The source or cause is a condition (such as a wet roadway) that is a prerequisite to a mishap. The mechanism, or effect, is how the source manifests itself (such as by a vehicle hydroplaning). The outcome, or undesired event, is the result of the mechanism occurring due to the source being present (such as the vehicle leaving the roadway and striking a tree).
Following hazards back to their original source is important. Someone tripping is not a hazard on its own, but the item that they trip on (such as an object left in an walkway) represents the original source. Although you might intervention to increase the safety of someone tripping (e.g. with knee pads) this would be an ineffective intervention when compared to the source of the hazard (e.g. moving the object out of the walkway.) Although this example was chosen for its absurdity the principle applies regardless.
Assessment of hazards involves examining what potential realities could result from the identified hazards. For example, wet roadways could result in car accidents, pedestrian falls and other harmful events.
At this stage it may be helpful to plot situations on a probability-impact matrix. This is a table or scatter plot that examines the probability of an event happening and its impact.
ATP 5-19 defines probability as “the likelihood an event will occur; it is assessed as frequent, likely, occasional, seldom, or unlikely” while severity is “the expected consequences of an event in terms of injury, property damage, or other mission-impairing factors” and is assessed as “catastrophic, critical, moderate, or negligible.”
Levels of Probability
There are specific levels of probability and severity so that individuals will always report it consistently. The four levels of probability are:
- Frequent (A) A hazard’s probability is defined as Frequent if it is likely to occur at least once in 500 exposures (e.g. during an activity where the hazard is present.)
- Likely (B) A hazard’s probability is defined as Likely if it is likely to occur at least once in 1000 exposures.
- Occasional (C) An occasional event happens sporadically but not frequently or unfrequently; it is difficult to assess but may occur once in 12 or 24 months of normal operations.
- Seldom (D) An event is defined as seldom when it rarely occurs but could, often as a result of several things going wrong at once. Situations resulting in death often qualify as Seldom or Unlikely (see below.)
- Unlikely (E) An unlikely event is possible but highly improbable. There must be some error flow where the event does occur.
Levels of Severity
The four levels of severity (how much the hazard would affect operations) from ATP 5-19 are:
- Catastrophic (I) Severity is estimated as catastrophic when consequences of an event, if it occurs, are expected to include death, unacceptable loss or damage, mission failure, or the loss of unit readiness
- Critical (II) Severity is estimated as critical if the consequences of an event, if it occurs, are expected to include severe injury, illness, loss, or damage; significantly degraded unit readiness; or significantly degraded mission capability
- Moderate (III) Severity is estimated as moderate if the consequences of an event, if it occurs, are expected to include minor injury, illness, loss, or damage; degraded unit readiness; or degraded mission capability
- Negligible (IV) Severity is estimated as negligible if the consequences of an event are expected to include minimal injury, loss, or damage; little or no impact to unit readiness; or little or no impact to mission capability
For instance, a car crash may have an occasional level of probability when performing vehicle operations at high speed, while death of a civilian might be assessed as unlikely in an intelligence collection mission. The impact of the car crash is critical while the death of the civilian might be assed as catastrophic. Both eventualities should be explored with the goal of identifying controls (such as having an exit plan if confronted by an individual.)
Risk Assessment Matrix
The below matrix is used to combine the estimated probability and severity to develop a risk level which ranks Extremely High (EH), H (High Risk), M (Medium Risk) and L (Low Risk):
Develop Controls and Make Risk Decisions
Following a comprehensive assessment of the hazards, it is important to develop controls that will eliminate/remove the hazard where possible, or mitigate its effects. Most controls fall into three categories:
- Hazard Elimination
Educational controls refers to knowledge, skills and training that increases awareness of hazards and how to deal with them. Workplace Hazardous Materials Information Systems (WHMIS) training is an example of an educational control to mitigate the hazard posed by working with dangerous chemicals.
Physical controls are barriers, guards, signs and other elements that help mitigate the impact of a hazard.
Hazard elimination refers to actions that mitigate or eliminate the hazard. These can be engineering-related, administrative, or personal (such as Personal Protective Equipment [PPE]).
Engineering refers to elements at the source such as ensuring a road is designed with sidewalks. Administrative include changes in procedures that reduce hazards such as restricting walking on roads after dark or requiring use of reflective vests for pedestrians.
Finally, PPE limits exposure to chemical exposure, while other personal methods may include attempts to avoid the hazard entirely.
Criteria for Effective Controls
|Feasibility||The unit has the capability to implement the control.|
|Acceptability||The benefit gained by implementing the control justifies the cost in resources and time. The assessment of acceptability is largely subjective. Past experience, the commander’s guidance, or other external restrictions influence the assessment.|
|Suitability||The control removes the hazard or mitigates (reduces) the residual risk to an acceptable level (determined by the responsible individual).|
|Support||Adequate personnel, equipment, supplies, and facilities necessary to implement the control are available.|
|Explicitness||The control clearly specifies who, what, where, when, why, and how each control will be used.|
|Standards||Guidance and procedures for implementing the control are clear, practical, and specific.|
|Training||Knowledge and skills of personnel are adequate to implement the control.|
|Leadership||Army leaders are ready, willing, and able to enforce standards necessary to implement the control|
|The individual||Individual personnel are sufficiently self-disciplined and capable of implementing the control.|
Once controls have been identified, the residual risk should be calculated using the Risk Assessment Matrix. This is part of the continuous risk assessment and management process.
Implementing controls describes the process of actually mitigating the hazards in question. Usually this will be done before the mission, operation or activity begins.
Supervise and Evaluate
Finally, the last set of the risk management process involves supervising the implementation of the controls as discussed above, followed by tweaks. In a small group operation this will be best achieved with an After Action Review (AAR).
In an After Action Review, following the completion of an activity, near-misses are discussed and analyzed in order to identify changes to make. Regular training and practicing, as well as a high degree of discipline helps reduce the impact of hazards.
The US Army recommends use of DD Form 2977 Deliberate Risk Assessment Worksheet in order to document the risk assessment process.