Dustin K MacDonald

Menu
  • Home
  • About
  • Economic and Community Development
  • Nonprofit Management
    • Counselling and Service Delivery
    • Suicide Prevention / Crisis Intervention
  • Politics and Governance
  • Math and Statistics
  • Salesforce
Menu

Introduction to Risk Management

Posted on July 20, 2017November 23, 2019 by Dustin

Risk Management is an important element of any organization. The US military has written a lot about risk management and we can take these lessons and apply them to nonprofit organizations or other companies.

As JP 3-0 Joint Operations defines it, “Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits.”

Risk management is a skill that is useful in virtually every profession. The basic element of risk management is to identify situations that will lead to negative outcomes and putting in place strategies to mitigate or at least be aware of them.

Risk Management is a component in insurance (the risk of death from illness or reckless behaviour), psychotherapy (risk of suicide or homicide), self-defense (the risk that you’ll be attacked) and of course military and intelligence operations (the risk of military or civilian casualties, or sensitive political issues.)

Table of Contents

Risk Management Process

There is a simple risk management process suggested by ATP 5-19 Risk Management. It contains five steps:

  1. Identify hazards
  2. Assess hazards
  3. Develop controls and make risk decisions
  4. Implement controls
  5. Supervise and evaluate

Most risk management elements occur during the planning before an activity, however tactical risk management during an operation may become necessary to mitigate additional danger. After an operation or activity, an After Action Review (AAR) can help to further the risk process by examining what went right and what went wrong.

Principles of Risk Management

The four principles of risk management are:

  • Integrate risk management into all phases of missions and operations.
  • Make risk decisions at the appropriate level.
  • Accept no unnecessary risk.
  • Apply risk management cyclically and continuously.

These are reviewed below with a view of applying them to a one-man or small team intelligence operation rather than a large corporation or bureaucracy like the military.

Integrate risk management into all phases of missions and operations

It’s important to apply risk management to each activity you do, whether training or an actual operation. A failure to consistently apply risk management analysis will cause your skills to weaken and make future activities riskier simply by virtue of you forgetting previous lessons and avoiding obvious fixes.

Make risk decisions at the appropriate level

Decisions around risk tolerance, the level of risk the commander is willing to take are normally made at high echelons in a military bureaucracy; in a small team this may be made by one individual who might also be the individual making the decision.

In order to keep risk within the chosen risk tolerance, the use of “controls” will be employed. This includes policies and procedures (such as range safety rules) and also specific operational rules (such as not engaging with civilians while in a foreign land.)

Accept no unnecessary risk

Unnecessary risks are those that do not contribute to the mission success, or unnecessarily risk lives or resources. Benefit must be weighed against potential losses carefully.

Apply risk management cyclically and continuously

In order to get the best value out of risk management it must always be applied in a given activity or environment and the steps of the risk management process as identified earlier must be carried out. Performing only part of the risk management process or only performing it once or rarely will lead to unnecessary risk.

Types of Risk Management

ATP 5-19 identifies two types of risk management: deliberate risk management and real-time risk management. Deliberate risk management is performed analytically and systematically in order to identify risks and determine responses.

Real-time risk management follows the same five step process but is performed more “on the fly.” Rather than performing a comprehensive review, only the most immediate risks will be examined and controlled.

Performing Risk Management

Identify Hazards

JP 3-33 Joint Task Force Headquarters defines a hazard as “a condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation.” There exists risk wherever individuals perform missions, training, or other activities.

Identifying hazards can be accomplished by examining each sub-task involved in carrying out an activity and what error paths or alternative scenarios to the proper flow for each activity would look like. ATP 5-19 also explores the idea of an accident-loss scenario.

An accident-loss scenario has a source, mechanism and outcome that interact to produce a hazard.

The source or cause is a condition (such as a wet roadway) that is a prerequisite to a mishap. The mechanism, or effect, is how the source manifests itself (such as by a vehicle hydroplaning). The outcome, or undesired event, is the result of the mechanism occurring due to the source being present (such as the vehicle leaving the roadway and striking a tree).

Following hazards back to their original source is important. Someone tripping is not a hazard on its own, but the item that they trip on (such as an object left in an walkway) represents the original source. Although you might intervention to increase the safety of someone tripping (e.g. with knee pads) this would be an ineffective intervention when compared to the source of the hazard (e.g. moving the object out of the walkway.) Although this example was chosen for  its absurdity the principle applies regardless.

Assess Hazards

Assessment of hazards involves examining what potential realities could result from the identified hazards. For example, wet roadways could result in car accidents, pedestrian falls and other harmful events.

At this stage it may be helpful to plot situations on a probability-impact matrix. This is a table or scatter plot that examines the probability of an event happening and its impact.

ATP 5-19 defines probability as “the likelihood an event will occur; it is assessed as frequent, likely, occasional, seldom, or unlikely” while severity is “the expected consequences of an event in terms of injury, property damage, or other mission-impairing factors” and is assessed as “catastrophic, critical, moderate, or negligible.”

Levels of Probability

There are specific levels of probability and severity so that individuals will always report it consistently. The four levels of probability are:

  • Frequent (A) A hazard’s probability is defined as Frequent if it is likely to occur at least once in 500 exposures (e.g. during an activity where the hazard is present.)
  • Likely (B) A hazard’s probability is defined as Likely if it is likely to occur at least once in 1000 exposures.
  • Occasional (C) An occasional event happens sporadically but not frequently or unfrequently; it is difficult to assess but may occur once in 12 or 24 months of normal operations.
  • Seldom (D) An event is defined as seldom when it rarely occurs but could, often as a result of several things going wrong at once. Situations resulting in death often qualify as Seldom or Unlikely (see below.)
  • Unlikely (E) An unlikely event is possible but highly improbable. There must be some error flow where the event does occur.

Levels of Severity

The four levels of severity (how much the hazard would affect operations) from ATP 5-19 are:

  • Catastrophic (I) Severity is estimated as catastrophic when consequences of an event, if it occurs, are expected to include death, unacceptable loss or damage, mission failure, or the loss of unit readiness
  • Critical (II) Severity is estimated as critical if the consequences of an event, if it occurs, are expected to include severe injury, illness, loss, or damage; significantly degraded unit readiness; or significantly degraded mission capability
  • Moderate (III) Severity is estimated as moderate if the consequences of an event, if it occurs, are expected to include minor injury, illness, loss, or damage; degraded unit readiness; or degraded mission capability
  • Negligible (IV) Severity is estimated as negligible if the consequences of an event are expected to include minimal injury, loss, or damage; little or no impact to unit readiness; or little or no impact to mission capability

Example

For instance, a car crash may have an occasional level of probability when performing vehicle operations at high speed, while death of a civilian might be assessed as unlikely in an intelligence collection mission. The impact of the car crash is critical while the death of the civilian might be assed as catastrophic. Both eventualities should be explored with the goal of identifying controls (such as having an exit plan if confronted by an individual.)

Risk Assessment Matrix

The below matrix is used to combine the estimated probability and severity to develop a risk level which ranks Extremely High (EH), H (High Risk), M (Medium Risk) and L (Low Risk):

Develop Controls and Make Risk Decisions

Following a comprehensive assessment of the hazards, it is important to develop controls that will eliminate/remove the hazard where possible, or mitigate its effects. Most controls fall into three categories:

  • Educational
  • Physical
  • Hazard Elimination

Educational controls refers to knowledge, skills and training that increases awareness of hazards and how to deal with them. Workplace Hazardous Materials Information Systems (WHMIS) training is an example of an educational control to mitigate the hazard posed by working with dangerous chemicals.

Physical controls are barriers, guards, signs and other elements that help mitigate the impact of a hazard.

Hazard elimination refers to actions that mitigate or eliminate the hazard. These can be engineering-related, administrative, or personal (such as Personal Protective Equipment [PPE]).

Engineering refers to elements at the source such as ensuring a road is designed with sidewalks. Administrative include changes in procedures that reduce hazards such as restricting walking on roads after dark or requiring use of reflective vests for pedestrians.

Finally, PPE limits exposure to chemical exposure, while other personal methods may include attempts to avoid the hazard entirely.

Criteria for Effective Controls

Criteria Descriptions
Feasibility The unit has the capability to implement the control.
Acceptability The benefit gained by implementing the control justifies the cost in resources and time. The assessment of acceptability is largely subjective. Past experience, the commander’s guidance, or other external restrictions influence the assessment.
Suitability The control removes the hazard or mitigates (reduces) the residual risk to an acceptable level (determined by the responsible individual).
Support Adequate personnel, equipment, supplies, and facilities necessary to implement the control are available.
Explicitness The control clearly specifies who, what, where, when, why, and how each control will be used.
Standards Guidance and procedures for implementing the control are clear, practical, and specific.
Training Knowledge and skills of personnel are adequate to implement the control.
Leadership Army leaders are ready, willing, and able to enforce standards necessary to implement the control
The individual Individual personnel are sufficiently self-disciplined and capable of implementing the control.

Once controls have been identified, the residual risk should be calculated using the Risk Assessment Matrix. This is part of the continuous risk assessment and management process.

Implement Controls

Implementing controls describes the process of actually mitigating the hazards in question. Usually this will be done before the mission, operation or activity begins.

Supervise and Evaluate

Finally, the last set of the risk management process involves  supervising the implementation of the controls as discussed above, followed by tweaks. In a small group operation this will be best achieved with an After Action Review (AAR).

In an After Action Review, following the completion of an activity, near-misses are discussed and analyzed in order to identify changes to make. Regular training and practicing, as well as a high degree of discipline helps reduce the impact of hazards.

Documentation

The US Army recommends use of DD Form 2977 Deliberate Risk Assessment Worksheet in order to document the risk assessment process.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Privacy Policy

See here for our privacy policy. This site uses affiliate links and Adsense ads to provide targeted advertising.

Tags

analytical technique assessment city council communication community development counselling crisis chat crisis intervention data science eastern university economic development education empathy evaluation forecasting fundraising governance humint intelligence intelligence analysis keokuk county language learning legal local government management peer support personal development politics professional development protective factors psychosocial risk factors safety planning salesforce sigourney social media statistics suicide suicide assessment suicide risk assessment technology terrorism training violence risk assessment youth

Recommended Posts

  • Conducting Psychosocial Assessments
  • DCIB Model of Suicide Risk Assessment
  • ABC Model of Crisis Intervention
  • My Friend is Suicidal - What do I do?

Recent Posts

  • ITS834 Emerging Threats and Countermeasures
  • Salesforce Flow that autonames records
  • Salesforce formula that calculates age
  • Earning the Project Management Professional (PMP)
  • ITS831 Information Technology Importance in Strategic Planning

Archives

  • September 2023 (3)
  • August 2023 (1)
  • July 2023 (1)
  • May 2023 (1)
  • March 2023 (1)
  • February 2023 (2)
  • January 2023 (4)
  • December 2022 (2)
  • May 2022 (1)
  • April 2022 (2)
  • March 2022 (1)
  • February 2022 (1)
  • December 2021 (1)
  • October 2021 (1)
  • August 2021 (2)
  • May 2021 (3)
  • December 2020 (1)
  • November 2020 (4)
  • July 2020 (1)
  • June 2020 (1)
  • April 2020 (1)
  • March 2020 (4)
  • February 2020 (7)
  • January 2020 (1)
  • November 2019 (1)
  • October 2019 (2)
  • September 2019 (4)
  • August 2019 (2)
  • March 2019 (1)
  • February 2019 (1)
  • January 2019 (1)
  • December 2018 (4)
  • November 2018 (3)
  • October 2018 (3)
  • September 2018 (19)
  • October 2017 (2)
  • September 2017 (2)
  • August 2017 (1)
  • July 2017 (39)
  • May 2017 (3)
  • April 2017 (4)
  • March 2017 (4)
  • February 2017 (4)
  • January 2017 (5)
  • December 2016 (4)
  • November 2016 (4)
  • October 2016 (5)
  • September 2016 (4)
  • August 2016 (5)
  • July 2016 (5)
  • June 2016 (5)
  • May 2016 (3)
  • April 2016 (2)
  • March 2016 (2)
  • February 2016 (2)
  • January 2016 (4)
  • December 2015 (2)
  • November 2015 (2)
  • October 2015 (2)
  • September 2015 (2)
  • August 2015 (1)
  • June 2015 (2)
  • May 2015 (5)
  • April 2015 (3)
  • March 2015 (8)
  • February 2015 (12)
  • January 2015 (28)

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

  • ITS834 Emerging Threats and Countermeasures. - Dustin K MacDonald on University of the Cumberlands PhD in Information Technology
  • Earning the Project Management Professional (PMP) - Dustin K MacDonald on University of the Cumberlands PhD in Information Technology
  • Dustin on How I Got a Book Contract
  • Ananth on How I Got a Book Contract
  • Aly on Improving Your Helpline Work

Tags

analytical technique assessment city council communication community development counselling crisis chat crisis intervention data science eastern university economic development education empathy evaluation forecasting fundraising governance humint intelligence intelligence analysis keokuk county language learning legal local government management peer support personal development politics professional development protective factors psychosocial risk factors safety planning salesforce sigourney social media statistics suicide suicide assessment suicide risk assessment technology terrorism training violence risk assessment youth
© 2023 Dustin K MacDonald | Powered by Minimalist Blog WordPress Theme