Are you a risk manager who is tired of reading hyper-technical, statistically dense manuals of corporate policies and procedures? Are you looking for a conceptually vivid and highly readable alternative?
You might be surprised to learn that the United States Army has just released such a text. Army Tactics, Techniques, and Procedures Publication # ATP 5-19 walks the reader through a wide variety of high risk military scenarios, from: (a) leading troops in heavy vehicles over bridges in enemy held territories (see Figure 3-4 on page 3-6), to (b) planning air assaults with attack helicopters and field artillery on insurgent forces that have seized airfields (see Figures 4-1 and 4-2 on pages 4-4 and 4-5).
The fundamental framework of the risk management function closely follows the COSO cube paradigm that defines the business world’s approach to the discipline. For example, each potential risk event is evaluated and assessed in terms of its probability / expected frequency and its severity / expected consequence (see Table 1-1 on page 1-7).
Nevertheless, there are some intriguing differences between the military model of risk management and its analogous business model. For instance, the business model posits that organizations should plan preventive control activities to reduce unacceptably large probabilities, and should plan crisis response activities to manage unacceptable levels of severity.
The Army framework, though, refers to “controls” in a collective manner (see Figure 1-2 on page 1-4). It doesn’t differentiate between preventive controls and crisis response activities; instead, it simply refers to “controls and risk decisions” in a unified manner (see Figure 1-2 on page 1-4).
Why no distinction between prevention and responsiveness by the Army? It isn’t entirely clear why the Army adopts this approach, though it does distinguish between “deliberate” (i.e. long term, advance planning) and “real time” (i.e. immediate, time constrained) situations.
Although both situations are addressed in the manual, the vivid examples appear to call for more “real time” decisions, when it can be difficult to differentiate between preventive and responsive activities. Indeed, while crises are exploding around us, all we can do is make quick decisions and take immediate actions, while hoping for occasional opportunities to observe outcomes.
In any event, the Army manual provides a helpful illustrative guide for all risk management professionals. COSO itself has acknowledged public sentiment that its model is “overly theoretical … overly vague … (and) unnecessarily complicated … (producing a) need for more templates and tools to help with the implementation” of risk management. The Army’s ATP 5-19 publication certainly appears to heed the call for such tools.