Risk Management, Army Style

Are you a risk manager who is tired of reading hyper-technical, statistically dense manuals of corporate policies and procedures? Are you looking for a conceptually vivid and highly readable alternative?

You might be surprised to learn that the United States Army has just released such a text. Army Tactics, Techniques, and Procedures Publication # ATP 5-19 walks the reader through a wide variety of high-risk military scenarios, from: (a) leading troops in heavy vehicles over bridges in enemy-held territories (see Figure 3-4 on page 3-6), to (b) planning air assaults with attack helicopters and field artillery on insurgent forces that have seized airfields (see Figures 4-1 and 4-2 on pages 4-4 and 4-5).

The fundamental framework of the risk management function closely follows the COSO cube paradigm that defines the business world’s approach to the discipline. For example, each potential risk event is evaluated and assessed in terms of its probability / expected frequency and its severity / expected consequence (see Table 1-1 on page 1-7).

Nevertheless, there are some intriguing differences between the military model of risk management and its analogous business model. For instance, the business model posits that organizations should plan preventive control activities to reduce unacceptably large probabilities, and should plan crisis response activities to manage unacceptable levels of severity.

The Army framework, though, refers to “controls” collectively. It doesn’t differentiate between preventive controls and crisis response activities; instead, it simply refers to “controls and risk decisions” in a unified manner (see Figure 1-2 on page 1-4).

Why no distinction between prevention and responsiveness by the Army? It isn’t entirely clear why the Army adopts this approach, though it does distinguish between “deliberate” (i.e. long term, advance planning) and “real time” (i.e. immediate, time constrained) situations.

Although both situations are addressed in the manual, the vivid examples appear to call for more “real time” decisions, when it can be difficult to differentiate between preventive and responsive activities. Indeed, while crises are exploding around us, all we can do is make quick decisions and take immediate actions, while hoping for occasional opportunities to observe outcomes.

In any event, the Army manual provides a helpful illustrative guide for all risk management professionals. COSO itself has acknowledged public sentiment that its model is “overly theoretical … overly vague … (and) unnecessarily complicated … (producing a) need for more templates and tools to help with the implementation” of risk management. The Army’s ATP 5-19 publication certainly appears to heed the call for such tools.

The Newtown Shootings: A Risk Management Perspective

On December 14th at 9:30 am, after shooting and killing his own mother at home, a heavily armed resident of Newtown, Connecticut forced his way into the Sandy Hook Elementary School. He killed twenty young children and six adults before committing suicide.

The global news media, of course, voraciously covered the tragedy itself, as well as the ensuing police investigation … and the funeral processions … and school security policies … and gun laws … and the violence that is embedded in American culture. All of these topics were debated relentlessly by commentators, pundits, politicians, and celebrities.

Interestingly, though, the press dedicated relatively little coverage to the government’s initial response to the immediate needs of the families of the victims. Was this response an appropriate one?

Delivering The News

At 3:00 pm on that fateful day, more than five hours after the shooting incident occurred, some of the parents of the slain children were still waiting in ignorance for news about their fate. Were their children taken to a hospital? To a morgue? Or were they still missing and unaccounted for?

The Connecticut authorities knew that the children had been taken to the local morgue, but no one had yet conveyed the heartbreaking news to all of the parents. So Governor Dan Malloy decided to speak to the families himself.

Some people have subsequently criticized the Governor for using “cold and callous” language while performing that emotionally wrenching task. Others have commended him for making the humane decision to assume the grievous responsibility of informing parents of the murders of their children.

Lost in this debate, though, is the fact that qualified human service professionals are specially trained to perform such tasks during times of crisis. Why weren’t such professionals already on the scene, communicating with the parents, by the time that Governor Malloy made his fateful decision at 3:00 pm that day?

CISM Teams

For more than fifteen years, the National Association of Social Workers and the American Red Cross have maintained a partnership “to deliver mental health services to the victims of disaster, rescue workers, military personnel and their families, and refugees.” Specifically, the partnership involves the maintenance of “a national network of … trained, licensed, or certified social workers to be mobilized in times of disaster.”

Although the network can be mobilized for “natural disasters such as hurricanes, floods, tornadoes, (and) fires,” it is also explicitly available for “school shootings, bombings, and biochemical threats.” And the Red Cross has developed crisis-specific functions as well, such as Aviation Incident Response teams to address the unique circumstances of airplane crashes.

These Critical Incident Stress Management (CISM) teams are available to work with people who are affected by natural catastrophes and other crises. Are mass shootings in public places now occurring at a level of frequency that would necessitate the development of specialized Firearms Incident Response Teams across the nation?

Enterprise Risk Management

The discipline of enterprise risk management identifies two primary considerations regarding prospective future crises. One is the anticipated frequency of such events; the other is the anticipated harm or damage that the events might wreak on society.

The general process of risk management is a simple one. If a potential crisis is a priority because it may frequently occur in the future, then society should strengthen the preventive control activities that may reduce its intolerably high frequency. Gun control laws might be strengthened, for instance, to reduce the future frequency of mass shootings.

However, if a prospective crisis is a priority because it may cause great harm or damage in the future, even though it may not occur frequently at all, then society should strengthen the crisis response activities that contain and minimize the harm. An Incident Response Team might represent one such response strategy.

Although any single mass shooting is indeed “one too many,” such incidents (thankfully) remain statistically rare events. New York City Police Commissioner Ray Kelly, for instance, has stated that he has “never seen anything” like the Newtown tragedy. A risk management analysis may thus conclude with a recommendation for the development of such Incident Response Teams.

Prevention vs. Response

Many individuals are now focusing on new strategies for preventing school shootings in the future. California Senator Dianne Feinstein, for instance, is introducing new gun control legislation to ban certain weapons from society. Conversely, Wayne LaPierre of the National Rifle Association is proposing to increase the prevalence of such weapons by stationing armed guards in every school building in the United States.

Thus, on the one hand, there appears to be widespread agreement about the desirability of enhancing prevention activities. And yet, on the other hand, there is little or no agreement about the specific activities that should be implemented to achieve this goal.

The strengthening of the crisis response function would admittedly do nothing to prevent the recurrence of such tragedies. Nevertheless, it may indeed ensure that victims and their families, as well as first responders and other citizens who are directly affected by such events, are treated in a more humane manner during times of crisis.

Thinking Ahead: BP’s Risk Management Challenge

Environmentalists, oceanographers, and commercial fishermen were deeply worried this past week about an ominous side effect of BP’s chemical dispersal strategy to manage its catastrophic oil spill. Apparently, although the chemicals are helpfully dispersing the crude oil over a wide geographic area so that it can be more easily devoured by microbial bacteria, they inadvertently pose a threat to coral reefs and other undersea life.

Furthermore, although concentrated masses of bacteria are indeed digesting the crude oil, they are also draining the Gulf waters of the oxygen that is required to support undersea life. And the oil spill itself is apparently spreading eastward, where it threatens to enter the Loop and Gulf Stream Currents on a path around Florida and up the eastern coastline of the United States.

Fingers of blame are now being pointed among BP and its subcontractors Transocean and Halliburton. But is BP truly negligent for failing to implement an effective system of enterprise risk management?

A Simple Model

Enterprise risk management, as defined by accountants, engineers, and actuaries, relies on a fundamentally simple model of analysis and action. Competent risk managers must begin by defining and listing potential catastrophes before they occur and inflict any damage. Then they must prioritize each catastrophic scenario on the basis of: (a) its probability of occurrence and (b) its potential damage level. Finally, they must take action to implement preventive internal control systems that reduce intolerably high probabilities of occurrence, as well as crisis response systems that reduce unacceptably high potential damage levels.

But what should energy firms do with production sites that are so risky that such systems cannot possibly reduce probabilities of occurrence and potential damage levels to tolerable standards? In that case, the only rational plan of action is to simply walk away from the energy fields. In fact, this is why the United States has decided against relying more heavily on its estimated 100 to 250 year domestic supply of coal to serve its energy needs; it has determined that the environmental damage that would be generated by such a strategy simply cannot be managed in a prudent manner.

In the case of the Gulf oil spill, though, where did BP go wrong? Did it fail to implement any control systems at all, which would indicate that it managed its operations in a grossly negligent manner? Or, as Kentucky Senatorial candidate Rand Paul speculated last week, did BP take reasonable actions to manage this risk and simply fall victim to random chance?

Accidents Happen

Last week, Rand Paul tersely declared that “accidents happen” and then vigorously defended BP’s business practices. And Paul’s perspective is indeed worthy of consideration; BP has been known, for instance, to stage global simulation exercises that require its managers in training to address critical challenges and make difficult decisions in virtual reality settings.

BP has also installed anti-spill switches on its at-risk equipment in the Gulf of Mexico, although the blowout preventer switch on the damaged field that caused the current spill failed to respond to activation commands. BP has also attempted to activate this switch with technologically advanced remote control submarines, although these efforts did not prove successful.

Nevertheless, BP has indeed performed the requisite analyses to identify and implement these risk management activities. Its manager training sessions, in fact, represent valuable primary crisis response capabilities, and its switch technologies likewise represent primary preventive control activities. But if this is true, then why hasn’t BP been able to control and contain the catastrophic Gulf spill, one that now threatens the entire Eastern coastline of the United States?

Thinking Ahead

The most successful Masters of the game of Chess share a specific critical skill: they are capable of thinking many moves ahead at any given time during a match. In fact, one reason why IBM’s Deep Blue computer program can now defeat the world’s finest Chess Masters is that software algorithms can assess and compare multiple potential future scenarios far more quickly than human minds.

BP, though, may have only planned its risk management strategy a mere two moves beyond its initial catastrophic spill. What should it do if crude oil begins to pour into the Gulf? Activate the preventer switch on the defective equipment. And what if the switch itself fails to halt the spill of oil into the sea? Disperse the spill with chemicals and allow bacteria to do nature’s work.

But what if the monstrous size of the spill itself, as well as the intense toxicity of the dispersal chemicals, threatens the entire environmental ecosystem of the Gulf and the Western Atlantic? That scenario requires a tertiary level of analysis, one that obviously has not been completed in advance by BP’s management team. And that’s why BP’s current array of ad hoc tertiary responses, ranging from the Top Hat to the Junk Shot, has exposed the firm to such withering attacks from so many different sources.