Composite Risk Management.pdf - UNC Charlotte Army ROTC

114 ■ SECTION 1The next time you see something that just doesn’t look right, take a moment,and ask yourself how this might impact you, or the Soldier next to you, or yourunit, or the family of four who might be driving down the road as your convoyapproaches. Safety is not a sometimes thing, and your actions don’t just affectyou. Exercise the courage to tell the truth about the hazards, and to face thepotential consequences. That way, you and your unit can avoid thoseconsequences.Army Safety Center WebsiteCritical ThinkingeDiscuss how you would assess and manage the risks described in the vignetteabove.risk managementthe process ofidentifying, assessing,and controlling risksarising from operationalfactors and makingdecisions that balancerisk costs with missionbenefitsriskprobability and severityof loss linked to hazardsRisk managementformulates balancedcontrols to eliminateor mitigate missionhazards.The Composite Risk Management ProcessComposite risk management (CRM) is the Army’s primary decision making process foridentifying hazards and controlling risks across the full spectrum of Army missions,functions, operations, and activities. (See Figure 1.1.)CRM is a decision making process used to mitigate risks associated with all hazardsthat have the potential to injure or kill personnel, damage or destroy equipment, orotherwise impact mission effectiveness. In the past, the Army separated risk into twocategories, tactical risk and accident risk. While these two areas of concern remain, theprimary premise of CRM is that it does not matter where or how the loss occurs, theresult is the same—decreased combat power or mission effectiveness.The Guiding PrinciplesThe guiding principles of CRM are as follows:• Integrate CRM into all phases of missions and operations• Make risk decisions at the appropriate level• Accept no unnecessary risk• Apply the process cyclically and continuously• Do not be risk averse.CRM is a five-step process:Step 1 – Identify hazardsStep 2 – Assess hazards to determine riskStep 3 – Develop controls and make risk decisionsStep 4 – Implement controlsStep 5 – Supervise and evaluate.

118 ■ SECTION 1TABLE 1.1continuedUnlikely (E)Single itemFleet orinventoryof itemsIndividualSoldierAll SoldiersexposedCan assume will not occur, but not impossibleOccurrence not impossible, but can assume will almost neveroccur in service life. Can assume will not occur during a specificmission or operation.Occurs very rarely (almost never or improbable). Incidents mayoccur over service life.Occurrence not impossible, but may assume will not occurin career or during a specific mission or operation.Occurs very rarely, but not impossible.Step 2 – Assess the HazardsAssess the hazards systematically using charts, codes, and numbers. These give you a wayto assess probability and severity and thus obtain a standardized level of risk. The fivestepCRM process is a method for expressing and depicting a normally intuitive andexperience-based thought process. The risk management process is a disciplined applicationof five steps to obtain and express a risk level in terms that all levels of command readilyunderstand. The methodology assesses and assigns risk in terms of how likely and howsevere the adverse impact of an event or occurrence would be. This step considers the riskor likelihood of an event or incident adversely affecting the mission, capabilities, people,equipment, or property. In other words, what are the odds (probability) of something goingwrong and what is the effect (severity) of the incident if it does occur?You assess hazards and associated risks during the mission analysis, COA development,analysis, and rehearsal and execution steps of the MDMP. You also consider both missionandnon-mission-related aspects that may have an impact. The result of this assessmentis an initial risk estimate for each identified hazard expressed as extremely high, high,moderate, or low as determined from your standardized application of the risk assessmentmatrix.This step has three sub-steps:1. Assess the probability of the event or occurrence2. Estimate the expected result or severity of an event or occurrence3. Determine the specified level of risk for a given probability and severity using thestandard risk assessment matrix.Assess Each Hazard on the Probability of the Event or OccurrenceProbability is the likelihood of an event. This is your estimate, given the information youknow and what others have experienced. The probability levels that you estimate for eachhazard are based on the mission, COA, or frequency of a similar event. For the purposeof CRM, there are five levels of probability—frequent, likely, occasional, seldom, andunlikely (see Table 1.1):

Composite Risk Management ■ 119Frequent – Occurs very often, known to happen regularlyLikely – Occurs several times, a common occurrenceOccasional – Occurs sporadically, but is not uncommonSeldom – Remotely possible, could occur at some timeUnlikely – Can assume will not occur, but not impossible.Estimate the Expected Result or Severity of an OccurrenceSeverity is the degree to which an incident will affect combat power, mission capability, orreadiness. You use the following four levels on the risk assessment worksheet to express thedegree of severity:1. Catastrophic2. Critical3. Marginal4. NegligibleDetermine Specified Level of RiskUsing the standard risk assessment matrix in Figure 1.3, you convert probability and severityfor each identified hazard into a specified level of risk. This matrix provides an assessmentof probability and severity expressed as a standard level of risk.This assessment is an estimate, not an absolute. It may or may not indicate the relativedanger of a given operation, activity, or event. The levels of risk are listed in the lower leftcorner of the matrix. You must make sure the appropriate level of command approves allaccepted residual risk.Extremely High Risk – You won’t be able to accomplish the mission if hazardsoccur.High Risk – Significant degradation of mission capabilities: you won’t be able toaccomplish all parts of the mission, or you won’t be able to complete themission to standard if hazards occur during the mission.Moderate Risk – Expected degraded mission capabilities: you won’t be able to meetthe required mission standard and will have more difficulty completing themission capability if hazards occur.Low Risk – Expected losses will have little or no impact on your ability to accomplishthe mission.Determining overallmission risk byaveraging the risks of allhazards is not valid. Ifone hazard has highrisk, the mission’s overallresidual risk is high, nomatter how manymoderate- or low-riskhazards are present.Figure 1.3Risk Assessment Matrix

120 ■ SECTION 1Critical ThinkingeThink of a situation in your ROTC training that involves risk of injury. Using thethree-part process of assessing hazards, estimate the risk of this situation.Step 3 – Develop Controls and Make Risk Decisionscontrolsactions taken toeliminate hazards or toreduce their riskIn Step 2, you assessed hazards and determined an initial risk level. In this step, you developand apply controls, then reassess the hazard to determine a residual risk. Continue theprocess of developing and applying controls and reassessing risk until you achieve anacceptable level of risk or until you can reduce all risks to a level where benefits outweighthe potential cost. You accomplish this step during the course of action (COA) development,COA analysis, COA comparison, and COA approval of the MDMP.Develop ControlsAfter assessing each hazard, you develop one or more controls that either eliminate thehazard or reduce the risk (probability and/or severity) of a hazardous incident occurring.In developing controls, consider the reason for the hazard, not just the hazard itself.Controls can take many forms, but normally fall into one of three basic categories:1. Educational (awareness) controls2. Physical controls3. Avoidance/Elimination.Find Control MeasuresOther sources for selecting controls include:• personal experience• after action reports (AARs)• accident data from automated risk management systems available through theUnited States Army Combat Readiness Center (USACRC)• standing operating procedures (SOPs)• regulations• tactics, techniques, and procedures (TTPs)• lessons learned from similar past operations.CRM worksheets from previously executed missions provide another source for selectingcontrols. The key to effective control measures is that they reduce the effect of, or eliminate,the identified hazard.Reassess RiskWith controls applied, you reassess risk to determine the residual risk associated witheach hazard, as well as the overall residual risk for the mission. Continue the process ofdeveloping and applying controls and reassessing risk until you achieve an acceptable levelof risk or until all risks are reduced to a level where benefits outweigh potential cost.Residual risk is the risk remaining after you select controls for the specific hazard.Residual risk is valid only if you have implemented the identified controls. As you identify

Composite Risk Management ■ 121and select controls for hazards, reassess the hazards as in Step 2. Then revise the level of risk.Available controls may not be sufficient to warrant lowering the risk level of a given hazard.Determine overall residual risk by considering the residual risks for all of the identifiedhazards. The residual risk for each hazard may be different, depending on the probabilityyou assess and the severity of the hazardous incident. You determine overall residual riskbased on the greatest residual risk of all the identified hazards. The overall residual risk ofthe mission will be equal to or higher than the highest identified residual risk.Consider the number and type of hazards present. In some cases you may determinethat the overall residual risk is higher than any one hazard. This is based on a number oflower-risk hazards if they present a greater hazard in combination. For example, a missionrisk assessment may result in moderate residual risk for all identified hazards. However,based on the complexity of required controls and the potential interaction of all hazards,you may determine that the mission’s residual risk is high.Make Risk DecisionsThe purpose of the CRM process is to provide you a basis for making sound decisionsregarding individual and leadership risk. A key element of the risk decision is determiningthe acceptable level of risk. You do this by balancing risk or potential loss againstexpectations or expected gains. Risk decisions must always be made at the appropriate levelof command or leadership based on the level of risk involved.Step 4 – Implement ControlsYou must ensure that controls are integrated into SOPs, written and verbal orders, missionbriefings, and staff estimates. The critical check for this step is to ensure that controls areconverted into clear and simple execution orders. Implementing controls includescoordinating and communicating with the following:• Appropriate superior, adjacent, and subordinate units, organizations, andindividuals• Logistics Civil Augmentation Program (LOGCAP) organizations and civilianagencies that are part of the force or may be impacted by the activity, hazard,or its control• The media and nongovernmental organizations (NGO) when their presenceaffects or is affected by the force.Be sure to explain how the controls will be implemented in areas such as the following:• Overlays and graphics• Drills for vehicle and aircraft silhouette identification• Rehearsals and battle drills• Refresher training on intensive threat and friendly vehicle identification for allanti-armor and air defense weapons crews• Orientation for replacement personnel• Installation and maintenance of communications links for key civilianorganizations• Operating convoys with a prescribed minimum number of vehicles• Provisions to carry weapons and wear body armor and helmets when outsidesecure compounds• Accident awareness, safety briefings, and warnings.The commander alonedecides if controls aresufficient andacceptable and whetherto accept the resultingresidual risk. If thecommander determinesthe risk level is too high,he or she directs thedevelopment ofadditional controls oralternate controls ormodifies, changes, orrejects a given plan ofaction.

122 ■ SECTION 1Step 5 – Supervise and EvaluateIn Step 5 of the CRM process you ensure that risk controls are implemented and enforcedto standard. You also make sure the selected control measures are adequate and supportthe objectives and desired outcomes. Like other steps of the CRM process, you mustsupervise and evaluate throughout all phases of any operation or activity. In this way, youwill be able to identify weaknesses and make changes or adjustments to controls based onperformance, changing situations, conditions, or events.SuperviseSupervision is a form of control measure. In Step 5 of CRM, supervision becomes anintegral part of the process. During supervision, you ensure subordinates understand how,when, and where there are controls. You also ensure that controls are implemented,monitored, and remain in place.Situational awareness is a critical component of the CRM process when identifyinghazards. Situational awareness is equally important in supervision. It will enable you tomake sure that complacency, deviation from standards, or violations of policies and riskcontrols do not threaten success. Monitor factors such as fatigue, equipment serviceability/availability, and the weather and environment. Then you can mitigate the hazards theypresent. Through supervision and oversight you can gain the situational awareness necessaryto anticipate, identify, and assess any new hazards and to develop or modify controls asnecessary.You must have an extraordinary degree of discipline to avoid complacency fromboredom or overconfidence when personnel are performing repetitive tasks. It can be easy,due to overconfidence or complacency, for people to ignore controls established andimplemented for a prolonged period. During stability operations, for example, at thebeginning of an operation, you may identify land-mine hazards and establish and enforcecontrols. However, over time and with success (no accidents or incidents), complacencymay set in. Established controls may lose their effectiveness. A terrorist threat and personalsecurity are examples. When personnel live or operate in an area that is not considered ahigh threat area or in cases where personnel have operated in a high threat area for anextended period without incident, they risk losing situational awareness and may fail toFigure 1.4Composite Risk Management Worksheet

Composite Risk Management ■ 123TABLE 1.2Worksheet InstructionsItemInstruction1 through 4 Self explanatory.5 Subtask relating to the mission or task in block1.6 Hazards – Identify hazards by reviewing METT-TCfactors for the mission or task. Additional factorsinclude historical lessons learned, experience,judgment, equipment characteristics and warnings, andenvironmental considerations.7 Initial Risk Level – Includes historical lessons learned,intuitive analyses, experience, judgment, equipmentcharacteristics and warnings, and environmentalconsiderations. Determine initial risk for each hazard byapplying risk assessment matrix (Figure 1.3). Enter therisk level for each hazard.8 Controls – Develop one or more controls for eachhazard that will either eliminate the hazard or reducethe risk (probability and/or severity) of a hazardousincident. Specify who, what, where, why, when, andhow for each control. Enter controls.9 Residual Risk Level – Determine the residual risk foreach hazard by applying the risk assessment matrix(Figure 1.3). Enter the residual risk level for eachhazard.10 How to Implement – Decide how each control will beput into effect or communicated to the personnel whowill make it happen (written or verbal instruction;tactical, safety, garrison SOPs, rehearsals). Entercontrols.11 How to Supervise (Who) – Plan how each control will bemonitored for implementation (continuous supervision,spot-checks) and reassess hazards as the situationchanges. Determine if the controls worked and if theycan be improved. Pass on lessons learned.12 Was Control Effective – Indicate “Yes” or “No.” Reviewduring AAR.13 Overall Risk Level – Select the highest residual risklevel and circle it. This becomes the overall mission ortask risk level. The commander decides whether thecontrols are sufficient to accept the level of residualrisk. If the risk is too great to continue the mission ortask, the commander directs development of additionalcontrols or modifies, changes, or rejects the COA.14 Risk Decision Authority – Signed by the appropriatelevel of command.

124 ■ SECTION 1remain vigilant. Other examples of long-term hazards include climatic extremes; nuclear,biological, and chemical (NBC) and hazardous-waste contamination; or diseases nativeto a particular area of operation or indigenous population.EvaluateContinue the evaluation process during all phases of the operation, and as part of the AARand assessment following completion of the operation or activity.• Identify any hazards that you did not identify as part of the initial assessment, oridentify new hazards that evolved during the operation or activity—for example,any time that personnel, equipment, environment, or mission change the initialrisk management analysis, re-evaluate the control measures• Assess effectiveness in supporting operational goals and objectives. Did the controlspositively or negatively impact training or mission accomplishment? Did thecontrols support existing doctrine, techniques, tactics, and procedures?• Assess the implementation, execution, and communication of the controls• Assess the accuracy of residual risk and effectiveness of controls in eliminatinghazards and controlling risks• Ensure compliance with the guiding principles of CRM. Was the processintegrated throughout all phases of the operation? Were risk decisions accurate?Were they made at the appropriate level? Were there any unnecessary risks, anddid the benefit outweigh the cost in terms of dollars, training benefit, and time?Was the process cyclic and continuous throughout the operation?Tools and TechniquesTechniques may include spot-checks, inspections, situation reports (SITREPs), back briefs,buddy checks, and close oversight. AARs provide a forum in which you can assess the entiremission or operation. Include the effectiveness of the CRM process and an assessment ofthe criteria as a part of any AAR.Based on your evaluation and assessment of the operation and the effectiveness ofCRM, develop and disseminate to others lessons learned for incorporation into futureplans, operations, and activities. The operations staff officer (S3) ensures that lessons learnedfrom the CRM process, to include CRM worksheets, are captured and retained for useduring future operations.Poor Training Leads to High RiskDuring an assembly area occupation, the overhead cover of a fighting positioncollapsed on a Soldier. The Soldier suffered a fractured spine, resulting in apermanent disability.The fighting position collapsed because it was not built to standard.Specifically, the overhead stringers were improperly emplaced to support theweight of the overhead cover. One common construction error is the lack ofsupport (beams) on which to stabilize the stringers. Another error is improperspacing (10” maximum) of overhead stringers. Eighteen inches of overhead coverprovided by sandbags could weigh almost 4,000 pounds, so it is critical thatfighting positions are built IAW the available appropriate references (FM 5-34).The Soldiers built this position as they had been trained—but not to standard.The design was similar to many they had built in the past; clearly, this accident

Composite Risk Management ■ 125was just waiting for a time and place to happen. The preconditions were set—training and leader failure.At least three training opportunities were missed that directly contributed tothis accident. First, although every Soldier receives instruction on this task duringBasic Training, hands-on performance is not a requirement. Most fieldcommanders assume Soldiers are proficient in this skill-level-one task. TheseSoldiers were not proficient, and the first opportunity to prevent this accident wasmissed. Second, the task, Construct Individual Fighting Positions, was required inboth the FY97 and FY98 Notice for Common Task Testing. Additionally, the skilllevel-twotask, Supervise Construction of a Fighting Position, was included in theFY97 Notice. Again, leaders missed an opportunity to prevent this accident byfailing to train to standard. Finally, prior to the exercise, the unit identified the taskas a weakness and programmed training to fix it. However, the train-up exercisewas not properly planned, resourced, or executed. Another opportunity missed.The end result was that Soldiers didn’t know what right looked like.The Soldiers’ supervisor checked on the position numerous times as it wasbeing built. He failed to correct the deficiency because he too was not trained tostandard. However, he did have at least two references readily available thatexplained the correct method for constructing overhead cover. This supervisor,and those leaders who did not certify his ability to supervise this task, failed toexercise their leadership responsibilities.Training and leadership should have ensured that a Soldier didn’t leave thatfighting position on a stretcher. By failing to train to and enforce establishedstandards, one Soldier paid an extremely high price. Soldier safety is a leaderresponsibility: they are our greatest asset, and we owe it to our Soldiers to do itright.Army Safety Center WebsiteCritical ThinkingeConsider the situation described above. Which of the controls is likely to be mosteffective? Would a combination be more effective than a single control?Critical ThinkingeDiscuss how you would convert a control measure into an order.

126 ■ SECTION 1eCONCLUSIONWhen leaders become skilled in the process of risk management, they effectivelyidentify, assess, and control risks inherent in training and combat operations.Through making calculated decisions that balance risk costs with the mission’sgoals, the vexing element of chance is reduced in dangerous training and combatsituations. Leaders and Soldiers at all levels use risk management during allmissions and in all environments in which Army operations take place. The abilityto manage risk using the five-step risk management process is fundamental toyour confidence and competence as an Army leader. It is critical to conservingcombat power and resources.Learning Assessment1. What five steps comprise the risk management process?2. What are the three basic types of controls?3. What is residual risk?

Composite Risk Management ■ 127Key Wordsrisk managementriskhazardrisk assessmentcontrolsReferencesField Manual 5-19, Composite Risk Management. 21 August 2006.Truth or Consequences. Army Safety Center Website. Risk Management Lessons Learned.Retrieved 23 March 2005 from https://safety.army.mil