Think Defense: Learning from the Defense Dept. About Operational Risk

Business continuity professionals can learn a lot from the U.S. Dept. of Defense’s approach to operational risk management. In today’s post, I’ll summarize the DOD’s five-step approach to ORM and explain how each step might be helpful to your organization.

 Related on BCMMETRICS: Driving Blind: The Problem with Skipping the Threat and Risk Assessment

Learning from the Military

I’ve always admired the U.S. military’s ability to take hundreds of thousands of young people, forge them into a cohesive organization, and bring out in most of them qualities of competence and maturity that their teachers in high school probably never suspected they had.

It turns out that the DOD also has some good ideas on the subject of operational risk management.

Organizations of all types could benefit by “thinking defense”—and taking a page from the Defense Department’s book in this area.

The Five-Step Approach to Managing Risk

Someone recently shared with me the DOD’s five-step approach to ORM. It’s short and sweet:

1. Identify hazards
2. Assess hazards
3. Make risk decisions
4. Implement controls
5. Supervise

(You can find the Navy’s approach to the five steps here.)

I think the DOD’s five steps are an excellent summation of the key tasks involved in evaluating and mitigating the threats in an organization’s environment.

Unfortunately, this step is skipped by way too many organizations (in my opinion, to their cost). But that’s a subject for another blog.

Today we’re talking about the military’s approach to ORM—and how businesses, educational institutions, and other civilian organizations can leverage it to help them manage operational risk.

Not every organization deploys naval vessels, ground troops, and combat aircraft. But every single one operates in an environment of risk and uncertainty.  

And given the current trends in terms of climate change, heat patterns, fire, drought, cybercrime, and so on, it’s safe to say that for most organizations the threat environment is growing ever more complex and challenging.

A Closer Look at the Five Steps

Let’s take a closer look at each of the five steps in the DOD’s model.

1. Identify hazards.

This is the most critical aspect. People have to achieve a clear understanding of the natural, human, and technological hazards that are most likely  to affect their organization. A surprising number of business continuity management (BCM) professionals do not have a good grasp of this. (I’ve seen people in the Upper Midwest obsessing about the danger from hurricanes.) A good way to get a handle on the threats in a particular area is to go to the local emergency management departments. Those departments are required by law to do threat and risk assessments for the area on a regular basis. Combine their list with one you create. Build your list up, then whittle it down. Run your list by senior management. Ask yourself, did I miss anything? Does this list make sense? The goal is to arrive at a valid list of the natural, human, and technological risks and hazards facing the organization.

2. Assess hazards.

There are many ways of doing this. Some organizations get into highly complex mathematical assessments (what we call Monte Carlo simulations). A simpler but good method is the Kaiser Permanente Hazards Vulnerability Analysis (free for download from Kaiser). (We use a modified version of this at MHA.) Whatever method you use, the goal is to give each risk a numerical score that reflects how dangerous it is to the organization. Basically there are three factors to consider: the probability of the hazard occurring, the impact if it did occur, and any mitigation that you have in place to protect against it. Once you score your risks, you can identify the main ones (the top five, say) and get to work mitigating them.

3. Make risk decisions.

In the previous step, you identified the most dangerous risks. In this step, you start deciding what you’re going to do about them. This is usually a matter of trying to get the most mitigation bang for your buck using a limited amount of resources. What kind of decisions are we talking about? At one organization, it might mean deciding to buy a generator for a certain critical facility. At another, it might mean deciding to break up a cluster of geographically centralized critical departments, putting them in different cities to reduce the chance that one event could take out all of them. 

4. Implement controls.

In the previous step we decided what we should do to mitigate our most dangerous risks. Now we have to follow through and do it. We have to buy the generator or disperse the departments. Many well-intentioned plans grind to a halt at this stage. Talk is cheap. Implementation is hard. It’s like when you go to the doctor and he tells you to eat less and work out three days a week. Many people say they’ll follow the doctor’s order but don’t. A few people with vision and discipline (or an intelligent fear of the consequences of continuing as before) do. The people in the second group are the ones you want to emulate, if you wish to make your organization resilient. 

5. Supervise.

This is the step where we look back and see how things are going.  Are the controls we implemented working? Did they reduce our risk? People in my line of work have a tendency to focus on gaps and shortcomings. But I’ve seen so many success stories. This is the stage where those emerge. People see how over time they’ve been able to mitigate against serious threats, such as loss of power or bad backups. And after you take time as an organization to savor your successes, you should go back to the beginning of the process and do it all again. Because operational risk management is not a one-and-done affair. It’s an ongoing process that should be a part of every organization’s culture. 

That’s how organizations like yours can leverage the DOD’s excellent risk-management process to bring down risk and improve their resilience.

Managing Risk, Increasing Resilience

The DOD’s approach to operational risk management is short but sweet: 1) Identify hazards, 2) Assess hazards, 3) Make risk decisions, 4) Implement controls, and 5) Supervise. 

Organizations of all types could benefit from “thinking defense”—by using the Defense Dept.’s five-step approach to ORM to reduce their risk and increase their resilience. 

Further Reading

For more information on operational risk management and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:

• Checking It Twice: The Corporate Risk Mitigation Checklist
• Know Your Gaps: Manage Residual Risk to Keep Your Company Safe
• Every Single Day: Make Risk Management Part of Your Company’s Culture
• Solving the Puzzle of the Operational Risk Management Lifecycle
• Driving Blind: The Problem with Skipping the Threat and Risk Assessment
• Solving the Puzzle of the Operational Risk Management Lifecycle