Category Archives: Enterprise Risk Management

Risk Management, Army Style

Are you a risk manager who is tired of reading hyper-technical, statistically dense manuals of corporate policies and procedures? Are you looking for a conceptually vivid and highly readable alternative?

You might be surprised to learn that the United States Army has just released such a text. Army Techniques Publication ATP 5-19 (Risk Management) walks the reader through a wide variety of high-risk military scenarios, from (a) leading troops in heavy vehicles over bridges in enemy-held territory (see Figure 3-4 on page 3-6), to (b) planning air assaults with attack helicopters and field artillery against insurgent forces that have seized airfields (see Figures 4-1 and 4-2 on pages 4-4 and 4-5).

The fundamental framework of the risk management function closely follows the COSO cube paradigm that defines the business world’s approach to the discipline. For example, each potential risk event is evaluated and assessed in terms of its probability / expected frequency and its severity / expected consequence (see Table 1-1 on page 1-7).

Nevertheless, there are some intriguing differences between the military model of risk management and its analogous business model. For instance, the business model posits that organizations should plan preventive control activities to reduce unacceptably large probabilities, and should plan crisis response activities to manage unacceptable levels of severity.

The Army framework, though, refers to “controls” in a collective manner. It doesn’t differentiate between preventive controls and crisis response activities; instead, it simply refers to “controls and risk decisions” as a single step in the process (see Figure 1-2 on page 1-4).

Why does the Army draw no distinction between prevention and response? It isn’t entirely clear why the Army adopts this approach, though it does distinguish between “deliberate” risk management (i.e. long-term, advance planning) and “real-time” risk management (i.e. immediate, time-constrained decisions).

Although both situations are addressed in the manual, the vivid examples appear to call mostly for “real-time” decisions, when it can be difficult to differentiate between preventive and responsive activities. Indeed, while crises are exploding around us, all we can do is make quick decisions and take immediate actions, while hoping for occasional opportunities to observe outcomes.

In any event, the Army manual provides a helpful illustrative guide for all risk management professionals. COSO itself has acknowledged public sentiment that its model is “overly theoretical … overly vague … (and) unnecessarily complicated … (producing a) need for more templates and tools to help with the implementation” of risk management. The Army’s ATP 5-19 publication certainly appears to heed the call for such tools.

In Connecticut, Has Risk Management Gone Awry?

Connecticut has always been known as the Land of Steady Habits. Last week, however, it also became known as the Land of Miserably Unhappy Commuters.

That’s because the high voltage feeder cable that powers the New Haven (Connecticut) to Grand Central Terminal (New York City) commuter train line failed last week. Stranded passengers were told to expect little or no train service for up to three weeks.

So why is this a prime example of risk management gone awry? It appears that the Metro-North rail system has always maintained a secondary electrical feed. But two weeks before the failure, engineers removed the secondary feed from service for maintenance and upgrade work without replacing it with any temporary alternative. Thus, when the primary feeder cable failed last week, there was no other source in place to power the train line.

Regrettably, Connecticut Governor Dan Malloy noted that Metro North officials appeared to have been taken by complete surprise. He said that “there appears to have been little plan(ning) for this type of catastrophic failure.”

The discipline of Enterprise Risk Management (ERM) embraces a few key principles. Organizations must identify potential crises before they occur. For crises that are relatively likely to occur, preventive controls must be implemented to reduce the likelihoods. And for events that will be relatively costly if they occur, crisis response functions must be implemented to contain the costs of failure.

Did the folks at Metro-North follow these principles? Because a failure of the primary feeder cable could inflict so much damage on commuters, one may question whether the secondary feed should ever have been removed without the temporary implementation of another crisis response function. And because the severe aging of the electrical fleet and infrastructure makes such failures relatively likely to occur, one may ask whether the primary feed (as well as, or perhaps in place of, the secondary feed) should have been the focus of the preventive maintenance work.

In other words, Governor Malloy’s own observations reveal that the public transportation agency was following a risk management plan that was bound to go awry. And now the commuters of Connecticut are bearing the brunt of that failure.

Power Blackout: Mark Your Calendars!

Why do the managers and employees of our electrical energy companies always seem to be taken by surprise when catastrophic events black out the power grid?

In retrospect, so many of their improvised responses seem feckless. Who can forget the awkward attempts of the Japanese military to drop giant buckets of water from helicopters on the Fukushima nuclear power plants?

And what of Connecticut Governor Dan Malloy during the blizzard of Fall 2011? He demanded that utility executives meet their own self-defined deadline in the aftermath of the storm, and then reacted with frustration when they failed to do so.

If you have felt enraged by the inability of the power companies to plan for such events, you’ll be pleased to learn that they are taking steps to address these challenges. For instance, on November 13, the North American Electric Reliability Corporation (NERC) will conduct a simulation exercise called GridEx, in which utilities practice their planned response to a massive cyber security attack on the grid.

Simulation exercises, of course, are not always constructive planning activities. Some of these protocols, such as the one that Tokyo’s Tama Zoo utilizes to practice its responses to dangerous animal escapes, have become exercises in silliness. But a serious simulation activity can help any organization identify weaknesses in its own emergency response plans.

In fact, the risk response planning process is a core activity of the COSO integrated framework of Enterprise Risk Management. It’s embedded in the front of COSO’s iconic cube as the fifth of eight core steps.

So on November 13, if you hear a news update about a power blackout, please don’t panic … it’s just a drill! And in fact, it will likely help the electrical energy companies respond to a crisis during the next monster storm.