Risk Management article

The ground, more about even more so than the sky and sea, visit is unforgiving when you are falling towards it without the assistance of a properly functioning parachute.



There is a very detailed and thorough set of steps incorporated into a Jumpmaster’s parachute inspection that takes place for every military parachutist prior to every airborne operation. Participating in an airborne operation is a risky business in itself and further elevates the chance (or risk) of injury when the parachute jump is simply a non-traditional way to get to work. Especially when your work is combat or some other military mission.

Risk management is an integral part of hazardous operations and is expected, but in reality, risk management is practiced in every aspect of life. In the US Army’s Intelligence Analysis manual (FM 34-3) risk is defined as a voluntary exposure to danger, however unavoidable it might be under the circumstances.



In other words, risk is a deliberate (if unwanted) exposure to danger. It is amplified as the threat increases. Conducting airborne operations has an inherent risk factor that requires risk to be mitigated by managing it. Conducting detailed equipment inspections prior to a jump is a demonstrated way of lowering the risk.



To mitigate risk, the threat can be decreased. In this instance, jumping from an aircraft while in flight and eventually impacting with the ground is the threat. It is generally agreed upon that the threat is not controlled by the concerned party and that removing the threat from the risk equation is not an option. To lower risk, one must increase the warning time by decreasing the detection and response times. In this case the detection time is decreased by ensuring the jumper is alert. The response time is lowered by repetitive training (muscle memory) and correctly functioning equipment. As boots hit the ground and the paratrooper goes quickly about his mission, properly performed risk management has positively impacted this operation.



Risk management is a tool that has become especially important and more widely discussed by security professionals ever since the events of September 11, 2001. Overnight, many Federal and State Governmental departments, to include even more areas inside the Department of Defense, as well as many civilian organizations became energized towards developing or locating existing methods of managing risk more effectively.



With the current (and warranted) emphasis on protecting our nation’s assets from attacks by terrorists or other adversaries, an understandable and effective means of performing risk management that any organization will be able to use is required. Whether developing a risk management process from scratch, or deciding to use a risk management methodology currently available, the basic questions need to be asked and answered. As a security manager or responsible staff officer charged with ensuring the safety of your organization you need to accurately and completely fill in certain blanks in the risk equation.



Your ASSETS applied to the THREAT which is applied to the VULNERABILITIES equals your RISK. (A x T x V = R) This ongoing process is considered RISK MANAGEMENT.



During the more than 20 years I served our nation as a soldier in the US Army, I worked in many assignments that required risk management activities to be conducted as a matter of fact and often without any formal methodology. Many times there was no formal system, but depending rather on the intuition and experience of the mission commander. I have found that these hard-learned and often inconsistently applied lessons can be included in a formalized and repeatable risk management methodology that can then be used by security and decision-making personnel at all levels of various organizations.



To let you know just a bit about myself and my credentials in the field of Risk Management, I wish to share this with you. I retired from the United States Army where I served for fourteen years in the Special Forces Branch. During my time in the Green Berets, I spent nine years as an “A-team” Operations Sergeant which is the A-team’s Noncommissioned Officer in Charge (NCOIC). I have operated extensively in Southern Africa and the Mideast where the task of Risk Management was a constant factor in all daily operations. During the Gulf War, I was the NCOIC of an A-team that had the primary duty of liberating the American Embassy and a subsequent mission of providing security for the Embassy Grounds and personnel as well as the Embassy’s considerable consortium of VIPs. This required me to refine old accepted methods and develop many new aspects in the field of analyzing risk and applying this information towards Risk Management.



More recently, I completed a 6-month tour of duty in Bosnia-Herzegovina, where my team had the responsibility of monitoring the compliance to the Dayton Peace Accords by the Former Warring Factions in both the Federation (Muslim) and RS (Serbian) areas of the country. Our mission required us to not only conduct official meetings with the local leaders and identify force protection information for other friendly units (SFOR), but to actually live in the areas to which we were assigned. This provided an official military presence within the communities that could be seen as less threatening and more accessible to the formal and informal leadership of the local population. Risk Management for my own men as well as those Indigenous personnel that interacted with Americans on a daily basis was a continuing priority task for me.



All of this required many of the Risk Management processes to be used and improved upon constantly. From the security posture of the two-man teams during normal operations, to the defensive countermeasures put into place at the safe house we lived in and based operations from, to the vulnerability assessments of the meeting places where high-level talks between senior military and government officials were carried out required continuous Risk Management procedures be used.



For example, our A-team’s security posture for official meetings was developed as the threat was analyzed and presented for a decision. We might decide to carry only concealed sidearms and lower our personal security (increased risk), or carry long guns and wear body armor (less risk) and present a less amiable appearance. Once a decision was made and implemented, I would evaluate the results and readjust as required. The threat level changed from mission to mission and Risk Management had to be reevaluated and continuously readjusted as required. This process took place at my level of operations in every area of our mission and provided the members of my A-team (and myself) with an immeasurable amount of real-world experience to be applied in the future to similar situations.



While I was not as concerned with the dollar cost of security as most government and corporate security managers would be, I was very conscience of the price that the appropriate security (acceptable risk) would cost the mission.



I’ve learned while dealing in higher level management circles that to begin risk management, one must decide what level of security you can financially afford while continuing to follow an acceptable business plan. The security level you maintain must be supported by the level of acceptable risk you (or your organization) are willing to allow. Mission requirements must be evaluated against actual risk. Mitigation of that risk to acceptable levels that still allow for mission success is the bottom-line of risk management.



This process I’ve demonstrated using a couple of simple examples can be mirrored using a highly developed and versatile continuous risk management methodology that is now available from a select few security professionals. It is available as a skill to be taught to organic security personnel or as a service to be provided for organizations by highly trained and experienced security consultants such as the ones that are found in the company I belong to.





William A Easterling

Senior Security Consultant