THE UNITED STATES NAVAL WAR COLLEGE
U.S. Navy Senior Enlisted Academy
RISK MITIGATION: DIVERSE CHALLENGES
FOR THE RISK PRACTITIONER
By
Prof. Ronald E. Ratcliff (Jan 2006)
Edited by Prof. Bud Baker (Nov 2017)
RISK MITIGATION: DIVERSE CHALLENGES
FOR THE RISK PRACTITIONER
It's tough to make predictions, especially about the future.
─ Yogi Berra
INTRODUCTION
Risk and risk management are concepts that leaders and their staffs have come to appreciate in
increasing levels of sophistication. Operational Risk Management (ORM) is a process taught at
all levels in the Department of Defense. Yet, and somewhat ironically, senior civilian Defense
Department leadership has often been quite critical of the military services for their limited
understanding of, and general aversion to, risk. While one can build a defensible case for the
military’s penchant to avoid risk, the purpose of this paper is to examine more fully the
challenges that make astute risk management so difficult. As part of that discussion, we will
briefly examine the difficulties inherent in determining risk for low-probability but catastrophic
events. We will also examine briefly the processes used in risk management and the challenges
leaders face in making risk management decisions. Finally, we will address the challenges all
organizations face when communicating the rationale for their choices given the risks involved.
RISK
In a July 2004 study commissioned by the British government entitled Public Perception of Risk,
J. Richard Eiser noted that: “Risk is a feature of all human activity that results in some probable
benefit but also includes a potential cost or harm.”1 He further noted:
[E]verything that is important about risk arises from actual or perceived uncertainty ...
it is only because we need to act under conditions of uncertainty that the concept of risk
is of interest. If we felt there was nothing we could ever do to affect what might
happen to us, we would have no decisions to take and there would be no point in
worrying about the likelihood or value of future events. ... It is because these
consequences are uncertain, and may leave us better or worse off, that we talk about
risk.2
Risk is typically defined as “the combination of the probability of an event occurring and its
consequences.”3 Usually, organizations perceive those consequences in a negative context.
Within the Department of Defense, the term risk clearly has a negative implication defined as
“the probability and severity of a potential loss that may result from hazards...”4 Similarly, the
Naval War College characterizes risk as “the likelihood of failure and the consequence of
failure…”5 These definitions equate risk to the probability that an organization’s vulnerabilities
or weaknesses will permit an unwanted and/or harmful event to occur that will limit its ability to
achieve a.
Science 7 - LAND and SEA BREEZE and its Characteristics
THE UNITED STATES NAVAL WAR COLLEGE U.S. Navy.docx
1. THE UNITED STATES NAVAL WAR COLLEGE
U.S. Navy Senior Enlisted Academy
RISK MITIGATION: DIVERSE CHALLENGES
FOR THE RISK PRACTITIONER
By
Prof. Ronald E. Ratcliff (Jan 2006)
Edited by Prof. Bud Baker (Nov 2017)
2. RISK MITIGATION: DIVERSE CHALLENGES
FOR THE RISK PRACTITIONER
It's tough to make predictions, especially about the future.
─ Yogi Berra
INTRODUCTION
Risk and risk management are concepts that leaders and their
staffs have come to appreciate in
increasing levels of sophistication. Operational Risk
Management (ORM) is a process taught at
all levels in the Department of Defense. Yet, and somewhat
ironically, senior civilian Defense
Department leadership has often been quite critical of the
military services for their limited
understanding of, and general aversion to, risk. While one can
build a defensible case for the
military’s penchant to avoid risk, the purpose of this paper is to
examine more fully the
challenges that make astute risk management so difficult. As
part of that discussion, we will
3. briefly examine the difficulties inherent in determining risk for
low-probability but catastrophic
events. We will also examine briefly the processes used in risk
management and the challenges
leaders face in making risk management decisions. Finally, we
will address the challenges all
organizations face when communicating the rationale for their
choices given the risks involved.
RISK
In a July 2004 study commissioned by the British government
entitled Public Perception of Risk,
J. Richard Eiser noted that: “Risk is a feature of all human
activity that results in some probable
benefit but also includes a potential cost or harm.”1 He further
noted:
[E]verything that is important about risk arises from actual or
perceived uncertainty ...
it is only because we need to act under conditions of uncertainty
that the concept of risk
is of interest. If we felt there was nothing we could ever do to
affect what might
4. happen to us, we would have no decisions to take and there
would be no point in
worrying about the likelihood or value of future events. ... It is
because these
consequences are uncertain, and may leave us better or worse
off, that we talk about
risk.2
Risk is typically defined as “the combination of the probability
of an event occurring and its
consequences.”3 Usually, organizations perceive those
consequences in a negative context.
Within the Department of Defense, the term risk clearly has a
negative implication defined as
“the probability and severity of a potential loss that may result
from hazards...”4 Similarly, the
Naval War College characterizes risk as “the likelihood of
failure and the consequence of
failure…”5 These definitions equate risk to the probability that
an organization’s vulnerabilities
or weaknesses will permit an unwanted and/or harmful event to
occur that will limit its ability to
achieve a desired goal or objective. Thus risk is perceived to
increase as either the probability of
5. the unwanted event increases or the severity of the
consequences rise.
Often overlooked in an organization’s treatment of risk are its
positive aspects. Risk usually
entails the possibility that a future event could have a positive
effect or be advantageous to the
organization. This aspect of risk, while acknowledged by most
organizations, is just as often
likely to be ignored, as their aversion to risk too greatly
discounts the potential benefits of a risky
2
choice. Many organizations fail to appreciate that risk is more
than a simple articulation of the
bad things that could happen; it is also about the good things
that will not happen.
Organizational success or failure is not simply dependent on the
ability to identify and avoid
harmful risk, but is also reliant on the ability to recognize and
“to capitalize on fleeting
opportunities.”6
UNCERTAINTY
6. Risk occurs because the precise likelihood of a future event is
unknowable. If we knew with
certainty that an event was going to happen, there would be no
discussion about risk.
Unfortunately, the future is simply and unequivocally
unknowable. We are frequently forced to
make choices about the future without really knowing how
things will turn out. As the
consequences of those choices increase, so too does the
perceived need to eliminate as much
uncertainty as possible.
Organizational uncertainty arises from three basic
circumstances: 1) uncertainty about how the
organization’s environment is changing; 2) uncertainty about
how those changes will harm or
benefit the organization; and 3) uncertainty about the best way
to respond to those changes to
either limit the harm or assure the benefits occur.7 Uncertainty
is further complicated by the very
nature of the doubt that creates the risky situation under
consideration. Uncertainty results from
two basic conditions: vagueness and ambiguity.
7. • Vague uncertainty occurs when there is a lack of clear or
definitive information
about the range of probable future outcomes.
• Ambiguous uncertainty, which occurs when there is clear but
conflicting information
on (or general disagreement about) the range of future
outcomes.8
While uncertainty due to vagueness can be reduced by gathering
more information about the
situation, uncertainty due to ambiguity usually cannot be
resolved by additional or new
information. Clearly, it behooves the risk practitioner to first
seek to understand the basic nature
of the uncertainty faced by the organization before deciding
how to diminish it. How we identify
relevant data, develop information and act on that knowledge is
dictated by how we perceive and
judge risk as either a danger to be avoided or an opportunity to
be seized. Judgment about risk is
influenced by two elements: risk perception and risk propensity.
RISK PERCEPTION
8. Risk is not a physical entity into itself, but rather is a concept
or a way of thinking about the
impact of something that has yet to happen. As such, risk is a
subjective judgment of the likely
consequences of a future uncertain event. Yet risk is more than
merely a function of uncertainty.
It is also a judgment about how we value the different possible
results (good and bad) that might
occur. Those judgments color and bias our perceptions of risk.9
Value judgments play an
especially large role in the way we estimate risk for low
probability, but highly destructive
events. Thus, risk perception is the product of one’s judgment
about the likelihood an event will
occur, the extent of harm or benefit that future event is likely to
bring, and the level of
confidence one has in those estimates.10
3
RISK PROPENSITY
Risk propensity is often defined as “an individual’s current
tendency to take or avoid risks…”11
9. It is usually viewed in one of two ways:
• Risk averse characterizes those who view risk as a harmful
consequence to be avoided
at all costs regardless the potential benefits. As a result, those
who are risk averse
usually seek to avoid risk in the decisions they make.
• Risk tolerant characterizes those who value the potentially
beneficial consequences of
an event more than they fear the associated potential harm.
Hence, those who are risk
tolerant are willing to accept risk commensurate with the
potential gain in the
decisions they make.
Our perceptions of risk are relative to our basic tendencies
towards risk. While perception of
risk may drive one person’s risk tolerance, another’s propensity
to assume risk probably drives
their perception of the risk involved. Decision makers must be
aware of both aspects in order to
fully appreciate which element is most influencing their
decision or the estimates of others. To
be too risk averse forgoes opportunity, while being too risk
tolerant may be foolhardy.
10. The Risk Dilemma. Adding to the complexity of organizational
perception of risk is the
influence of important key stakeholders. Returning to Eiser’s
report on risk perception for the
British government:
Risk-mitigation decisions may be influenced by public
perceptions of risk in ways
that may distort priorities away from actual risk reductions.
Policy makers may
feel the need to be seen to be doing something about particular
risks, even where
the risks are relatively small and the actions undertaken are
more visible than they
are effective. The other side of the story is that the general
public can sometimes
appear frustratingly complacent about the seriousness of other
kinds of risks, and
so be resistant to policies and actions that could lead to risk
reduction.12
How people perceive risk depends on: what they value, how the
risk is framed, and their level of
trust in the organization or institution responsible for
identifying and characterizing the risk.
11. Studies have shown that there appears to be a clear inverse
relationship between perceived risk
and perceived benefit and an individual’s evaluation of a
hazard. That is to say, where an
activity or issue is perceived in a positive light, people tend to
judge its benefits as high and its
risks as low. But where the situation or endeavor is seen in a
negative light, people are likely to
dwell on the dangerous or harmful aspects of the issue and
perceive the risks as high.13 As a
consequence, the astute risk decision maker must always strive
to understand which aspect of
risk (potential harm or benefit) is being emphasized or
minimized to ensure that how a problem
has been framed does not prejudice the risk decision.
The “Wicked” Problem14 – Low Probability-High Consequence
(LP/HC) Threat. One
of the most perplexing problems that confronts national security
organizations like DoD and the
Department of Homeland Security is how best to identify and
characterize the risk associated
4
12. with low-probability events that have highly dangerous or
catastrophic consequences should they
occur. LP/HC threats include such things as the release of a
Weapon of Mass Destruction
(WMD) in a metropolitan area like New York City, or global
pandemics like drug-resistant
Tuberculosis, Smallpox or the Avian Flu.
As the diagram at the right shows, when the
severity of the consequences of an event is
judged to be relatively low, the risk is
usually judged to be “low” regardless of the
likelihood that the event will occur. If the
event is highly probable and its
consequences are highly harmful, the risk is
judged appropriately to be “high.” Problems
arise, however, when we are forced to
characterize events that have a very low
probability of occurring, but if they do occur
have disastrous consequences. Identifying
13. appropriate criteria to characterize such risk as either high or
low is not only highly problematic,
but equally difficult to explain.
LP/HC threats are by their nature complex ─ complex in the
sense that the cause-and-effect
chain is usually dynamic, often not well understood, and
generally is open to reasonable
debate. When the complexity of a threat exceeds the
layperson’s ability to understand the
important technical issues, cultural values and the public’s trust
of national institutions become
an integral part of the risk calculus. As a result, expert
opinions or scientific analysis often are
insufficient in and of themselves to provide universal or wholly
accepted characterizations of
the risk.15 When the issues are complex, public perceptions of
risk are influenced by two
dimensions: the extent and clarity of the knowledge about the
threat and the level of
conformity among stakeholder values that shape perceptions
about how much risk is involved.
Such problems have been called “wicked problems” because:
14. 1) The problem and solutions exist in the “eye of the beholder,”
hence there is no
single accepted formulation of the problem;
2) Outcomes are not scientifically predictable;
3) The decision maker cannot know when all feasible and
desirable solutions have
been explored; and
4) The decision-maker is not allowed to be wrong.16
DIFFERENT KINDS OF RISK
When addressing risk, frequently there is a tendency to assume
that others see and understand the
context of risk the same way that we do. Such a presumption is
ill-founded and lays at the heart
of most misunderstandings about risk. As one author noted
when researching the subject, an
internet search engine recently took 0.18 seconds to identify
510 million written works on the
single word “risk.” It is highly doubtful that all of those
authors were using it in the same way or
in the same context.17
16. in
g
(U
n
c
e
rt
a
in
ty
)
None Severity of the Consequence Catastrophic
0%
100%
Low Risk
Low Risk High Risk
?
5
There is no commonly accepted standard that establishes the
categories or kinds of risk that
17. confront decision makers. For many, risk is basically
comprised of the inherent or pure risk that
naturally emanates from our environment as opposed to assumed
risk that springs from
individual or collective activity or behavior. For others, risk is
simply comprised of individual
risk or societal risk. Within those broad constructs, risk can
also refer to the potential harm to a
physical asset (building, information system, transportation
system, etc.) or to intangible but real
assets (victory, profit, market share, reputation, etc.). Some
commonly used categories or
descriptions of risk include the following:
• Organizational risk (technical, personnel, systems/process,
performance);
• Business risk (credit, product/market, regulatory/legal,
transactional, investment);
• Project management risk (cost, schedule and performance);
• Operational risk (mission, resources, processes, tactics);
• Strategic risk (competitive environment, risks that arise in the
pursuit of enterprise
objectives);
• Political risk (constituencies, alliances, coalitions); and
18. • Security risk (public safety and health, information systems,
infrastructure).
The Defense Department categorizes risk into four groups
(personnel management,
operational, future challenges and institutional). These lists are
by no means exhaustive, but
serve to show why, when speaking about risk, it is imperative to
ensure all participants in a
risk decision are proceeding with a common understanding of
the risk that is under
consideration.
RISK MANAGEMENT
In 2002, the National Infrastructure Protection Center defined
risk management as the:
Systematic and analytical process by which an organization
identifies, reduces, and
controls its potential risks and losses. This process allows
organizations to determine
the magnitude and effect of the potential loss, the likelihood of
such a loss actually
19. happening, and counter-measures that could lower the
probability or magnitude of
loss ... countermeasures should be identified and evaluated to
select those which
offer an optimal trade-off between risk reduction and cost.18
The term risk management is often (and incorrectly) used
interchangeably with risk assessment,
but the terms are not synonymous. Risk management is the
administrative process designed to
manage an organization’s exposure to risk to an acceptable
level. From a military perspective, it
is often useful to consider two aspects of risk: risk to mission
and risk to forces. Risk
assessment is a component part of risk management that
describes the process used to identify
and prioritize the risks that confront an organization. Risk
management is comprised of four
basic phases: assessing risk, deciding how to control the risk,
implementing risk control
6
measures, and measuring risk control effectiveness. According
to Shortreed, et al., in
20. Benchmark Framework for Risk Management:
The objective of risk management is to ensure that significant
risks are identified and
that appropriate action is taken to manage these risks to the
extent that is reasonably
achievable [emphasis added]. Appropriate actions are
determined based on a
balance between: risk treatment (or control) strategies; their
effectiveness and cost;
and the needs, issues and concerns of stakeholders.19
Implicit in the statement above is recognition of a critical point:
in all risk management
decisions, risk can only be minimized, but it can never be
eliminated. The reason is quite
simple, risk is comprised in part by uncertainty and while we
can reduce uncertainty, we can
never completely do away with it. Risk itself cannot be
managed, only the operations and
decisions that respond to the perceived risk can be managed.20
RISK FRAMEWORK – SEVEN WAYS TO DEAL WITH RISK
21. Once an organization has completed its risk assessment, it must
decide how best to control the
risk that comes with a choice to either proceed with an activity
that holds the possibility of
causing desired effects or to forego such activity. Often we
have a choice to engage in risky
behavior, but it’s also important to note that some risks are
unavoidable (weather or other natural
disasters like earthquakes). Responses to risk can be divided
into four basic approaches:21
Avoid: Some risks may only be treated or contained to
acceptable levels by terminating
the intended operations or activity. A military operation whose
potential benefits or gains
do not outweigh the potential negative consequences of failing
should be terminated or
cancelled.
Transfer: For some risks, the best response may be to transfer
wholly or partly the
activity to another organization that has the capacity to better
handle the risk and
uncertainty. An infrastructure reconstruction project might
better be transferred to a
22. civilian contractor rather than assigned to a military
construction battalion that has
capability but marginal expertise. That said, one should
proceed with caution when
attempting to transfer any kind of risk because in most cases,
responsibility and
accountability for the results will likely remain with the
original organization.
Tolerate: At times an organization’s ability to do anything
about some risks may be
limited, or the cost to mitigate negative consequences may be
disproportionate to the
potential benefit gained. In this circumstance, the only course
of action may be to endure
the potential negative consequences of the decision. In large
scale military operations,
casualties are inevitable, sometimes even extensive, but often
the operational or strategic
goals are so important that casualties must be endured.
Assume and Control: When the decision is made to pursue a
course of action that is
inherently risky, steps are usually taken to mitigate as much as
possible any negative
23. consequences that may result from that action. Such steps are
not taken necessarily to
eliminate the risk, but to contain or limit the negative
consequences to a tolerable level.
Said another way, the purpose of this category of control is to
contain the potentially
7
harmful effects of risk rather than to eliminate it. Controls can
be classified in one of
four ways:22
• Redundancies: These controls are designed to ensure that a
particularly important
outcome is achieved or an intolerable event is avoided. The
opposite of this is putting
all of one’s eggs in a single basket. Generally this consists of
backup plans and
redundant systems. However, it can also include elements of
hedging and
diversifying. Hedging is putting into place safeguards to
protect against undesired
outcomes. For example, one way to hedge against the possible
negative
24. consequences with building a lighter, smaller conventional
force is to maintain a
nuclear strategic capability to assure a country’s national
survival. Another
redundancy approach to limit risk is by diversifying. Using the
example of a nuclear
strategic capability, the United States uses three different
weapon delivery systems
(land-based missiles, sea-based missiles and bombers) to
complicate an adversary’s
defense mechanisms.
• Directive Controls: These controls are designed to limit the
possibility of an
undesirable outcome from occurring. Procedures designed to
prevent mishaps in
organizations belong in this category. Examples include
prohibition against the entry
of cargo or individuals coming from a particular country or port
of origin that does
not have sufficient controls in place to assure the security of
follow-on ports of entry.
• Detective Controls: These controls are designed to identify
instances of undesirable
outcomes occurring. Detective controls are, by definition,
“after the fact” and only
25. appropriate when it is possible to bear the negative
consequences incurred. Examples
include monitoring devices in ports of entry to detect the
presence of WMD or
passport control systems to detect attempted entry by illegal
immigrants or unwanted
visitors.
• Corrective Controls: These controls are designed to correct
the undesirable outcomes
which have occurred. They describe the planned response to any
loss or damage that
result from the organization’s actions. An example of these
controls includes the
response of local, state and federal officials to contain or limit
the effects of a WMD
device or the effects of a particularly virulent and widespread
disease or pandemic.
Since every control action has an associated cost, the benefits of
control must be judged
against those costs. Seldom, if ever, is it possible to afford all
the controls that could
limit or contain the risk involved in a situation. Hence, the risk
practitioner must choose
a balance between implementing controls (e.g., redundancies,
26. directive controls, detective
controls, and corrective controls) and doing nothing (i.e., avoid,
transfer, and tolerate).
LIMITS TO PLANNING FOR AND MANAGING RISK
While everyone generally recognizes that things rarely ever turn
out exactly as expected, there is
a natural tendency to expect that they will. While most leaders
and managers assume they are
proficient in handling risk and uncertainty, they probably are
not as good at risk management as
they think they are.23 There are several possible reasons for
this:
8
• Overly narrow or misguided perceptions of what might happen
in the future;
• Insufficient relevant knowledge and/or poor situational
awareness;
• Pressure from stakeholders to ignore or assume away critical
uncertainty; and
27. • Lack of a systemic and logical framework to collect and
process all relevant information
that influences perception of the inherent uncertainties and
risks.24
Risk practitioners must take care to guard against cognitive
errors that cloud or bias their
judgments about risk and uncertainty. People are prone to error
when estimating probabilities
and/or thinking about future events for a number of reasons:25
• Wishful thinking. Estimates of particular outcomes may
reflect personal preferences
concerning those outcomes. Sometimes those responsible for
planning and executing an
operation are more optimistic than uninvolved individuals.
• Selective perception. People may not include all the factors
that matter when estimating
subjective probability.
• Experiential bias. When considering a risky situation,
knowledge about similar previous
events may lead people to prejudice their perception of risk in
the current situation even
though the circumstances may be completely different.
• Framing effects. The way people define the issue or problem
28. usually influences their
estimation of the probability of either a beneficial or harmful
outcome occurring.
• Overconfidence. People often overrate their ability to
estimate the probability of future
events. Research has shown that individuals are not as good at
making predictions as
they think they are.
• Confirming evidential bias. People sometimes have a
preferred outcome at a
subconscious level, before they decide how they will justify
their choice. In such cases,
their biases affect the kinds of evidence they search for, and
how they interpret the
evidence they find.26
While the issues raised above seem pretty straightforward,
“recognizing that we are prone to bias
and errors of reasoning is one thing, but knowing what to do
about it is quite another ... The
problem is that we don’t typically know when we’re making a
mistake until afterwards, and
sometimes not even then. Even bad decisions can feel right.”27
As noted above, the reasons for
29. our mistakes are myriad, if for no other reason than we truly
believe we are acting as rationally
and objectively as possible. The danger, however, lies in the
fact that,
... it is extremely difficult to unlearn habits of thought and
action that have been built
up over a longer time. ... Our previous experience ‘got us here;’
on the other hand,
we generally have very little insight into how we got here or
what we have missed
out on in the process. ... We don’t know what we don’t know,
and find it difficult to
imagine how things could be otherwise than as they appear to
us.28
9
MORAL AND ETHICAL ISSUES
Individual or collective choices that involve risk pose potential
harm to others. As a
consequence, they are irrevocably influenced by the moral
30. values and ethical characteristics of
the organization and the individuals who make such decisions.
Moral and ethical considerations
are rarely black or white, but encompass many shades of gray
based on the perceptions of all
involved in risk decisions. As such, there are no absolutes or
hard guidelines or checklists to
guide a leader faced with difficult choices. Hence, decision
makers might do well to reflect on
the following:
• How will the consequences affect various individuals or
groups;
• How perceptions of the likelihood or the consequences of a
threat will likely vary among
those affected;
• When the consequences will likely occur (in the near-term or
distant future);
• Where the consequences of a decision will be felt (outside as
well as inside the
organization); and
• The likelihood that there will be a wide range of opinion about
what is morally or
ethically just.29
31. In the final analysis, the decision maker must be able to answer
a basic question: “What factors
define what should be done to assure the well-being of the
organization and the individuals who
are a part of that organization?” Further: “What are our
obligations to those outside the
organization who will be affected by our choices?” Such
judgments are wholly enveloped by
individually and collectively held values that influence our
perceptions of a situation.30
COMMUNICATING RISK
This article has concentrated on the issues that inform the risk
management process and dealing
with uncertainty and the complex nature of risk. Decision
makers must be ready to explain their
choices, given the risks involved, to key stakeholders including
the public. Felix Kloman, noted
author of several articles on risk management observed: “Few
organizations take the time to
reduce what they know ─ and what they do not know ─ about
risk, its organizational
implications, and its responses into terms understandable to
stakeholders.”31 He further and
32. strongly asserts that organizational leaders have a basic
responsibility to simplify our
descriptions of risk in ways that most people can understand.
To assure the public trust, he
notes: “It is essential to communicate to stakeholders our
understanding of risks, their
interactions and our planned responses. When we obfuscate
definitions with jargon and
convoluted prose, we lose the audience we must reach.”32
CONCLUSION
Uncertainty and risk are the constant companions of all leaders.
As organizations and their
competitive environments expand in scope and complexity, the
uncertainty and the risk inherent
in those surroundings will correspondingly increase. Leaders
must provide their followers as
10
much clarity about the future as possible (within the constraints
and limitations posed by the
basic unknowable nature of the future) and offer guidance that
33. bounds where and how much risk
will be tolerated, and gives guidance about how to manage or
control the risk assumed. To do
that well, requires the astute risk practitioner to have a good
understanding of the complexity
inherent in any decision about risk and uncertainty.
ENDNOTES
1 J. Richard Eiser, “Public Perception of Risk,” report prepared
for the British Government Foresight Office of
Science and Technology, July 2004, 2, available online at
<http://www.foresight.gov.uk/Intelligent
%20Infrastructure%20Systems/Reports%20and%20Publications/
Public%20Perception%20of%20Risk/long_paper.p
df> [accessed 4 December 2005].
2 Ibid, 4.
3 Definition provided by he International Standards
Organization (ISO).
4 FM 100-14 Risk Management, Headquarters, Department of
the Army, (Washington D.C.: U.S. Government
Printing Office, 1998), 1-1.
5 Richmond M. Lloyd, “Strategy and Force Planning
Framework,” Strategy and Force Planning, 3rd ed., eds. Lloyd
et.al., (Newport, RI.: Naval War College, 2000), 13.
6 Jan Emblemsvag and Lars Endre Kjolstad, “Strategic Risk
Analysis – A Field Version,” Management Decision,
34. 40/9 (2002), 843, available online at
<http://www.dnv.com/binaries/StrategicRiskAnalyses_tcm4-
10751.pdf>
[accessed 3 December 2005].
7 Jean Hartley, “Leading and Managing Uncertainty of Strategic
Change,” Chapter 8, Managing Strategy
Implementation, 109-121, eds. Tony Dromgoole, Patrick Flood,
Liam Gorman, and Stephen Carroll, (Oxford:
Blackwell Publishing, 2000). 110-111.
8 For a greater understanding of vague or ambiguous
uncertainty the reader is encouraged to refer to the work of
Daniel C. Molder and E. Tory Higgins in “Categorization Under
Uncertainty: Resolving Vagueness and Ambiguity
With Eager Versus Vigilant Strategies,” Social Cognition, Vol.
22:2, 2004, 248-277 available online at
<http://www.psych.northwestern.edu/~molden/documents/RFCat
egorize_SC04.pdf> [accessed 5 December 2005].
9 Eiser, 58.
10 Sim B. Sitkin and Luarie R. Weingart, “Determinants of
Risky Decision-Making Behavior: A Test of the
Mediating Role of Risk Perceptions and Propensity,” Academy
of Management Journal, 38:6 (December 1995):
1573-1575.
11 Sitken and Wiengart.
12 Eiser, 5.
13 Walters, Lawrence C., Peter J. Balint, Anand Desai, and
Ronald E. Stewart, “Risk and Uncertainty in
35. Management of the Sierra Nevada National Forests,” a Report
submitted to Jack Blackwell, Regional Forester
USDA Forest Service, Pacific Southwest Region, 6-7, Available
online at: <http://classweb.gmu.edu/
pbalint/Final%20report.pdf> [accessed 7 December 2005].
14 Adapted from Walters, et.al.
15 Ibid, 7-9..
16 Ibid.
17 Eiser, 3.
18 National Infrastructure Protection Center, “Risk
Management: An Essential Guide to Protecting Critical Assets,”
November 2002. Available online at
<http://www.psaudit.com/images/images_updated/
white_paper.pdf>
[accessed 5 December 2005].
19 J.H. Shortreed, L. Craig, and S. McColl, “Benchmark
Framework for Risk Management,” Network for
Environmental Risk Assessment and Management, available on
line at <http://www.irr-neram.ca/pdf_files/
Benchmark2001.pdf,> [accessed 3 December 2005].
20 McNamee, David, “The New Risk Management,” Mc2
Management Control Concepts. Available online at
<http://www.mc2consulting.com/riskart5.htm> [accessed 4
December 2005].
21 Department of Defense, Defense Acquisition University,
Risk Management Guide For DOD Acquisition,
February 2001, available online at
36. <http://www.dau.mil/pubs/gdbks/RMG%20June%2003.pdf>
[accessed 13 June
2005].
11
22 British Government, Management of Risk-A Strategic
Overview, Her Majesty’s Treasury Department, January
2001, available online at: <http://www.hm-
treasury.gov.uk/media/EC612/orange-book.pdf> [accessed 13
June
2005].
23 Matthew Leitch, “Risk Management – The Basics,” 18 March
2003. Available online at
<http://homepage.ntlworld.com/ m.leitch1/mluck/basics/>
[accessed 31 December 2003].
24 Ibid.
25 For a more detailed discussion of errors mentioned in the
text, and related errors, see Max Bazerman, Judgment in
Managerial Decision Making, 4th Edition. (New York: John
Wiley & Sons, 1998). See also Hammond, Keeney and
Raiffa, Smart Choices, (New York: Broadway Books, 1999),
189-216.
26 Hammond et al., 1999.
27 Eiser, 35.
37. 28 Ibid.
29 Douglas R May, Timothy D. Hodges, Adrian Y.L.Chan, and
Bruce Avolio, “Developing the Moral Component of
Authentic Leadership,” Organizational Dynamics, 32:3, 2003,
251.
30 Ibid.
31 Kloman, Felix, “Four Cubed,” Risk Management, September
2001, 23-24.
32 Ibid.