Every year, the Chairman of the Joint Chiefs of Staff completes a risk assessment of the nation's military strategy, called the Chairman's risk assessment (CRA), and sends it to the Secretary of Defense, who then submits it to Congress and the President. While the CRA has improved steadily since its inception in 2001, particularly in terms of risk assessment, the risk mangement component still has not reached its full potential. Due to the tension between military and civilian leadership, however, such improvement will continue to be difficult to achieve.
The ultimate responsibility for U.S. strategic decision-making rests in the hands of civilian political leadership rather than professional military officers. The President defines the vital national interests and broad policy goals while the military protects these interests and executes these goals. To help accomplish this objective, the Chairman of the Joint Chiefs of Staff is required by U.S. Code to submit a risk assessment of the national military strategy to the Secretary of Defense.
Based of the Chairman's determinations, the Secretary of Defense may then be required to submit a risk mitigation plan to accompany the report to Congress. Unfortunately, the interplay between military determinations on risk and mitigation strategies developed by civilian leadership tends to marginalize the eventual risk assessment outcome.
The Civilian/Military Disconnect
For the U.S. Armed Forces, the concept of risk specifically addresses different probabilities: threat (the probability that a specific target is attacked), vulnerability (the probability that damages occur, given a specific threat at a specific time) and consequence (the expected magnitude of damage). For the purposes of the CRA, risk is neither good nor bad, but a necessary measure of uncertainty in any action or opportunity.
Meanwhile, the Department of Defense defines risk management as "the process of identifying, assessing and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits." Shifting ground forces from Iraq to Afghanistan, for example, is a type of risk management--the Afghanistan theater of operation was assessed to be riskier than the Iraq theater, therefore the risk was balanced out by shifting forces from one to the other.
Difficulties can arise, however, because civilian and military leadership think differently about threat and vulnerability. The civilian leadership tends to see threat as the actual scenario that a specific Operation Plan (OPLAN) was designed to combat and vulnerability as the probability of the scenario actually occurring. Paradoxically, military leadership tends to define threat as the OPLAN requirement and vulnerability as any resourcing shortfalls to accomplish the mission. The differing definitions of vulnerability is a critical disconnect in the CRA and one of the contributing factors to why process improvements will not automatically lead to better risk management. Threat, vulnerability and consequence are not independent; they are in fact correlated, and this makes it difficult to determine how each variable affects the overall risk assessment.
It is unlikely that civilian and military leadership will overcome their disagreement on the basic definitions of threat and vulnerability. But without this agreement it will be difficult to link vulnerability to resources (i.e., Congressional funding). Increased funding does not directly translate to reduced risk, however. As stated earlier, risk is an accumulation of probabilities and is very uncertain; managing that uncertainty is messy business. It is impossible to draw a straight line between identified risks, management priorities and Congressional funding--too many uncertainties exist. So while the military does an excellent job of identifying the risks, it is not able to accurately translate the risks into prioritized requirements that Congress should fund. …