Operational Risk Management

CAP Approach
- Top-down leader backing
- Decentralized implementation
- Moderate implementation tempo
- Safety lead role for cross-functional implementation

CAP ORM Vision
“Create a Civil Air Patrol in which all personnel manage risk such that all operations are successfully completed at the least possible cost.”

CAP ORM Mission
“Enhance mission effectiveness at all levels while minimizing risk.”

The CAP ORM Concept
- All are responsible for using ORM.
- Risk is inherent in all operations.
- Risk can be controlled.

The Compliance Culture
- My job is to comply with the standard.
- I am told what the standard is. If I am not told, I don’t usually act.
- When I am given a standard, the standard is my objective.
- When I meet a standard, that’s it.

The Performance Culture
- My job is to optimize risk - to perform.
- I’m given a standard, but that is only a baseline. I use ORM to exceed it.
- Standards are only a start point.
- Meeting a standard means little. I continuously improve.

ORM Principles
- Accept no unnecessary risks.
- Make risk decisions at the appropriate level.
- Accept risks when benefits outweigh costs.
- Integrate ORM into doctrine and planning at all levels.

Accept no unnecessary risk
- What are the three main reasons that “unnecessary risks” are sometimes taken?
- How can the taking of unnecessary risks be minimized?
- Corollary is “Accept Necessary Risk”.

Three reasons for taking unnecessary risks
- #1 - Not aware of the risk.
- #2 - An incorrect assessment of cost versus benefit.
- #3 - Interpreting “bold risk taking” to mean gambling.

Procedures for minimizing the taking of unnecessary risk
- Improve hazard detection procedures and awareness of risks.
- Improve risk decision making skills at all levels of the organization.
- Train personnel at all levels regarding the risk management “credo”: not “Mission accomplishment at any cost”, but “Mission accomplishment at the least cost.”

Make risk decision at the appropriate level
- What is the “appropriate” level?
- How do field leaders know if they are the appropriate level?
- Is the appropriate level a constant or does it change?

Finding the appropriate level
- Who will answer in the event of an accident?
- Who is the senior person at the operational scene?
- Who possesses best insight into the full benefits and costs of a risk?
- Who has the resources to mitigate the risk?
- What level makes the most operational sense?
- What level makes these types of decisions in other operational activities?

THE MAKING OF IMPORTANT RISK DECISIONS SHOULD BE PREPLANNED WHENEVER POSSIBLE

ACCEPT RISKS WHEN BENEFITS OUTWEIGH COSTS
What happens when organizations stop taking risks?
- It becomes “bureaucratized”.
  WEBSTER: “BUREAUCRACY: A system of administration characterized by lack of initiative and flexibility, by indifference to human needs or public opinion, and by a tendency to defer decisions to superiors or to impede action with red tape.”
- It loses its competitive position.
- Innovation is minimized.
- It becomes reactive to events.
- Morale and esprit decline.

The ORM 6 - Step Process
1. Identify the Hazards
2. Assess the Risks
3. Analyze Risk Control Measures
4. Make Control Decisions
5. Risk Control Implementation
6. Supervise and Review

Using the ORM process
- Apply the steps in sequence.
- Maintain balance in the process.
- Apply the process as a cycle.
- Involve people fully.

STEP 1 “HAZARD ID”
Hazard: Any real or potential condition that can cause mission degradation, injury, illness, or death to personnel or damage to or loss of equipment or property.

MISSION TASK ANALYSIS
Action 1
- What is at risk?
- Focus on the critical components of the mission. They will be primary targets for Hazard ID.

OVERALL MISSION

USING AN OPERATIONS FLOW OR TIMELINE TO IDENTIFY HAZARDS
- Watch for issues between phases, at the interfaces.
OPERATION ALPHA
PHASES:      START  1  2  3  4  5   6  FINISH
RISK LEVELS:        H  L  H  M  EH  M

FINDING THE IMPORTANT TARGETS
- Review the mission statement.
- Focus on key capabilities and the associated equipment.
- Look at past patterns of mishaps to detect high impact issues.
- Ask operational personnel what is important.
- Use the timeline.

LIST HAZARDS
Action 2
- Sources of Information
- The 7 Primary Hazard ID Tools

BASIC SOURCES
There are three basic sources:
- Experts and References
- Traditional Techniques (Inspections, Mishap Reports, Interviews, Audits)
- Hazard Analysis Tools

SOURCES AT UNIT
- Unit personnel
- A lessons learned database or file
- A safety survey and/or fire inspection hazard inventory
- An inventory of hazardous materials with locations
- Mishap reports and Annual Mishap Analyses

PRIMARY HAZARD IDENTIFICATION TOOLS
- Operations Analysis
- Preliminary Hazard Analysis
- What If Tool
- Scenario Process Tool
- Logic Diagrams
- Change Analysis
- Cause and Effect Tool
(See tutorial or AFPAM91-215 for more detail)

LIST CAUSES
Action 3
Use the 5M model to detect root (systemic) cause factors.
- Man root causes - Doesn’t know - Training, Doesn’t care - Motivation, Can’t do - Selection.
- Machine - Poor design, faulty maintenance, procedures.
- Media - Weak facility design, lack of provisions for natural phenomena.
- Management - Inadequate procedures, standards and controls.
- Mission - Poorly developed, weak understanding, incompatibilities.

RISK ASSESSMENT
The Process which associates “hazards” with “risks”.

ASSESS THE RISK
- Action 1: Assess hazard exposure
- Action 2: Assess hazard severity
- Action 3: Assess mission impact
- Action 4: Complete assessment

HAZARD VERSUS RISK
- HAZARD: A description of a condition that can impair mission accomplishment. No indication of its mission significance.
- RISK: A hazard for which we have estimated the severity, probability, and scope with which it can impact our mission.

EXPOSURE
Action 1
- Expressed in terms of time, proximity, volume, or repetition.

SEVERITY
Action 2
- What impact on mission?
- What impact on people?
- What impact on things (materiel, facilities, environment)?

SEVERITY CATEGORIES
- CATASTROPHIC - Complete mission failure, death, or loss of system
- CRITICAL - Major mission degradation, severe injury, occupational illness, or major system damage
- MODERATE - Minor mission degradation, injury, minor occupational illness, or minor system damage
- NEGLIGIBLE - Less than minor mission degradation, injury, occupational illness or minor system damage

PROBABILITY
Action 3
- Use the cumulative probability of all causation factors.
- Express in descriptive or quantitative terms.
- Use experience data when possible.
- Acknowledge uncertainty.

PROBABILITY CATEGORIES
- Frequent
- Likely
- Occasional
- Seldom
- Unlikely

THE RISK ASSESSMENT INDEX
(Matrix of severity against probability; each cell is assigned a risk level.)
- Probability: Frequent (A), Likely (B), Occasional (C), Seldom (D), Unlikely (E)
- Severity: Catastrophic (I), Critical (II), Moderate (III), Negligible (IV)
- Risk Levels: Extremely High, High, Medium, Low

ASSESSMENT PITFALLS
- Over-optimism
- Misrepresentation
- Alarmism
- Indiscrimination
- Prejudice
- Inaccuracy

THE RISK TOTEM POLE
(Figure: totem pole labeled from “Biggest hazard” to “Least hazard worthy of action”.)
By ranking the hazards, we can work them on a worst first basis. This is vital because risk control resources are always limited and should be directed at the big problems first to assure maximum bang for the buck.

THE TOTEM POLE DEMOCRACY MOVEMENT
In the fully mature ORM world, every individual benefits from the knowledge of the priority of hazards (totem pole) that exist in their life. A key obligation of leaders is to see that their subordinates possess this knowledge.
- Traditional RM - Personnel can’t name or prioritize hazards -- can only name generic hazards.
- ORM - Personnel can name and prioritize RISKS that impact them and their mission.

ANALYZE RISK CONTROL MEASURES
- Action 1: Identify control options
- Action 2: Determine control effects
- Action 3: Prioritize risk control measures

IDENTIFY CONTROL OPTIONS
Action 1
Tools Available:
– The Major Risk Control Options
– Risk Control Options Matrix

MAJOR CONTROL OPTIONS
- Reject
- Avoid
- Delay
- Transfer
- Spread
- Compensate
- Reduce

CONTROL OPTIONS MATRIX
- Engineer
- Guard
- Improve Task Design
- Limit Exposure
- Selection of Personnel
- Train and Educate
- Warn
- Motivate
- Reduce Effects
- Rehabilitate

DETERMINE CONTROL EFFECTS
Action 2
- What is the impact on probability?
- What is the impact on severity?
- What will the risk control cost?
- How will various risk control options work together?

CONSIDERATIONS IN CONTROL EFFECTS
- Some risk controls impede each other. Example: Security and Safety
- Some risk controls reinforce each other. Example: Training & Motivation
- When cost effective, use risk controls in depth.
- Be sure to evaluate the full costs.

PRIORITIZE RISK CONTROL MEASURES
Action 3
- Get operator input.
- Focus risk controls where they have maximum impact.
- Benchmark already existing risk controls.

MAKE CONTROL DECISIONS
- Action 1: Select Risk Controls
- Action 2: Make Risk Decision

SELECT RISK CONTROLS
Action 1

SOME IMPORTANT DECISION MAKING CONSIDERATIONS
- Make decisions at the right time.
- Make decisions at the right level.
- Always make the mission supportive risk decision.

WHEN IS THE RIGHT TIME?
AS LATE AS POSSIBLE. WHY?
- More time to improve ORM
- The need for the risk may go away
BUT NEVER TOO LATE
- Miss the operational train
- Radically increase costs.

WHAT IS THE RIGHT LEVEL?
- What are the operational realities?
- Who will take the heat if it goes bad?
- Who has the best grasp of the risk and the opportunity issues?
- Who would make the decision in combat?
- Who can commit the risk control resources?

A BASIC OBJECTIVE
Endeavor to push the average risk decision down the chain of command over time.
WHY? Because the detail and understanding of the implications of the decision increases the closer to the operator you get…IF THE LEADERS AT THE LOWER LEVELS HAVE GRASPED THE OVERALL IMPLICATIONS OF ORM.

MAKE RISK DECISIONS
Action 2
- ALWAYS GO FOR THE RISK WHEN TOTAL BENEFITS OUTWEIGH TOTAL COSTS
- ALWAYS REJECT THE RISK WHEN TOTAL COSTS OUTWEIGH TOTAL BENEFITS
- WHAT IS THE DIFFERENCE BETWEEN A BOLD, DECISIVE RISK AND A GAMBLE?

IMPLEMENT RISK CONTROLS
- Action 1: Make implementation clear
- Action 2: Establish accountability
- Action 3: Provide support

RISK CONTROLS MUST BE INTEGRATED
- Should be integrated fully within the plans, processes, and operations with which they are associated.
- Within the area in which they are integrated, risk controls should compete for resources and time based on their relative significance to the mission.
- Risk control should be compatible with the “system”.

WHY MUST RISK CONTROLS BE FULLY INTEGRATED?
- Integration forces balancing of mission needs.
- Integration captures more of the knowledge and experience of large numbers of operators.
- Integration reduces the number and diversity of references needed to do the job right.
- Integration eliminates redundancy and gaps between functions.
- Integration strengthens accountability.
- Integration (in plans, regulations, etc.) reduces costs and workloads.

MAKE IMPLEMENTATION CLEAR
Action 1
Factors to consider:
– Fully involve operational personnel.
– Frame the control within the organizational culture.
– Provide specific task-oriented guidance.
– Test it on small sample of the target audience.
– Coordinate as necessary.

ESTABLISH ACCOUNTABILITY
Action 2
Factors to consider:
– Use the power of command and leadership.
– Use the motivation model.
– Create meaningful, positive incentives.
– Assure accountability is vertically integrated.

PROVIDE SUPPORT
Action 3
Factors to consider:
– Avoid the common problems.
– Provide complete packages (clear, policy, job aids, decision tools, models, databases, training, motivation).
– Provide sustained feedback on results.

SUPERVISE AND REVIEW
- Action 1: Supervise
- Action 2: Review
- Action 3: Feedback

SUPERVISE
Action 1
Factors to consider:
– When properly integrated, supervision of risk controls is exactly the same as supervision of any leadership action.
A primary reason for integration of Operational Risk Management is so that risk controls are supervised just like any other leadership action.

REVIEW
Action 2
Factors to consider:
– Use rates and numbers when they have a sound statistical basis.
– Use direct measures of risk to supplement rates and numbers or when rates and numbers are not statistically valid.
– Systematically assess the results of the ORM process in De-briefs, lessons learned, etc. Was the benefit worth the cost?
– Adapt and reapply ORM as the mission unfolds.

DON’T USE RATES AND NUMBERS UNLESS
- You have an adequate exposure base.
- You have statistically significant changes.
- You make fair comparisons.
- You “peel” them back.

AUGMENT LEGITIMATE DATA WITH MEASURES OF RISK
- Critical behaviors
- Critical conditions
- Critical attitudes
- Critical skills and knowledge
- Critical programmatic elements
“Critical” means clearly connected to loss potential, i.e., high risk.

THE ORM CONTINUUM
- PLANNING: Deliberate ORM; Detailed Hazard ID; Integration. We try to get most ORM done here.
- OPERATIONS: Largely Time-critical; Change Analysis; Real Time; Highly Decentralized
- AFTER ACTION: Assess metrics; Deliberate ORM; Integration; Feedback to Planning

FEEDBACK
Action 3
Factors to consider:
– Cross talk regarding successes and failures.
– Feedback to leaders and other members.
– Input to established databases (lessons learned).
Tie back into Step 1 to continue.

Questions