
RISK MANAGEMENT IN DEFENSE ESTABLISHMENTS
Asim Qayyum, Dr Zahoor Sarwar
INTRODUCTION
Insurance, which started 3900 years ago in Mesopotamia, is one of the oldest strategies for dealing with risks. In 1950 B.C., the Code of Hammurabi formalized bottomry contracts containing a risk premium for the chance of loss of ships and cargo. By 750 B.C., Greeks also practiced bottomry. In 1583, the first life insurance policy was issued in England. In contemporary society, insurance has developed to deal with a wide variety of phenomena associated with adverse effects, from health insurance to mortgage insurance.[1]
Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.[2]
To ensure sustainable profitability and development in a challenging environment, defence organizations must have a thorough knowledge and understanding of the risks that they face. This should be supplemented by a comprehensive strategy to manage those risks. The purpose is protection of the industry which supplements the defence of the country, but there can be an upside too. As uncertainty and change often lead to new openings and markets, the monitoring of risk can also unveil new prospects that prepared organizations can exploit for competitive benefit.

[1] Fundamentals of Risk Analysis and Risk Management, edited by Vlasta Molak.
[2] A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, published by The Association of Insurance and Risk Managers.
The depth, scope and scale of events the defense establishments take on every day are unequalled. From engaging forces in operations, to providing Military Operations Other than War (MOOTW) such as education, health care and housing for civilian people, to researching, developing, testing and fielding new technologies, these organizations have a unique set of responsibilities. A dynamic security environment requires defense setups to be supple and shrinks the value of formulaic risk assessments. The challenges associated with measuring risk and performance relegate quantitative metrics to an important but supporting role in any defense risk assessment.
Donald Rumsfeld, who served as the 13th Secretary of Defense from 1975 to 1977 under President Gerald Ford and as the 21st Secretary of Defense from 2001 to 2006 under President George W. Bush, explained risk management in a very interesting way:

There are known knowns. Things we know we know.
There are known unknowns. We know that we don't know (e.g. Y2K).
There are unknown unknowns. We don't know we don't know (e.g. 9/11). These are usually the difficult matters.
Risk Management Categories
A Nobel Laureate economist, Dr. Friedrich Hayek, expressed the dangers of applying science that dealt with essentially complex phenomena (such as risk analysis or economics) to sweeping policy decisions (Hayek 1991). His assessment of economics could be translated into a cautionary note on risk analysis: there is as much reason to be apprehensive about long-run dangers created in a much wider field by the uncritical acceptance of assertions which have the appearance of being scientific.

Risk may have positive or negative outcomes, or may simply result in uncertainty. Therefore, risks may be considered to be related to an opportunity, a loss, or the presence of uncertainty for an organization. Every risk has its own characteristics that require particular management or analysis. In Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management by Paul Hopkin, and in the Guide 73 definition, risks are divided into three categories:[3]
- Hazard (or pure) risks.
- Control (or uncertainty) risks.
- Opportunity (or speculative) risks.

Almost all segments of the defense industry have suffered costly failures in their development programs in recent years. Causes include scheduling delays, shortages of skilled labor, systems integration issues, management errors and increased materials costs. In addition, firms face a future of reduced defense budgets and pressure to reduce maintenance and inventory costs.[4] Some of the risk management categories which are offshoots of the above-mentioned three categories are short-listed after going through different risk-related publications and research papers. These are presented in tabular form for better understanding:[5]

Name of Risk
Scope of Risk: Qualitative description of the events, their size, type, number and dependencies.
Nature of Risk: e.g. strategic, operational, financial, knowledge or compliance.
Stakeholders: Stakeholders and their expectations.
Quantification of Risk: Significance and probability.
Risk Tolerance/Appetite: Loss potential and financial impact of risk; value at risk; probability and size of potential losses/gains; objective(s) for control of the risk and desired level of performance.
Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; levels of confidence in existing control; identification of protocols for monitoring and review.
Potential Action to Improve: Recommendations to reduce risk.
Strategy Policy Developments: Identification of the function responsible for developing strategy and policy.

As a principle, one should respect the right of countries to produce and use legitimate means for self-defense and to preserve internal and, if need be, international peace and security. However, the importance of the risks in the defence industry and the impacts associated with these activities must be understood in totality. Some of the salient points in this regard are as under:
- Arms are a key factor in facilitating, prolonging and intensifying armed conflicts.
- The misuse of arms contributes to violations of people's economic, social and civil rights and international humanitarian law, and hinders development.
- The proliferation of small arms plays a role in facilitating and intensifying terrorism and organised crime.
- Arms trading may often be closely linked to the payment of bribes, fuelling corruption.

[3] Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, by Paul Hopkin.
[4] Enterprise Risk Management for the Aerospace and Defense Industry, published by Thomson Reuters Accelus.
[5] A Risk Management Standard, published by The Institute of Risk Management.

Establishment of Risk and its Management
In order to evaluate risk and its management, the following key factors should always be kept in mind:
- A comprehensive, structured, strategic risk management policy, framework and culture should be implemented using a top-down and incremental approach.
- Identifying, analyzing and understanding each of the material risks at all levels of the institution.
- Ensuring that appropriate strategies, policies and effective operating controls are in place.
- The ability to provide reliable and meaningful information to the board and senior management.
- Ensuring that there is adequate oversight of the risk profile supported by the senior management framework, and that the institution has a proactive risk culture.

Risk Management Standards
The combination of risk management processes, together with a description of the framework in place for supporting the process, constitutes a risk management standard. There are several risk management standards in existence, including the IRM Standard and the recently published British Standard BS 31100. There is also the American COSO ERM framework. The latest addition to the available risk management standards is the international standard ISO 31000, published in 2009. The well-established and respected Australian Standard AS 4360 (2004) was withdrawn in 2009 in favour of ISO 31000. AS 4360 was first published in 1995, and ISO 31000 includes many of its features and offers a similar approach to that previously described in AS 4360.[6]

ISO 31000 describes the components of a risk management implementation framework. Figure 1 provides a simplified version of this implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is mandate and commitment by the Board, and this is followed by:
- Design of framework.
- Implement risk management.
- Monitor and review framework.
- Improve framework.

BS 31100 also proposes a version of the risk management process, and this is also presented as a continuous cycle of activities represented by the following five stages:
- Identify.
- Assess.
- Respond.
- Report.
- Review.

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. Any organisation has to describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation. The risk architecture sets out the roles and responsibilities of the individuals and committees that support the risk management process. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.[7]

[6] Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, by Paul Hopkin.
Risk management operates on a set of principles, and there have been several attempts to define these principles. British Standard BS 31100 sets out 11 risk management principles, and the international standard ISO 31000 also includes a detailed list of the suggested principles of risk management. The following list is a consolidated version of these documents. It is suggested that a successful risk management initiative will be:[8]
- Proportionate to the level of risk within the organization;
- Aligned with other business activities;
- Comprehensive, systematic and structured;
- Embedded within business processes;
- Dynamic, iterative and responsive to change.
This provides the acronym PACED and provides a very good set of principles that are the foundations of a successful approach to risk management within any organization.

[Fig1. Framework for managing risk (based on ISO 31000). Figure labels: Mandate and Commitment; Design of Framework (Organisation and its context; Risk management policy; Embedding risk management); Implement Risk Management (Implement framework; Implement RM process); Monitor and Review Framework; Improve Framework]

An Enterprise Risk Management (ERM) version of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework was produced in 2004, and this has both risk management and internal control within scope. The COSO ERM cube is a very influential risk management framework and it consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process.[9]

[Fig2. COSO ERM Framework and Cube diagram]

The approach adopted by the Canadian Criteria of Control (CoCo) framework produced by the Canadian Institute of Chartered Accountants is based on the idea that the risk culture of the organization is the most important consideration. If the risk culture is correct, then the successful management of risks should follow.

[7] A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, published by The Association of Insurance and Risk Managers.
[8] Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, by Paul Hopkin.
[9] Enterprise Risk Management Integrated Framework, published by COSO in 2004.
Proposed Defence Risk Management Framework
The proposed Framework of Risk Management (FRM) in Defence Establishments can have the following four stages:

[Fig3. Four Tiers of FRM in defence establishments. Figure labels: First Tier, Departmental Evaluation Vanguard; Second Tier, Enquiry Committee Adv Guard]

First Tier: Departmental Evaluation Vanguard
The first-tier risk barrier in defence establishments is the front-line employees, who must understand their roles and responsibilities with regard to processing transactions and who must follow a systematic risk process. The first tier of the FRM is the business operators which perform day-to-day risk management activity. The Vanguard has the responsibility to identify and assess risks and to ensure that the control activities and other responses that treat risk are enforced and monitored for compliance.[10] The information that line management should report to the Main Guard (Business Units Risk Management Committee) to enable it to achieve this objective includes:
- Incidents and breakages (including historical/trend analysis/statistics, status of mitigation actions and lessons learned).

Second Tier: Enquiry Committee Adv Guard
Generally, it is the middle managers of an agency who are responsible for aligning the strategic objectives with the agency's operations in order to achieve outcomes. The strategic plans developed at this level outline what each business unit must do to achieve their outcomes. These managers are involved in development of the criteria against which risk is evaluated. The managers at this level usually evaluate the interests of the stakeholders and the objectives of the organisation. The criteria under evaluation by these people are operational, technical, financial, social, environmental, legal, humanitarian, etc. Here they also define the acceptable level for each risk.

[Fig3. Comparison between risk management process from ISO 31000 and proposed Three Stage Top Down Evaluation Paradigm Model for defence. Panel titles: Proposed Roles of Different Lvls; Departmental Evaluation; Evaluation Paradigm; Stage II Enquiry Paradigm]

[10] Standards Australia/Standards New Zealand Standard Committee, AS/NZS ISO 31000:2009, Risk Management - Principles and Guidelines, August 2010.
[Figure labels (comparison diagram). Left panel, ISO 31000 process: 1 Establishing the context; 2 Risk Assessment (Risk identification; Risk analysis; Risk evaluation); 4 Communication and Consult; Assessment Department. Right panel, proposed model: Evaluation Paradigm (Worker Level Monitoring / Stagewise Evaluation / Result Oriented Incentives; Departmental Risk Analysis; Incentive Evaluation); Stage II Enquiry Paradigm (Cause Evaluation; Solution Option and Analysis); Stage III Assessment Paradigm (Risk Appetite; Mathematical Modelling; Comparative Analysis; Risk Estimation; Policy Drafting; Proposed Framework; Audit Recommendations); Stage IV Management Paradigm (Financial Decision; Policy Finalization; Risk Management Board; Audit Decisions; Framework Approval; Futuristic Evaluation)]

- Risk management should be integrated into all planning, approval, review and implementation processes, at all levels, to ensure that risk is one of the major considerations in decision making.
- When a risk assessment must be undertaken, namely when an initiative is proposed or there is a major change to the way functions or activities are undertaken.
- Risks that must be brought to the attention of the Secretary and CEO.
- Key risk terms that Defence is to use to help facilitate clear risk discussions across Groups and Services; and
- Responsibilities for the implementation of the framework, including specific responsibilities for supervisors (clerks, project managers and contract managers).
The directive does not mandate a specific approach for risk management in Defence. This is because a key element of successful risk management is to ensure it is tailored to your business objectives and context. Due to Defence's wide variety of functions, the Secretary and CDF have decided not to implement a one-size-fits-all approach.
