Small Wars Journal

Using Risk Management to Solve Strategic Problems

Thu, 10/25/2012 - 5:30am

Risk Management, within the field of Project Management, provides a useful paradigm to understand, categorize and develop approaches to solve complex situations. This paradigm can be applied to institutional goals, such as the development and acquisition of superior technical capabilities. I believe it can be applied to National goals such as determining the right strategy for Afghanistan, and look forward to readers’ thoughts on this.   

The article briefly introduces the paradigm using examples from the world of engineering and acquisition, then brings it to topic of Afghanistan. The paradigms come from the work of David Hancock in his book Tame, Messy, and Wicked Risk Leadership. The reason behind the article is to expand the way we look at problems. Gerald Weinberg, an early thinker on systems engineering, once opined that finding the right analogy (in this case, the paradigm from risk management) can open doors to new and improved ways of approaching a situation.

Risks on a project represent unknowns. By analogy, this can be applied to the uncertainty in a system. Meaning, risks are those events or interactions for which we do not have a defined, known outcome. It is this uncertainty that makes deciding upon a solution challenging.

Risks can be classified into three categories, based on where the complexity, and therefore uncertainty, comes from in the system.

Tame risks are found in systems with relatively low levels of system complexity. Consider building a new bathroom.  There are a number of things that can go wrong, but we have a pretty clear handle on what they are and how they can be handled should they come up.  The potential outcomes of building the bathroom are not known at the start, we don’t know what will go wrong.  But, we can derive the range of outcomes and plan potential responses. Picking a solution and preparing for unknowns is a matter of getting people with the right skills, applying experience, and doing the work.

Messy risks are found in systems with relatively high levels of system complexity. These are systems where there is interdependency and a relationship among many elements, such as systems of systems, numerous sub-systems or multiple components that must all interoperate. Consider the challenge of designing a new airplane. We understand all the parts. We have an understanding of how all the parts should work together. But, we are not sure of all the things that good go wrong.  Luckily, engineering, mathematics and physics offer an extensive tool set for determining the range of potential outcomes and potential solutions. Risk can be reduced by “working the problem.” Picking a solution is a matter of getting people with highly specific skills and tools, applying experience and doing the work. Even though risks may be higher (and costlier), there is still a single set of solutions that analysts can determine and that rational decision makers can converge upon and agree to.

Wicked risks are found in systems with high levels of behavioral complexity. Wickedness introduces people into the equation. People do not act in predictable ways. There are countless motivations behind, and influences on human action, particularly in situations where the goals of various stakeholders are not aligned. Consider the challenges of contracting out salt supplies for a national military. The people who cook the food may have one opinion on which salt to use. The people who eat the food may have another opinion. The scientists who study soldier nutrition another.  The acquisition folks yet another opinion and the legislatures who apportion the money to buy the salt (and who may have a salt producer in their constituency) yet another. This is called a wicked problem.

The risks are difficult to quantify and a range of “right” solutions even harder to predict beforehand.  With Wicked risks, the range of solutions that could be selected may be divergent. That is, what works for one set of stakeholders may not work for others. The challenging part is, that in these kinds of situations, there’s got to be some level of buy-in from everyone for a solution to work.  The chef has to cook with the salt and the soldier’s going to eat that salt, and so on.   How that buy-in comes about, then, becomes the determining factor in predicting which solution gets implemented and likewise is the determining factor in reducing risk.  With Wicked risks, picking a solution and reducing risks is about leadership and using available power. It is about deciding who gets a seat at the table, finding out their top priorities and satisficing—finding what’s good enough for everyone, even if it is not optimal.

With wickedness, it is impossible to see everything that could go wrong and prepare for it using a model-based approach (using tools from engineering, mathematics or physics) and “working the problem.”  Since the complexity comes from people, we need to rely on, communicate with, and influence people to arrive at a stable solution.  

We are often faced with, Wicked Messes, a combination of messy and wicked risks. These are systems that have both a high degree of system complexity and behavioral complexity. Most significant policy challenges can be categorized as Wicked Messes. Take, for example, design, then production, procurement and fielding of a new airplane.  Or, perhaps, picking the right strategy for Afghanistan.

Applying it to Afghanistan, the following questions are raised: Who should get a seat at the table when deciding strategy, what are their top priorities, can we satisfice the right people, what communication mechanisms are in place and are the communication mechanisms effective?

The power of using this paradigm is that it expands our view on the variables that influence and affect a stable solution.  It also gives us a better understanding of which tools will work best, how they work and their limits.  With wickedness, stakeholder determination, communication and the exercise of available forms of authority are the most powerful tools. Understanding their interconnectedness can help enhance our ability to resolve wicked problems. 

About the Author(s)

Mark Phillips, PMP is a project management theorist and independent consultant in the defense industry with over 15 years experience managing leading edge technology projects. He has presented original research at conferences and webinars held by NDIA, PMI and the College of Performance Management. The opinions expressed are his own and do not reflect those of his clients or affiliated organizations. The examples used are purely for illustration and hypothetical. Any similarity with real programs is coincidental.



even the most optimum decision specific task contains a portion of the risk (or planned losses). Everything is determined by the end result, if it coincided with the goal


Tue, 10/30/2012 - 3:47am

In reply to by Mark Phillips

Mark, I did like your article. My point is simply this. The first thing that needs to be defined is the desired endstate... What do we hope to accomplish? The next item on the list should be the stratagy or tactics we believe will be the most successful or that we want to use in accomplishing the endstate. Third is risk management and mitagation. Now that we know what we want our endstate to be and how we want to conduct the operation, how can we reduce the risk?

Given an unlimited amount of time your method has real merit. Where I see the problem laying is not with your procribed method... But with the the strangle hold that risk aversion currently has on the majority of leaders.

According to US doctrine, we want to have 3 to 1 at least when conducting an attack. Because of this not too many commanders are going to send a rifle squad to attack a company. But could that squad do it? Yes, history is full of examples and our enemies have done it for a long time. Could that squad ever be success full in attacking a company? Yes they could. They would likely want to conduct an ambush or a series of ambushes in terrain favorable to them. They would need plenty of mines and demo. But could absolutely be done.

Why don't we? Because of the fear of taking some risk.

What I am trying to say is currently given the fear of risk aversion so much of the force is gripped with, by using risk management as you propose, I believe that what will happen is that whatever is found to be the least risky, will be the COA selected, regardless of whether it is the most likely to be sucessful... or not.

If you take out the crippling fear or risk we seem to have, then I REALLY think what you propose could be really good.

Mark Phillips

Sun, 10/28/2012 - 9:16pm

In reply to by Hammer999

I would agree that strategic decision making can be enhanced by taking into consideration risks other than those which are traditionally considered in a classic risk reduction approach.

To your point that some risk is a good thing: risk is inevitable. It pays to get it as close to right as we can.

Accurately identifying risks and determining which ones have the biggest impact on our chances of success, influence the strategies planned for and selected. Getting that right increases the likelihood of planning and executing a strategy that gets us to a desired, and sustainable, end-state.

Thanks for the input.


Sun, 10/28/2012 - 6:55am

I do not disagree that the author has shown value in this article. However the core problem with risk managment is the methodolgy and how it is applied. For the most part whatever COA is the least risky, becomes "the way", regardless of its chances for success. Combine this with unclear goals, political correctness, lib media etc. and you will soon find yourself in the "swamp of failure" mired down, because of risk aversion. I think the entire idea of risk managment, needs to be dumped. Instead we should use something like "risk identification and mitigation process". First clear goals and objectives are stated and defined. Then we apply our "Risk Identification and Mitagation process" to our plan, COA etc. In doing so we stick to the plan that we believe has the best chance for success, that gets us our desired end-state, perhaps uses the least amount of resouces, troops etc, in the least amount of time, while attempting to identify all the risks we can and resonably remove or mitiagate what risk we can. This is not to say that risk cannot render our plan a bad one and take us back to the drawing board, but current trends are we will go with whatever plan has the least amount of risk, regardless of the chances of success.

We have got to get back to starting with a plan we believe has the best chance for success and gets us to get to our desired end-state or darn close to it, while reducing what risks we can. And some risk is a good thing.

Outlaw 09

Sat, 10/27/2012 - 1:26am

Just a side comment---when one watches saw the staff operational planning process either at the operational or tactical levels--just how much time is built into the planning process focusing on the issue of risk management?

Risk management was always a core element in the military decision making process .

Risk management has become more or less a simple "check the blocks" drill and not one of truly analyzing the identified risk/risks and thus senior leaders have to a degree become risk adverse simply becuase they never really get a true staff risk analysis in our staff 2012 checklist mentality.

If one then focuses on risk analysis in MDMP one automatically focuses on risk during the Design process.

In order for Cmdrs to reverse the current risk adverse environment and move towards prudent risk as envisioned in Mission Command---I really do not care whether the process is copied from the civilian PM or we return to what we use to do well---just do something.

Next to the deep lack of trust and massive micromangement that one calls 2012 staff processes--being risk adverse is number three in the ranking of problems facing 2012 staffs at all levels.

Mark Phillips

Fri, 10/26/2012 - 12:24am

In reply to by rmihara

Thank you for your thoughful comment.

I would propose that the suggested approach expands what strategy can deliver to meet policy.

The project management based approach to risk management starts with planning (system design) but continues through execution and continual fine tuning. Rather than look at a desired end state and design towards the end-state, the proposed project management based approach focuses on the need to continually engage stakeholders in the process on an ongoing basis. The challenge comes in figuring out how to do that. It takes a specific type of leadership ("risk leadership" to use David Hancock's term) and an institutional context that allows it to occur. While "tame" and "messy" risks are quantitatively different levels of the same type of complexity, "wicked" risks are qualitatively different. The tools to work with these different types of risk follow from the source of the uncertainty. Strategic outcomes to wicked messes are not watchmaker end-states (one can't put all the pieces together, wind it up and let it run on its own). The strategic outcomes require continual involvement and the appplication of unpredictable tactics/facilitation techniques.

Wicked risks stem from the vagueries and unpredictability of human behavior. System design cannot accurately account for this element of uncertainty. It moves too much, as it were. Since it is based on human behavior, David Hancock focuses on a communication as a fundamental tool for arriving at and maintaining outcomes where wickedness exists. He calls it "talk therapy" and it relies on well known project management approaches to risk such as risk workshops and stakeholder management.

This has direct application to strategy. It broadens the range of elements that must be considered as part of potential outcomes. It does so by explicity recognizing and bringing in factors that affect the stability of a system that has a high degree of behavioral complexity. These factors include stakeholder identification, choices on the exercise of available authority and variables that impact communication.

In the current environment for Afghanistan, for example, there are constraints on using authority and power to maintain an outcome. We will not be exercising unlimited force (nor unlimited funds) for an unlimited period of time, as would be required to maintain a predictable outcome through authority alone. With authority constrainted, there is a greater range of individual action. Behavioral complexity increases and becomes a highly relevant factor when considering strategy.


I think there is a great deal of value in considering questions of strategy with the risk perspective you outline here. In its fundamentals, much of what you discuss in this article has entered into the ongoing discussion on strategy and some aspects of doctrine. Design method (Naveh) has been modified and then incorporated into U.S. operational doctrine to address this idea of complexity. Some scholars and military professionals (Paul van Riper, et al.) have advocated the use of a more systems-based approach to strategy.

I would suggest, however, that what you recommend is better suited for reconsidering how we approach national security policy rather than how we construct military strategy. It is not to say that understanding the different manifestations for risk in planning is irrelevant to strategy. It is only to say that the determination of national goals and the development of the means required to achieve those goals falls within the domain of policy. So, it is useful to ensure that strategists are well-versed in the theory of risk management for institutions, but it is to equip them as policy advisors, ensuring that policy does not ask what strategy cannot deliver.

Lastly, I think what Weinberg describes as being "tame" and "messy" would be better described as complicated problems. When the interactions can be modeled, albeit with great effort, to generate the same results with set inputs the complexity label no longer applies. Complex systems, by definition, do not reliably produce the same results with the same inputs because the interactions are dynamic.

This is good material for discussion, and I do believe that an understanding of this kind of theory would benefit strategists. I think you should consider reading through the work of the Project on National Security Reform (if you haven't already) and see if it addresses some of your recommendations.