A Lesson from the Army: Composite Risk Management for Corporations

A Lesson from the Army Composite Risk Management for Corporations

When it comes to risk management, the U.S. Army has plenty of lessons to offer.

With more than 1 million soldiers, plus support staff, spread across the U.S. and throughout the world, the sheer scale of risk management for the Army is mind-boggling. Add to that the number and variety of hazards that face the agency, and you start to understand why effective risk management is a top priority for Army leadership.

The CRM Approach

The U.S. Army uses what it calls composite risk management (CRM) as its primary decision-making process for identifying and managing all hazards that have the potential to “injure or kill personnel, damage or destroy equipment, or otherwise impact mission effectiveness.” According to the Army’s Composite Risk Management guide, these risks include factors such as mission complexity, enemy threat, physical obstacles such as mountains and water, weather, and soldier fatigue, among many others.  


Since the Army must plan for a huge number and variety of risks, the agency requires a risk management technique that is highly effective; after all, lives are at risk. At the same time, the CRM program cannot be overly complicated, since it needs to be easily referenced and utilized by thousands of people around the globe at any given time. Finally, it must be fairly streamlined so it can be applied to both tactical risk and accident risk.


The extremely demanding nature of the Army’s risk landscape means that the agency has been pushed to create a CRM program that truly works for its people. A level of risk is assigned to each hazard in its step-by-step process, which is meant to help decision-makers focus their efforts and save time. This begs the question: Could such a highly effective, streamlined CRM system also work for risk management in the corporate world?  Improve risk management planning with our interactive toolkit. Download now>>

Applying CRM to Corporation Risk

Although a corporation varies greatly from a branch of the military—in its goals, organization, specific hazards, and more—the former still has plenty to learn from the latter in terms of CRM.

To incorporate the core of the Army’s CRM program into your company, follow its five-step process:  

  1. Identify hazards. First, identify any risk that could “cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation.” In the case of a corporation, mission degradation might be loss of revenue or customers, failure to meet business goals, or other relevant factors.
  2. Assess hazards to determine risk. Estimate the impact of each hazard in terms of potential cost and loss by calculating its probability and severity. For example, an act of terrorism at your facility would rank high for severity, but the probability is low. Meanwhile, your organization might be more likely to get hit with a lawsuit, the impact of which could also be severe.
  3. Develop controls and make risk decisions. Work with your crisis management team to create control measures that will eliminate each hazard or at least reduce its risk. For instance, you might form an oversight committee to mitigate the potential and severity of litigation, or improve facility security to decrease the chance of terrorism. As you work through control measures, re-evaluate risks until the risk is mitigated and the benefits outweigh the cost. Then, decide which control measures to implement and to what extent.
  4. Implement controls. Roll out the control measures and ensure they are communicated to the appropriate employees and members of management and leadership.
  5. Supervise and evaluate. After controls are implemented, it’s time to manage the CRM program. Enforce controls and evaluate their effectiveness, updating them as necessary. When you or the crisis management team discover lessons learned, be sure to incorporate them into future planning efforts.

Assess Your Risk

One of the reasons the Army’s approach to CRM is so effective is that it assigns a “risk score” to each hazard. This can help you to prioritize the hazards facing your organization and to easily evaluate them as you implement control measures.

To calculate your risk, use the following formula for each hazard:

Probability + Severity = Level of Risk

Assign each hazard a probability score from the following options:

  • Frequent: 5
  • Likely: 4
  • Occasional: 3
  • Seldom: 2
  • Unlikely: 1

Then, assign the hazard a severity score from the following options:

  • Catastrophic: 4
  • Critical: 3
  • Marginal: 2
  • Negligible: 1

The resulting number is that hazard’s level of risk. To use the examples above, litigation may happen very frequently and rank as “critical” on the scale of severity, which would result in a score of 8. On the other hand, an act of terrorism is unlikely but would have a catastrophic effect, resulting in a score of 5. By quantifying these risks, you are better equipped to move through the rest of the CRM steps and track their progression over time.

Learning from the Best

No doubt the U.S. Army has learned some valuable lessons about risk management over its many years of protecting this country. Although your corporation may be the furthest thing from a military organization, it can still benefit greatly from the Army’s approach to CRM, both now and over the years to come.

Issue and Crisis Management Monthly Newsletter