Download PDF

Risk is an enduring reality in strategic decisionmaking. The rigorous assessment of risk is—or should be—a critical step in strategy development. There is always risk in any strategy thanks to the unrelenting reality of uncertainty in human affairs.¹ Yet it is often a weak link in U.S. strategy formulation and decisionmaking. Thus, this article is focused on the role of strategic risk, how we define risk and operationalize it, and how senior leaders employ risk analysis to improve strategic performance.

The thesis for this article is simple: strategic risk is not well understood, and risk analysis should be a routine and continuous part of the strategy-formulation process. The central research question is How well do senior-level national security decisionmakers incorporate risk as an element in strategic decisions, and, if needed, what risk management steps could improve strategic effectiveness?

The article is organized into three parts. The background section covers the literature and joint doctrine, including a discussion about the definition of risk. The second section summarizes a few brief cases from recent experiences in the campaigns in Iraq and Afghanistan. The final section offers recommendations to advance risk-management practices in the national security community.

This effort builds on insights by numerous practitioners who considered this topic in pioneering studies.² One contributor concluded that the under- standing of this issue has been too often “ill-defined and misleading” and urges greater effort in understanding the issue of risk at the highest levels to improve effective strategy.³

Background

An era of strategic competition without overwhelming military superiority requires a disciplined approach about choices by policymakers. In an age of Great Power competition, the U.S. Government must acquire and manage a sharper appreciation for strategic choices and the risks attendant to those.⁴ Looking back on U.S. strategic performance, many scholars and practitioners have searched for the lodestone of strategic competence at the senior policymaking level.⁵ Only a few, however, have identified the importance of risk within the strategy-formulation process. One veteran policy analyst captures the current situation well:

Corporately, the Department of Defense [DOD] does not effectively allocate risk when formulating strategy, and this shortcoming can make senior U.S. decisionmakers alternatively either risk-blind or risk-confused. In combination, these two tendencies have yielded rash, wasteful, and anti-strategic U.S. responses when confronting some hazards and inaction, paralysis, and loss favoring U.S. rivals when confronting others.⁶

This concept of risk blindness captures something missing in earlier studies of strategic competency and lessons- learned efforts. Despite excellent military doctrine in planning military operations, coverage of this topic is limited in the strategy community, which focuses narrowly on policy aims and troop counts.

Some scholars of risk believe that policy preferences, fixed ideas, and emotive appeals are too often substitutes for any real analysis. As Michael Mazarr concludes, “The biggest national security disasters and risk calamities often stem from a willful disregard of consequences.”⁷ In Mazarr’s study, too often policy decisions are made based on preferences and biases without a sober reflection on the probability of events and adverse consequences of an advocated policy aim. Critical assumptions are made that could be challenged or subject to further discovery and debate. “Too often unexamined premises color initial decisions to pursue a policy and shape the strategies a leader employs to achieve their goals,” another scholar concluded, “with grave consequences for their countries, organizations, and potentially the world.”⁸ In sum, objectives are asserted as highly desired imperatives, regardless of possible costs or consequences.⁹ This is simply risk blindness.

In discussing the challenge of rigorous risk management with seasoned U.S. policy practitioners, there is a sense that risk is a badly misunderstood issue.¹⁰ Risk management is a topic of intense interest in the business community since the 2008 financial crisis and lessons from the COVID-19 pandemic. The private sector and government now realize that risk and resilience are important when it comes to supply chains and cyber security. Each community could learn from the other, as shown by leading scholar/practitioners from the national security community.¹¹ The critical lesson drawn to date is that the greatest source of risk is not the unknown or the unknowable. There is no swarm of black swans waiting to suddenly appear. In fact, retired General Stanley McChrystal insists that the greatest risk to our organization is not an external source; it is ourselves.¹² Our lack of empathy, curiosity, and critical thinking leaves us open to surprise from foreseeable hazards.

Defining Risk in Joint Doctrine

Strategy involves decisionmaking under conditions of uncertainty in a contested environment. This mandates a disciplined approach including options, tradeoffs, and choices. There are risks inherent to these choices, some of which can be recognized. But there remains uncertainty about external forces including decisions made by our competitors. There are also risks generated by our own decisions and their implementations. There is no such thing as risk-free strategy.¹³

The Joint Staff has a formal methodology and associated lexicon for assessing strategic risk as well as military risks to missions and forces.¹⁴ This is recognized as a critical element in joint planning and important to the Chairman of the Joint Chiefs of Staff’s role in providing risk assessments to DOD and Congress. The Chairman’s instruction on methodology is a clear and practical treatment of risk in terms of thinking about both consequences and probabilities. The instruction offers the joint community a clear conception of risk management and a common language that can be used in the schoolhouse and in practice.¹⁵

But what do we mean by the word risk? Some conflate risk with threats. But these are external actors. They are not a risk, per se. In its most simple conception, risk refers to things that can go wrong in relation to something we seek to gain or secure. These can be acts of omission internally or commission by external sources. Broadly speaking, risk is the potential for something bad to happen, an event that is inimical to assigned objectives or national interests. Risk analysis is the identification of these hazards, and risk management is the deliberate effort to assess and mitigate those things (or accept them as low probability or inconsequential).

The Joint Staff defines risk as “the probability and consequence of an event causing harm to something valued.” This definition does meet the classical understanding of risk as a function of a probability of occurrence and the severity of the consequences. Joint doctrine classifies risk at four levels (low, moderate, significant, or high) and four categories of consequence.¹⁶ One valuable element of joint methodology is the employment of a risk matrix to map out the risks that may affect a strategy (see figure 1). This technique reveals the projected probability of a risk and its possible consequences. The plotted risk assessment can also depict trends by directional arrows. A clear lexicon facilitates a common understanding in analysis and discourse. Such a presentation helps summarize several possible issues that a serious strategic decision should consider and should stimulate the principal decisionmakers to assess their assumptions and the proposed strategy decision before them.

The joint directive distinguishes between military strategic risk and military risk. The Joint Staff defines military strategic risk as the “probability and consequence of current and contingency events with direct military linkages upon the United States. This includes U.S. population, territory, civil society, institutional processes, critical infrastructure, and interests.”¹⁷ This definition is limited, as “direct military linkages upon the United States” relates only to those risks with some coercive military impact. The national security community, more complex and nonlinear than ever, requires a slightly broader definition beyond direct military linkages. Military risk is somewhat clearer and more operational. It is usually classified in two ways, risk to the force and risk to the mission.¹⁸ Most military planners are familiar with this construct and its associated risk levels.

Some top-level schools in the joint professional military education system stress the incorporation of risk in strategy formulation but employ a different analytical framework. These schools have students consider “risk to the strategy” and “risk from the strategy” in the assessment phase of strategy development.¹⁹ The former category addresses events that could negatively affect the strategy’s implementation or effectiveness. These are often uncertainties or assumptions that turn out to be invalid. The latter category includes implementing a strategy, which results from tradeoffs. This could include an explicit recognition of higher risks that a strategy creates by allocating forces or resources to another region. These schools are largely interested in national-level strategy, which requires considerations of all instruments of power beyond just the use of military force. This “to/from” framework appears to be more valuable for strategy and interagency deliberations than “risk to the force” or “risk to mission.”

Regrettably, the rest of the national security community lacks such a common framework. Thus, key terms and techniques are not used consistently across departments and agencies, making it difficult for the National Security Council (NSC) staff steering the interagency community to arrive at a shared understanding of a crisis and its risk parameters as they seek to advise the President on how to advance the Nation’s interests.

As there is no definition for strategic risk applicable to the broader national security enterprise, one must be constructed. For this article, strategic risk is defined as a potential event that negatively affects the Nation’s important interests or negatively affects the execution of a chosen strategy, including unknown hazards, flawed assumptions, blind spots, or bureaucratic preferences, or arises from flawed or poorly implemented strategy.²⁰ The definition includes more explicit sources of risks, which are either external or internal, including deficiencies in strategy formulation or execution. This more holistic definition is a good starting point for creating an understanding shared across the wider national security enterprise. Ideally, a good definition captures various kinds of risk, including political, diplomatic, economic, or reputational risk.

The Joint Staff highlights the importance of risk in both strategy and planning doctrine. A joint doctrine note on strategy associates risk with the implementation of strategy or plans and their assessment over time. It states that “Implicit to the implementation of a strategy is the identification of its associated costs and risks.”²¹ This is limiting and slightly problematic. Risk considerations should be explicit and start with the development of a strategy as well as execution and refinement from assessments. The Joint Staff is acutely aware of the importance of risk and tradeoffs in joint operations, as well as in its latest concepts, which stress the integration across all instruments of national power.²² This makes having a common understanding of strategy and risk even more important.

Recent U.S. Case Histories

Various studies and critiques of U.S. strategic performance have been spawned by the onset and results of U.S. interventions in Iraq, Pakistan, and Afghanistan. In these cases, the United States faced complex situations that required the government and its coalition partners to adapt to nontraditional challenges that required comprehensive solutions that did not play to American strengths.

Iraq. Decisionmaking in the run-up to the Iraq War stressed the grave risks posed by Saddam Hussein but ignored other warnings. Mazarr considers it a classic example of what happens when assumptions and policy options are not deeply interrogated and where a leadership culture makes dissent or debate worthless.²³ His analysis is consistent with another author who looked over a longer set of U.S. case histories:

Despite the violence in the wake of the invasion of Iraq, leaders in the [George W.] Bush administration did not readily challenge its basic premises regarding the aftermath of the war. The President’s projection of absolute confidence, and the fierce loyalty he bestowed and demanded, limited critical thinking, as did his rejection of advice that ran counter to his instincts.²⁴

Policymakers held on to their mental models and preferred options despite available evidence, unwilling to accept the possibility that previous assessments of weapons of mass destruction could be wrong and that the war would prove harder and more expensive than imagined. It should be admitted that the shadow of 9/11 hung over perceptions and judgments the Bush team had to make.²⁵

Our allies are not strangers to the critical importance of risk-management techniques.²⁶ After the Iraq War, the United Kingdom’s Parliament commissioned a formal inquiry, led by Sir John Chilcot. That investigation into London’s decisionmaking noted the absence of a vital and fundamental element including “a hard-headed assessment of risks,” rather than idealistic rationales based on overly optimistic assumptions.²⁷ The report went on to conclude that “At no stage did Ministers or senior officials commission the systematic evaluation of different options, incorporating detailed analysis of risk and UK capabilities” before the United Kingdom committed to its Iraq intervention.²⁸ The inquiry was quite clear where to lay blame for the lack of detailed risk and capability analyses: “It was the responsibility of officials to identify, analyze, and advise on risk; and Ministers’ responsibility to ensure that measures to mitigate identifiable risks, including a range of policy options, had been considered before significant decisions were taken.”²⁹

If the United States were to hold a similar formal review, it would likely come to a similar conclusion. A veteran Army planner, the late Richard Sinnreich, summarized his assessment about operations Iraqi Freedom and Enduring Freedom in stark terms: “U.S. and alliance leaders were slow to acknowledge that crucial contextual assumptions under- writing both military commitments were wrong.”³⁰ One could add that the reason they were slow to recognize and respond to the dynamic and unexpected circumstances was a lack of prior structured analysis and exploration of basic assumptions and risks.³¹

To his credit, before the war Secretary of Defense Donald Rumsfeld offered the White House a detailed litany of 29 problems or risks that could occur in the aftermath of the Iraq invasion.³² The Secretary had Pentagon staff assemble this informal risk assessment to help the President appreciate the uncertainty involved in such a major undertaking. But the administration did not wrestle with this set of potential issues. It remained focused on supporting the President’s internalized risk assessment of a world with Saddam possessing and sharing weapons of mass destruction. This was a risk he did not believe he could accept. But as noted by Melvyn Leffler in Confronting Saddam Hussein, “Bush disliked heated arguments and therefore did not invite systematic scrutiny of the policies he was inclined to pursue.”³³ The magnitude of the task or the inherent difficulties involved was not fully grasped, and the risks and costs that might be incurred were largely suppressed. Here, the need for structured process, including contrasting views, to trump personality and human psychology is evident.³⁴

Operation Neptune’s Spear. The decision to conduct a raid into Pakistan to capture or kill Osama bin Laden is another case study of risk analysis.³⁵ The Intelligence Community (IC) developed indicators that bin Laden could be hiding in a compound in Abbottabad, a small town in northeastern Pakistan. The IC briefed the President in late 2010 that it had unconfirmed information that suggested the compound was hosting a high-value guest that could be the al Qaeda leader. This information became one of Washington’s most guarded secrets, shared with only the most senior officials. It was not until January 2011 that the Central Intelligence Agency (CIA) was di- rected to brief then Vice Admiral William McRaven, the commander of the Joint Special Operations Command (JSOC), about the compound.

The first of five meetings of the NSC on the potential operation occurred on March 14, with President Barack Obama chairing. The agenda that day was to review the options; the President understood the importance of time and security. Concerned that a major operation could be compromised by exposure, he desired to move as quickly as possible.

Seven options were originally raised by the NSC (see table 1). The first two involved air strikes to destroy the compound with B-2 stealth aircraft or a drone-delivered small bomb that would attack only what the CIA called the “Pacer” walking in the garden. At the next NSC meeting, President Obama was leaning toward the B-2 strike.³⁶ Defense Secretary Robert Gates expressed doubts as to whether it was bin Laden in the compound and whether a raid was worth the risk. He was also concerned that the Pakistanis might be so upset by the surprise raid that they could suspend cooperation and logistics access to Afghanistan. He noted that over half of U.S. fuel and supplies transited through Pakistan.³⁷ Secretary Gates suggested that the intelligence collected to date might be a lure to ambush the raid.³⁸

At the end of the first meeting, the President was leaning toward the special operations raid course of action. The strike options did not provide confirmation of success and left any chance for crucial intelligence behind.³⁹ Some military staff were assigned to explore that option in detail, and the Vice Chairman of the Joint Chiefs of Staff began studying a more precise attack option to reduce risks.⁴⁰

Concerns were raised about penetrating Pakistani air space and what the necessary air package would be to successfully place the assault force in or around the compound. There were always major concerns about the Pakistani military and political response. JSOC began working with the CIA to plan the raid. Working groups strived to improve the intelligence to confirm bin Laden’s presence as well as assess the ramifications for U.S.-Pakistan relations.⁴¹

President Obama elected to set the large strike option aside at the next NSC meeting due to the risk of high civilian casualties. He directed that Admiral McRaven continue to flesh out the raid in detail.⁴² Veteran JSOC planners had been developing and executing such missions for nearly a decade, and they used a mockup of the compound to refine their plan in April.⁴³ The idea was straightforward and boldly conceived. The planners believed the assault force could use modified Black Hawk helicopters to penetrate all the way to the target and back without being intercepted by the Pakistanis.⁴⁴ The proposal was to exfiltrate with bin Laden, if captured, back to Bagram Air Base. The raid option leveraged JSOC’s well-honed expertise in attacking compounds and executing night raids. It also offered unique risks since bid Laden’s hideaway was in Abbottabad, a city of 300,000 positioned over 160 miles inside Pakistan. Any raid force would have to avoid detection and operate quickly before the local police force or a battalion-sized garrison 4 miles away could react. McRaven’s plans and rehearsals minimized most of the risks involved to an acceptable level.⁴⁵

The NSC met again on April 19 to hear McRaven brief the plan.⁴⁶ Secretary Gates was still uncomfortable with the mission’s risk.⁴⁷ His concerns could be characterized as “risk to the strategy”— the strategy being the larger conflict in Afghanistan. After hearing out the positions of the principals from the NSC, Obama gave provisional approval for the raid by the SEALs.

President Obama was concerned that the plan did not address the potential for a Pakistani military response, and JSOC was directed to ensure that the assault team would be able to defend itself if necessary. Admiral McRaven prepared contingency plans for additive air support and reinforcements. This not only mitigated the risk that Obama identified but also increased risk in detection and political ramifications if a firefight between the SEALs and Pakistani troops occurred. These risks do not appear in the extensive record of this decision in open-source materials.

On April 28, the NSC reviewed the final plan, and each principal was asked to explicitly register his preferred options. They were diverse in their views.⁴⁸ The next day, President Obama gave the final go-ahead. The raid was successfully executed on May 2. This appears to have been a deliberative decision process with risks considered from several perspectives. The President asked for a range of options and collectively received diverse counsel and cautions. The CIA used “red teaming” on the collected intelligence to independently review the available evidence that bin Laden was living at the Abbottabad compound.⁴⁹ In this case, the President asked for and reviewed the CIA’s red-team analysis.

Risks to the force and risk to the mission (Islamabad’s reactions) were foremost in many debates held by the policy-level leaders. Probabilities and contingency plans to mitigate risk were considered, and President Obama studied the risks and decided, despite the uncertainty, as strategic leaders must do.⁵⁰ Overall, the case study exemplifies a positive example of risk management.

Afghanistan End Game. The withdrawal from Afghanistan is just the most recent case where risk assessment was a crucial element in the outcome. Upon taking office in January 2021, President Joe Biden directed his team to conduct a review of the situation. After a thorough and inclusive interagency process, the President elected to uphold the Doha Accord signed by the former administration with alterations to the timeline.⁵¹ The decision to reduce the U.S. military presence to zero was announced by he President on April 14, but it was subsequently modified to staff a security contingent for the U.S. Embassy in Kabul. There were costs and benefits for staying in Afghanistan and risks to U.S. interests by staying and for withdrawing.

During the summer of 2021, the situation on the ground was in flux. NSC officials were faced with a confluence of conflicting demands to support the Ashraf Ghani government while also preparing to deal with a large-scale evacuation of tens of thousands of U.S. forces, citizens, Embassy personnel, allies and partners, and many Afghans. There was little agreement on the scale of that evacuation, with U.S. Central Command (USCENTCOM) planning on around 150,000 possible evacuees, including many Special Immigrant Visa applicants and their families.⁵² This capacity was central to planning the noncombatant evacuation operation (NEO) processing and airlift requirements.

Throughout the spring and summer of 2021, the NSC staff hosted dozens of high-level planning meetings, formal rehearsals of the withdrawal, and tabletop exercises to explore scenarios for an evacuation as part of responsible planning for a range of contingencies.⁵³ Of particular interest in this article is how adaptive U.S. planning efforts were and the apparent divergence of the appreciation for risk over the course of the summer of 2021. Many observers predicted that the Afghan military would not hold given the President’s announcement that the U.S. military was withdrawing. The issue to most analysts was not if the Afghan army would collapse but when. As former Chairman General Mark Milley has testified, the IC consensus on the erosion of the effectiveness of the Afghan army was 12 to 24 months, while he and others thought it could be late fall 2021.⁵⁴ The Chairman’s personal assessment was that the Afghan military would likely collapse around late November.⁵⁵

The U.S. Government did not appreciate and was not positioned to understand the melting cohesion of its Afghan partners. The cumulative impact of withdrawing advisors, rapidly closing airfields, limiting supporting air strikes against the Taliban, and pulling out contract aviation maintenance would severely weaken the resolve of the Afghan military. Without lower level advisors, the various U.S. intelligence agencies lost their collective ability to check on the pulse of the Afghan military and its cohesiveness.⁵⁶ Ultimately, the Taliban swept through Afghanistan, the Ghani government fled the country, and the Afghan army collapsed. The long- anticipated NEO that USCENTCOM hedged against became necessary and was an operational success, extracting 124,000 U.S. personnel, allies, and at-risk personnel in 10 days. The withdrawal was chaotic as expected. Despite months of prior coordination by local military commanders with the Embassy, State Department officials brought in to reinforce the Embassy and help execute the NEO found no plans to work from and drew up plans on the fly since the crisis was “beyond the scope of anything that was contemplated.”⁵⁷

Regrettably, the so-called Islamic State–Khorasan Province (ISIS-K) sought one last chance to attack the United States. This was a well-anticipated risk, one that the IC and USCENTCOM sought to deflect or mitigate. ISIS-K placed a suicide bomber close to the last open gate at Kabul’s Hamid Karzai International Airport. The explosion at Abbey Gate killed over 170 Afghans pressing to get into the airport, and 13 U.S. Servicemembers died from the blast.

In retrospect, the character of the U.S. withdrawal adversely affected the Afghan military’s will to fight.⁵⁸ By the summer of 2021, as U.S. and coalition forces were pulled back, Afghan morale and resolve quickly dissolved.⁵⁹ It happened faster and sooner than was expected. Table 2 lists some of the various risks that could have been identified and tracked in the summer of 2021 with greater fidelity that may have helped the NSC staff question key assumptions and appreciate the growing and converging character of that risk. The risk matrix visualizes five possible hazards and their direction over the summer of 2021 and employs the Joint Staff’s methodology. It includes a set of risks with a rough risk trend assessment reflected by the arrows regarding what direction the risk was moving (see figure 2).

The matrix maps out a set of converging or reinforcing risks, many of which were the direct product of national strategy. Some of these were understood as risks, but when they would occur was uncertain. Such an assessment earlier in the summer might have produced changes to either limit the military withdrawal or accelerate the State Department’s NEO planning to be better aligned with the changing facts on the ground.

Clearly, the interagency community did not share a common perception of the potential risks. The State Department inexplicitly failed to consider the risk to the diplomatic mission in Kabul, given the withdrawal of U.S. and coalition forces. NEO preparations were negligible, including consideration for partner nations. The State Department never appreciated the need to establish some alternative method of vetting Special Immigrant Visas for the tens of thousands of at-risk Afghan personnel who had served with or supported the United Nations and the United States in the two-decades-long intervention. This represented a large percentage of the population that would be lifted out in a NEO, and several at-risk groups would be left behind.

The Embassy was working at an entirely different pace and threat assessment than the military, and its plans were not well coordinated.⁶⁰ The State Department’s desire to preserve an embassy presence while resisting the prospects of a large-scale NEO posed a serious risk to U.S. interests despite repeated warnings by DOD and joint commanders. The State Department’s position resulted in a belated decision to call for the NEO, a decision that came “too late and too slow.”61 Even a week before the State Department called for assistance, military leaders in Kabul reported a lack of any sense of urgency at a crucial inter- agency coordination meeting on August 6, 2022.⁶² State’s position on Embassy security should have been informed by the political fallout of the attack on the Benghazi consular office in 2012.⁶³

The White House acknowledges learning lessons from the crisis of August 2021 related to strategy development and risk.⁶⁴ It concluded that in contingency planning there is a need to plan early and extensively for low-probability, high-risk scenarios. It also endorsed “creative analytic exercises in planning.”⁶⁵ The NSC’s overview revealed that valuable insights were absorbed during the contingency, derived from coordination sessions and simulation exercises, the most significant of which occurred a mere several days before the Ghani government fell.⁶⁶

The State Department’s postconflict after-action assessment was also more critical: “there was insufficient senior-level consideration of worst-case scenarios and how quickly those might follow.^”67 In that report’s recommendations, policy leaders should “hear the broadest possible range of views including those that challenge operating assumptions or question the wisdom of key policy decisions.”⁶⁸ This appears to be diplomatic speak acknowledging a lack of appreciation for potential risks by senior leaders. One senior U.S. military official, who had commanded U.S. forces in Afghanistan, was highly critical of the State Department’s lack of understanding of risks that it was taking by not planning sufficiently for a large-scale NEO.⁶⁹

Not all the blame can be dumped on U.S. diplomats. The outcome in Afghanistan, as noted by General Milley, was the cumulative effect of many decisions made over time and was not the product of a single causal factor.⁷⁰ However, if there was one common problem evident over the entire last few years of the conflict, it was a lack of shared understanding of looming risks that could undercut desired outcomes for a responsible drawdown. The NSC staff learned some valuable lessons in the process as well. Institutionalizing this experience seems to be of great value, rather than having successive administrations relearn the same les- sons. Expanding the lessons absorbed throughout the interagency community would also be of benefit.

Assessment

The literature review, concise cases, and inputs from practitioners support a major conclusion: There is too little understanding or appreciation of risk and adverse consequences in developing major U.S. strategy options. While the military has incorporated deliberate analytical processes to identify and minimize military risk, the policy community seems focused on ends and means. Recently, this conclusion was reinforced by the release of a complete set of NSC policy papers from one administration. These are excellent position papers and regional strategies, but they are devoid of any discussion of risk.⁷¹

The evidence reviewed herein confirms Mazarr’s observation that risk is too often brushed away or perceived as something to avoid, lest it upset policy officials. Too often reservations or questions about key assumptions are seen as bureaucratic resistance, instead of what professional planners expect from a rigorously structured method. Instead of applying rigorous processes, such as structured analytical techniques, to help senior decisionmakers make the best decision, staffs focus too often on the policy option they think the commander in chief wants. Yet to do so in the absence of a sound risk process only ensures that leaders make strategically consequential judgments with their eyes blindfolded. What a structured risk analysis should do is promote better decisions and greater awareness of possible risks.

The U.S. experience, including more than the cases here, underscores the value of formal process to sharpen options, uncover weak assumptions or metaphors, and overcome personality and individual or institutional predispositions. In short, structured debates are needed to pare away illusions and address uncertainty and risk. Before they come to a judgment on war or some other major issue, decisionmakers need to peel back the underlying assumptions and hidden consequences in courses of actions they are presented with. They should question projected causal effects and address potential consequences and scenarios. They should also be aware of and seek to avoid uncertainty absorption (or what could be termed “risk diffusion”), which involves the erosion of nuance and uncertainty as information climbs higher into the national security enterprise.⁷² Experts lower down the chain are more aware of the relative credibility of sources and the rigor of analysis behind judgments. They should be clear about what is factually known and what is a judgment drawn from analysis.⁷³ Decisionmakers should tap into experts lower down the chain to find where the uncertainty and questionable assumptions are buried. They should also study the habits of “master thinkers,” especially a sharpened ability to challenge assumptions.⁷⁴

Structured processes minimize the dysfunctional aspects of human dynam- ics, which are often the source of risk failures.75 The solution to weak logic and poor strategic thinking is found in what the historian Macgregor Knox stressed in The Making of Strategy:

[policymakers] must weigh imponderables through structured debates that pare away personal, organizational, and national illusions and conceits. They must squarely address issues that are bureaucratic orphans . . . and in the end, makers of strategy must cheerfully face the uncertain- ties of decision and the dangers of action.⁷

To address human and institutional biases, it helps to exploit creative analytical techniques and simulations.  The list represents a suite of techniques used in many decisionmaking environments to refine analysis. These represent a range of creative problem-solving tools drawn from the strategic management and cognitive sciences literature that could be applied to improve the strategy process and facilitate the management of human factors that influence decisionmaking and risk analysis.⁷⁷ These aspects are recognized in the Joint Staff risk methodology.⁷⁸

An increased familiarity with these techniques could improve risk analysis and sharpen efforts to identify and mitigate possible undesired outcomes.⁷⁹ Moreover, these techniques would assist in building a risk-informed culture across the interagency community. This kind of planning should occur routinely in national security forums, where decisions are often made under conditions of uncertainty.⁸⁰ A strong risk culture and supporting processes should provide analytical scaffolding to determine how best to obtain desired outcomes while minimizing the chances of a policy failure from foreseeable consequences.

Recommendations

One is tempted to simply suggest that risk be added to the canonical “three- legged stool” of strategy, expanding the classical concept of ends, ways, and means.⁸¹ But a more substantive change is needed to instill and sustain a risk-informed culture. The following recommendations focus on the NSC staff. The NSC typically “does not do risk very well” according to former Secretary of Defense James Mattis, who as a Cabinet secretary and combatant commander has participated in more than a few meetings in the White House Situation Room. He noted that terminology like “low” or “moderate” risk has little meaning since each community at the table defines risk differently.⁸² A second reason for focusing on the NSC is that its structure, divided into regional and functional directorates, requires extra effort to ensure integration and coordination.⁸³ The following recommendations are offered to generate and institutionalize such a culture and enhance risk analysis across the national security community. The successful adoption of this set of recommendations should make strategic risk analysis a core competency in U.S. strategic planning and decisionmaking.

1. Develop an Interagency Risk Framework. The interagency community needs a common approach to risk. DOD has made real strides in assessing risk in the recent past. Joint doctrine has always promoted serious risk evaluations and mitigation actions at the operational level. This competency has been a valuable component of joint operational planning. But national security challenges require more than just the tools and techniques developed for assessing military risk. The interagency community, however, does not share a common understanding of risk, much less have an integrated vocabulary or doctrinal approach.

The national security establishment needs to ground a risk-informed methodology in policy and actual practice. As the central mechanism for interagency coordination and for its principal task of coordinating the development of policy decisions by the President, the NSC staff is the appropriate activity for developing a more unified and common set of techniques. This would be the first evolution toward a culture of robust risk analysis that must be established across the national security community. Reportedly, the NSC staff has tried to advance an interagency risk methodology but did not produce an agreeable approach.⁸⁴

This effort may start by building on the existing joint methodology discussed earlier to create a lexicon and associated processes to be used inside the larger interagency community. A common language and a familiarity with risk analysis is an important reform to strategic decisionmaking. It would facilitate both the formulation and execution of strategies and their continuous (re)assessment. The objective is to create and implement a suite of risk analysis activities to catalyze senior-level discourses on the character of risk in strategic planning. For improved debate and discourse, the NSC should formalize a clear terminology and methodology for presenting risk analyses to promote a shared understanding and enhance transparency over options.⁸⁵

In addition to the techniques of the joint strategy and planning community, any relevant risk analysis techniques used by the intelligence and interagency communities should be incorporated.⁸⁶ This recommendation promotes greater dialogue among the different cultures of the major contributors (the IC, State, DOD, and political leadership).

2. Embed and Apply a Risk-Informed Framework Into Core Strategy Processes. The purposeful examination of risk must be routinely integrated into all major strategic processes.87 When one examines the cases discussed here as well as other scholarly efforts to study major national security disasters, it is hard to avoid the conclusion that policymakers spend little time, much less a focused debate, over potentially bad consequences.

The NSC should be committed to animating a high-level risk dialogue that focuses less on either process or committee meetings and more on comprehensive understanding of the relationships between objectives and risk.⁸⁸ The emphasis should be on the rigorous identification of consequences and costs—what could occur that would impact the proposed options.⁸⁹ Moreover, it cannot be delegated to staff or occur only at the end game, when much of the consensus building and compromises around a selected course of action have already taken place.

Good risk management should force decisionmakers to confront biases, bad mental models, or cognitive anchors that limit the appreciation of risk. Structured debates and planning mechanisms like tabletop exercises, wargames, and red teams should help shed more light on blind spots or blinkered thinking from ambitious but underdeveloped policy aims. As a minimum, every major strategy decision should include:

• a formal red-team analysis

   

• a risk matrix

   

• a premortem that diagnosed risks to and from the strategy.⁹⁰

   

At the end of the day, this is a task that principals should not delegate to staff or merely receive a one-page memoranda about. What is intended is a rigorous dialogue about the projected and potential consequences of strategic options. “An effective risk process,” Mazarr stresses, “should force decisionmakers to talk about potential consequences in rigorous and nuanced terms, with the goal of informing and shaping their judgment.”⁹¹ This should help to identify dangers and lay the groundwork for a careful evaluation of the complicated interplay of risk and reward at the core of any complex strategic judgment. It should be more central to any strategic decision made by the principals at the NSC and documented in formal strategies and statements of conduct from NSC meetings.

3. Augment the NSC Staff. The professional but overworked NSC staff should be assisted by risk specialists and facilitators to promote evaluation of risk and to develop a risk analysis for the principals committee before and during crisis situations.⁹² This would be more than a red team from an intelligence agency since it should identify friendly/“blue” shortfalls.⁹³ Arguments have been made in the past for a policy and strategy board at the NSC to enhance strategy development and stimulate more critical thinking.⁹⁴ Other scholars have looked at the Eisenhower-era strategy board as a model for applications.⁹⁵ These proposals have merit but as offered would tie up busy Cabinet and sub-Cabinet officials with additional duties.

These proposal choices, making risk-informed decisions, and implementing strategy. The problem afflicts many enterprises. As Taleb Nassim states, “We overestimate our abilities and underestimate what can go wrong. The ancients considered hubris the greatest defect, and the gods punished it mercilessly.”⁹⁸ National security leaders are advised to stop “mocking the gods” and take the ever- present reality of risk more seriously.⁹⁹

Alternatively, the existing NSC strategic planning cell could be expanded and augmented to support the National Security Advisor to develop risk assessments and track risk.⁹⁶ This cell should assist the National Security Advisor to challenge assumptions, anticipate spin-off effects, present premortems, and offer diverse options.⁹⁷ These would still be presented within the existing NSC meeting framework to senior leadership.

Conclusion

Risk is not well understood, and risk management is not applied consistently and explicitly at the policy and strategic decisionmaking levels. The U.S. policymaking community needs to expand and sharpen its appreciation for risk as a requisite step in testing strategic choices, making risk-informed decisions, and implementing strategy. The problem afflicts many enterprises. As Taleb Nassim states, “We overestimate our abilities and underestimate what can go wrong. The ancients considered hubris the greatest defect, and the gods punished it mercilessly.”⁹⁸ National security leaders are advised to stop “mocking the gods” and take the ever-present reality of risk more seriously.⁹⁹

Risk analysis is a senior leadership function. Decisionmakers need to wrestle with the potential bad outcomes that come from the choices they make and the total risk portfolio that they are carrying over time. To do so we must establish both the culture and the mechanisms to inject risk into decisionmaking earlier and institutionalize risk analysis. The result would be better decisions, timely adaptations strategies, and improved strategic effectiveness. JFQ

The author would like to acknowledge the significant contribution of two anonymous peer reviewers as well as assistance from Michael Mazarr, Kaley Scholl, Lieutenant Colonel Ashely-Marie Cook, USAF, Mike Donofrio, Bryce Loidolt, T.X. Hammes, and Colonel Thomas Greenwood, USMC (Ret.).