Michael J. Mazarr (April 13, 2015)
Admiral William Gortney, commander of the North American Aerospace Defense Command (NORAD) and Northern Command, was recently discussing the threat posed by advanced Russian long-range conventional cruise missiles. These weapons, Gortney testified, provided Russia with deterrent options “short of the nuclear threshold.” As a result, “NORAD will face increased risk in our ability to defend North America against Russian air, maritime and cruise missile threats.”
That term—“risk”—is cropping up more and more frequently in national security assessments. Senior military and civilian leaders constantly refer to the importance of dealing with risk. Just about every piece of testimony now employs the term. Dozens of risk management frameworks crowd the national security enterprise. The 2001 Quadrennial Defense Review (QDR) introduced a framework for assessing risk in the national security enterprise that has since become a standard approach throughout various parts of Department of Defense.
All of this is based on the idea that institutional or procedural risk management can be a powerful tool. So it can, and many sophisticated risk frameworks are making useful contributions to defense planning, for example within specific services. But the irony is that elements of the U.S. national security community are relying more and more heavily on an instrument that has been called into question in the field where it was most advanced—financial services. The financial industry had developed arguably the most elaborate procedures and models for measuring and mitigating risk, but those techniques didn’t prevent leading financial firms from often unknowingly swallowing massive amounts of risk that led to their destruction.
Over the last year I’ve conducted a study to consider the lessons of this experience. I have come to believe that, notwithstanding a number of well-designed risk frameworks being employed for very specific purposes, the way we use risk in national security has too often been ill-defined and misleading. We need a more focused and precise understanding of risk at the highest levels. In the process of developing one, we should judge risk processes by one fundamental criterion—the degree to which they contribute to the making of effective strategy.
It’s commonly suggested that there are four basic elements of strategic logic: ends, ways, means, and risk. Most defense policy experts will have a pretty quick—and mostly shared—idea of what we mean by ends and means. “Ways” are a little more abstract, but there is a clear and well-established definition: the manner in which the means are employed to achieve the end.
Now ask yourself: What do we mean, in strategy, by “risk”? Chances are, some will say “gaps between ends and means.” Others will say “threats.” Still others will say, “Dangers created by my proposed strategy.” Some might answer the question by listing various categories of risk, such as operational, strategic and institutional. This is the essence of the problem at the moment: there are a half-dozen ways of thinking about risk in national security—which means, at the highest level of national policy, that there is none at all.