Published: April 27, 2010

The question in the title of this piece is one that often crops up and was thrown into sharp relief during a recent conversation with a colleague working for a defence contractor. He had read a report in which I’d assessed that there was a high threat of rocket attacks against an airport in Afghanistan. He had subsequently moved his organisation’s risk level for that airport to ‘High’ and banned all travel through that location, having a significant impact on their ability to move personnel in and out of the country. As an academic in my shadow career, I switched to lecturer mode and held forth on the difference between ‘threat’ and ‘risk’. He got the point and adjusted the risk level, which allowed his organisation to resume travel through the airport.

So what is the difference? Simply put, ‘threat’ is a function of the enemy’s capability and intent to conduct attacks, whereas ‘risk’ is a function of the probability that your organisation will be involved in an attack (either as a deliberate target or just in the wrong place at the wrong time) and the harm that such an attack would cause. Even more simply, ‘threat’ = capability x intent, whereas ‘risk’ = probability x harm.

Threat assessments take in to account a wide range of factors. To assess capability, they analyse the quality of past performance, current trends, command and control (C2), logistic support and the extent to which a group can create its own opportunities to attack. Intent is established by past performance (i.e. if they’ve actually attacked at least once then intent is clear), public rhetoric and whether a group does create its own opportunities or just reacts to events. In the example of the airport, the local insurgent group had been carrying out one or two rocket attacks a day for several days. The capability and intent were, therefore, fairly clear – the group had the logistic support and C2 necessary to conduct these attacks and were attacking whenever they wanted. The attacks rarely caused any casualties or damage, but this was more to do with the dispersed nature of the airport than any lack of technical ability – the insurgents had managed to hit the same accommodation block on two separate occasions, which shows some degree of expertise. The fact that rocket attacks had been carried out regularly over a number of years indicated that the intent to carry out more attacks was similarly high. As a result of all of these factors, we assessed that the threat was high, i.e. it was almost certain that the insurgents would carry out further rocket attacks against the base.

So, having established the level of threat, what of the risk? This is, of course, informed by the threat assessment, which identifies the type and level of hazard likely to be faced. As I’ve already mentioned, risk is a function of probability and harm; i.e. how likely a particular event is and what damage to the organisation can result from it. There is an entire industry built around risk assessments so I won’t try to summarise it here, but will continue with the airport example to illustrate my point. The ‘harm’ was relatively easy to assess. If an employee was killed or injured in a rocket attack against the airport it would clearly be devastating to him and his family. On top of that, his company’s mission would be unable to proceed if he did not arrive at his place of work and the company’s reputation would suffer as a result of the death or injury of the employee. The probability was equally straightforward. The vast majority of attacks consisted of one or two rockets fired at the airport during the afternoon or evening. Most rockets landed in open areas well away from the terminal buildings and runways. Since the usual flight schedule meant that the employee would arrive in the middle of the night and only spend an hour or two at the airport, the chances of them being there during an attack were extremely low. Add to this all the mitigation factors put in place by the military and the company itself, the actual risk was found to be well within the tolerance of the company.

There is, unfortunately, a tendency to try to quantify risk and reduce the process to a mathematical calculation that provides an objective result. When it comes to carrying out threat and risk assessments in war zones there is also a highly subjective element. You never have access to all of the information you need, either because it is classified or just because it is not available. Much of the threat assessment is based on opinion and subjective judgement, even if supported by diligent research and the best available data. But the biggest problem with trying to assess risk in a hostile environment is that there is an element of pure chance. As a recent article by a former US Special Forces officer eloquently put it:

‘Chaos, the kind I know, has little to do with a traffic jam...or white-water rapids. There is chance in those systems, but... it does not reign supreme. In warfare, chance does reign supreme. We tilt the deck in our favour. We shoot better. We have better armour. We communicate better than our foe. We bring order to the variables we can. But we only hold a few of the cards. We can’t always control where or how we enter the rapids, nor even tell where the rapids are. War is not perfect chaos, for we have a little control. But it is damn close.’

In short, even the best risk assessment and mitigation measures leave a certain amount of residual risk, either because one can’t mitigate totally against all the risks or because of the element of chance. But, as this example shows, understanding the difference between ‘threat’ and ‘risk’ can help you make decisions that will keep your people safe and avoid unnecessary costs. If you want to know more, please feel free to ask me. As my defence contractor colleague will testify, I can go on for hours....

David Strachan-Morris
Manager, Information and Intelligence Services
Pilgrims Group Limited

+44 (0) 1483 228 778
E-mail David Strachan-Morris

About the Author
David Strachan-Morris is Manager of Information and Intelligence Services at Pilgrims Group. Prior to this he served in the British Army and worked as intelligence manager for a number of large security companies in Iraq. In addition to his duties at Pilgrims, David is finalising his PhD at the University of Wolverhampton and is an associate tutor in the Department of Politics and International Relations at the University of Leicester. He is an active member of the academic research community, with publications and conference papers on intelligence, counterinsurgency and private security companies.