top of page
Line Concept Level 3 page 2.PNG

Effective risk management in an era of strategic competition: An alternative view

This week The Central Blue editor, Wing Commander Ulas Yildirim, discusses risk management within the Australian Defence Force. The current rule-based model of risk management that Defence uses is insufficient to properly assess the different types of risks faced by the Service and its members. Using aviation safety reform, Yildirim examines how a shift in culture can be powerful for meaningful change. However, contextualisation of change is equally important in mitigating failings based on rote adherence to rules without understanding the principles behind them. Yildirim further highlights how Defence’s culture surrounding fear of failure will inhibit the long-term evolution and change necessary for Defence to take advantage of opportunities and create space for innovation.

Risk – Effect (positive or negative) of uncertainty on objectives

- ISO Guide 73:2009

Never miss the opportunity of a crisis

- Anonymous

In the mid-1990s, when the Defence aviation community vowed to make safety its top priority, a robust aviation safety framework was implemented. Inherent to the rules of this framework was a strict regime of compliance and conformance from its operational and technical personnel. Yet, this aviation safety framework—deemed exemplary by the Nimrod Board of Inquiry—did not prevent one of the Defence aviation community’s worst peacetime accidents with the loss of a Royal Australian Navy Sea King helicopter in 2005. The resulting Board of Inquiry for this tragic event attributed the accident to several themes including organisational deficiencies, management failures, poor communication and perhaps most concerningly, compliance to existing regulations without understanding their intent. The Sea King accident reflects a common and recurring issue in risk management which is continually underpinned by a logic of compliance. This logic holds that risk events can be resolved by ensuring that personnel comply with a set of predetermined rules-based risk management system.

It would be foolish to suggest that an unregulated risk management system is the most effective. For example, Defence has significantly reduced its fatal aviation accident rate since the 1990s from a peak of more than five aircraft losses and four fatalities per year down to 0.4 fatal accidents per year for the period 1993 to 2012. However, a rules-based risk management system will neither diminish the likelihood nor the consequences of events such as the Sea King accident in the same way that it could not prevent the adverse effects of COVID-19. In an era of strategic competition in the Indo-Pacific there is a need to revisit Defence’s assumptions around risk management. To do so, this article presents some common issues associated with defining risk, identifies three different categories of risk, and provides some suggestions on how notions of risk might be dealt with within Defence in the future.

Defining Risk

Very few topics will generate as much frustration and confusion as risk management in Defence. For instance, how might understandings of risk and the identification of opportunities be rethought in a way suggested by the quotes that opened this article, but still be reconciled against the varied risk management policies within Defence which deliberately seek to steer well clear of any crisis? Academics B. Fischoff, S. R. Watson and C. Hope argue that the definition of risk is inherently controversial due to the unrecognised disagreements about what is meant by risk. The definition of risk has the likely effect to impact the outcome of policy debates, the allocation of resources and the distribution of political power in society. Moreover, without proper review and alignment this also has the effect of creating distortion and organisational skewing of risk perceptions based on long standing assumptions and organisational norms. Therefore, it would be improper to have a single definition of risk for all situations because there is no one definition suitable for all problems. ‘Rather, the choice of definition is a political one’ highlighting the importance one places on certain events in particular situations. For instance, in 1958, the Air Force Scientific Advisor, W. B. Kennedy, advised against installing cockpit voice recorders in Air Force aircraft. Kennedy instead wrote ‘... to the RAAF, the loss of aircraft is an accepted risk with a predicated cost.’[1] Kennedy’s comments represent the Air Force’s attitude towards aviation risk management during the Cold War which took precedence over aviation safety and reflect a stark contrast to the modern narrative within Defence. To overcome the problems of being bound to a singular and universal definition, academics R. S. Kaplan and A. Mikes propose three risk categories and different systems in managing risk as follows.

Preventable risks

Preventable risks are those that are internal to the organisation with a degree of control existing over them. Hence, they should be eliminated or avoided. Examples can include policies to prevent unethical use of Defence funds or materiel that can lead to reputational risk within Australian society. In this context, Defence’s aviation safety framework is a prime example that seeks to avoid preventable risks by mandating specific rules in managing aviation related safety risks.

Strategy risks

Organisations routinely accept strategy risks to increase the net gains from their strategies. In this context, strategy risks are different from preventable risks as they are not always undesirable. For instance, Defence’s ongoing close alliance with the US that enables the Australian government to achieve extended deterrence is also a strategy risk requiring Defence to provide niche contributions to various allied operations over the years. Given prevention is not the ultimate aim means that a rules-based system would be inadequate to manage strategy risks. Therefore, strategy risks require a risk management system that minimises the resultant effect and the likelihood of harmful aspects of strategy risks should they occur, while maximising the opportunities that they create.

External Risks

External risks are those that are outside the organisation’s control. COVID-19 and its impact on all aspects of society is a topical example of an external risk. Given such events cannot be avoided, efforts should be spent in identifying and mitigating their impact. This is a rather difficult task requiring foresight and the freedom to question existing norms to mitigate the effects of an event should it occur. For example, the ability of Defence’s high end capabilities to achieve the reach and duration required of them are closely linked to liquid energy stockpiles on Australian soil or place of operation. A Sino-Indian conflict in the region may disrupt the sea lines of communication which will have a severe impact on Defence’s ability to generate strategic effects. The establishment of sovereign capabilities able to produce and store liquid energy from indigenous feedstock can mitigate external risks such as a Sino-Indian conflict in the region, thus ensuring that Defence is capable of continuing to support the Australian government.

Risk versus Opportunity: Two parts of a whole

There is a large body of evidence within Defence to suggest that risks are treated via rules-based risk management systems due to a culture that values prevention of failures. This is, fundamentally, an untenable position for Defence to continue to hold. Arguably, such a culture inhibits the generation of opportunities and innovation. True innovation can only occur after a cultural shift occurs; one which generates a culture that values the benefits offered by failures. In his intent, the Chief of Air Force states that the Air Force will not succeed by treating risk, but by seizing opportunity. Similarly, retired Air Commodore Bill Kourelakos argues that the existing risk averse culture within Defence, coupled with the implementation of loss-focussed aviation safety regulations, are preventing the ability to seek opportunities while generating further conservatism. These examples highlight that systems traditionally designed to manage preventable risks may no longer be viable, regardless of the perceived certainty that they provide. More importantly, preventable risks and external risks represent the thin bookends of a risk continuum dominated by strategy risks. While isolated risk decisions may have been acceptable in the past, in an era of strategic competition in the region this is no longer acceptable.

Risk decisions are about being able to view all three risk categories in cohesion and making a choice for a net benefit. For example, the effects of natural disasters present complex risks for Defence including the ability to respond at a notice against drought, fires and inundation within Australian borders. While outside Australian borders, major effects of natural disasters can be large-scale human suffering, instability in the region, conflict, and substantial population movements across the porous borders of fragile states. However, the ability to effectively respond to natural disasters can also create many opportunities. For instance, academic D. Brewster argues that Australia’s work with India, the US and Japan in the multilateral naval response effort to the 2004 Tsunami was a turning point in India’s decades-long non-alignment policy. Cooperation between the four navies directly led to the 2007 proposals for a Quadrilateral (QUAD) Security Dialogue which has gained further strategic importance recently within the Indo-Pacific region. Defence’s response to the 2004 Tsunami is a great example that highlights the interactions and good management of the three risk categories starting from available materiel and trained personnel which have led to the generation of a substantial opportunity in establishing the QUAD. In contrast, the circumstances behind the Navy’s Rizzo review is a stark reminder of the opportunity cost of mismanaged risks hampering the availability of mission-worthy materiel to generate strategic effects.

Now what?

In light of the above examples, generation of opportunities will require a concerted effort from the whole institution. This involves driving a strategic narrative to highlight that risk decisions require being able to view all three risk categories in cohesion and challenge Defence personnel to view risk management as a means to generate opportunities. Commanders must empower their subordinates, provide them top cover, and recognise the lessons gained from innovation failures. Professional military education must inculcate risk management as a means to generate opportunity while unnecessary governance must be avoided. Additionally, Defence personnel must no longer see themselves in discrete silos, responsible for managing one type of risk divorced from the world in which Defence operates in the hopes of preventing failures. They must leverage the decades of success and knowledge that they have gained from their past experiences. Further, they must view risk management of preventable risks as a starting point rather than a finishing line and look for creative solutions to emerging problems. Importantly, personnel must avoid a singular focus on obviating past failures or rely solely on ‘one size fits all’ attitudes towards risk management. These behaviours stifle innovation and fail to address contemporary challenges with potentially dire strategic implications in the long run.


Management of risk within Defence remains a hot topic likely to generate rigorous discussion. This is generally due to the unrecognised disagreements about what is meant by risk. Moreover, Defence’s drive to manage risk through endless rules-based risk policies creates a dissonance between a focus to prevent failures through strict rules, while lamenting the lack of generated opportunities. This is because a single rules-based risk management approach is inadequate for all situations. It is more appropriate to view risk through the lens of preventable, strategy and external risks in cohesion. Therefore, relying solely on a rules-based system as a ‘one size fits all’ to try to manage all manner of risk to prevent failures must be avoided. To achieve this there must be a cultural shift regarding risk within Defence requiring a concerted effort from every part of the institution. Only when Defence’s culture recognises that risk management is a means to an end, rather than an end in itself, can it take on higher-risk, higher-reward opportunities than its competitors.

The views expressed are the author’s alone and do not reflect the opinion of the Royal Australian Air Force or the Department of Defence.

Wing Commander Ulas Yildirim is the Deputy Director Force Structure Design in Air Force Headquarters. He has a Masters in Military and Defence Studies from ANU and a Doctorate in Aerospace engineering from RMIT. He is also an editor of The Central Blue blog. Follow him on Twitter @lightningulas

References [1] W.B. Kennedy, "Aircraft Crash Recorder," ed. Department of Air (Melbourne: Commonwealth of Australia, 1958).


bottom of page