Rethinking Risk in Great Power Competition

In the Future . . .

  • Integrated deterrence and active campaigning will create new planning requirements for the U.S. Department of Defense (DOD). Great power competition and efforts to achieve a position of advantage short of triggering dangerous military confrontations will push the DOD to explore alternative methods for assessing risk to force and risk to mission.[1]
  • The national defense community will view risks as interdependent and adjust contingency plans according to real-time changes in the global security environment. A new risk assessment methodology that accounts for changing circumstances, uncertainty, and interdependent risks will enable the DOD to understand how militarized disputes and crises in one theater of operations create additional risks in other theaters.
  • These new approaches to globally integrated campaigning will integrate Bayesian reasoning and data science to modernize strategic analysis. The DOD will better integrate human capital, technological, and procedural improvements that embrace probabilistic and inductive reasoning. A Bayesian approach to risk assessment and communication will allow policymakers to view risk globally and holistically while having real-time updates to risk assessments that help combatant commanders determine how to reallocate resources across combatant commands (CCMDs) and invest in new capabilities.


Between the spring of 2021 and winter of 2022, Russian military forces began to mass combat troops along Ukraine’s eastern border. In anticipation of a “potential imminent crisis,” U.S. European Command (EUCOM) increased intelligence, surveillance, and reconnaissance.[2] During the same timeframe, China’s People’s Liberation Army (PLA) increased the number of aerial incursions into Taiwan’s Air Defense Identification Zone to occur on a near daily basis—raising tensions regionally, particularly with the United States.[3] These simultaneous crisis events present the DOD with unique strategic and operational questions: How do ongoing crises change operational plans? When should DOD leadership—from planners in Central Command (CENTCOM) managing a portfolio of options for countering Iran, to teams in U.S. Forces Korea seeking to deter North Korea—adjust their risk assessments?

This edition of the On Future War series proposes a new methodology for risk assessment in defense planning. The brief argues that adapting Bayesian reasoning and proven data science methods and concepts to defense planning can help policymakers and planners better assess the risks arising from globally integrated operations. Seeing integrated deterrence and active campaigning in terms of a set of interdependent and continuous risks and opportunities will allow planners to better calibrate operations, activities, and investments in great power competition.

Modern military planning differentiates between crisis and contingency planning.[4] Based on strategic direction, including documents such as the National Military Strategy and National Defense Strategy, the Joint Staff prepares the Joint Strategic Campaign Plan, which outlines priorities for CCMD contingency plans, including what potential crises to focus on and how often to update plans. Since these plans are bets about hypothetical futures, they tend to be isolated, static, and deterministic “what if” propositions. During a crisis, the military profession pulls a contingency plan off the shelf and adapts its assumptions about the threat and environment to changing circumstances. This process often includes the Joint Staff convening forums such as a “tank” and soliciting input from service chiefs and CCMDs to codify risk. The process allows the plan to be updated with new information as it is translated into a set of orders for approval by the secretary of defense. However, these updates are generally focused on a single contingency plan or crisis rather than a family of contingency plans, and they occur in an ad hoc manner driven by operational timelines rather than a holistic, data-driven examination of the new operating environment.

The problem the U.S. military faces with respect to risk is not with crisis planning but in how, when, and why to adjust contingency plans. At present, most contingency plans are updated in two-year cycles and, even then, often in isolation of larger changes in the global security environment. Plans exist as massive Word and PowerPoint files with Excel annexes that are disconnected from large data pools tracking changes to the military balance and force posture. As a result, the current DOD risk assessment methodology with respect to contingency planning is hampered by three primary weaknesses in global integrated campaigning:

  1. Risks identified during contingency planning are often viewed as isolated or discrete rather than interdependent. This weakness prevents the DOD from assessing and communicating to decisionmakers how changes in the likelihood of one driver of risk can impact other drivers across a portfolio of contingency plans.
  2. Assessments in contingency plans tend to be static—updated in isolation every two years—rather than dynamic. This weakness means that DOD risk assessments are not updated as circumstances change or as new information is collected, leaving decisionmakers behind the curve as they update plans often loaded with outdated assessments during a crisis. Someone has to update those massive PowerPoint and Word files to adapt an often two-year-old assessment of risk into a set of viable options for using military force to achieve political objectives, often in crisis environments prone to condensed timelines, friction, and uncertainty.
  3. Planners identify risk to force and risk to mission within a contingency plan using a single deterministic approach to probability. DOD risk assessment methodology used in contingency planning and to support global military integration fails to communicate dissenting views and weaknesses in underlying information or models, leaving decisionmakers with a distorted view of the real likelihood of a threat or hazard’s occurrence.

In contrast to a crisis, where the Joint Chiefs of Staff and combatant commanders weigh in and adjust risk assessments, contingency planning tends to treat each risk as isolated, discrete, and deterministic. In a defense strategy driven by multiple, global campaigns seeking to gain and maintain a position of relative advantage, it is untenable to rely on the two-year planning update cycle or wait for a new crisis to update a risk assessment. Instead, active campaigning requires a constant reframing of key assumptions that captures the temporal component of risks identified during planning as they compound, wane, or accrue to new stakeholders over time.  As the world changes, the plan should adapt. Furthermore, even when an emerging military crisis isn't linked to a specific contingency plan, military planners can adapt risk assessments associated with a family of campaign plans involving the same adversary to tailor their response and manage escalation.

Active campaigning requires a constant reframing of key assumptions that captures the temporal component of risks identified during planning as they compound, wane, or accrue to new stakeholders over time.  As the world changes, the plan should adapt.

Sometimes new problems call for old solutions. An eighteenth-century idea about induction and probability—Bayes’ theorem—can help the DOD rethink how it approaches assessing risk in twenty-first-century global competition. Defense enterprise and military professionals can follow many other domains of practice—from insurance and finance to artificial intelligence and machine learning—and integrate Bayesian probabilistic reasoning into the DOD decisionmaking and planning processes.[5] This brief will map out how to make this change. First, the brief will examine the current risk assessment methodology prevalent not just in the DOD but across the military profession. Second, the brief will define the core concepts inherent in a Bayesian approach to rethinking risk. Finally, the brief will specify key changes the DOD can make to bring its planning and decisionmaking processes into the twenty-first century.

Current DOD Risk Assessment Methodology

The DOD's Joint Concept for Integrated Campaigning (JCIC) envisions a security environment in which the United States constantly competes with adversarial great powers and near-peer competitors.[6] This competition takes place along a continuum of actions in which the DOD will often play a supporting role to other elements of U.S. national power.[7] However, rather than seek “victory,” the JCIC identifies that victory is ephemeral—or indeed nonexistent—because states compete for a position of advantage vis-à-vis their adversaries. Absent a strategic goal of regime change, the adversary will do the same.[8] Thus, there is no end to a campaign of competition, only the continued search for windows of opportunity to advance interests short of war. This idea of substituting competition for war is an old idea in the deterrence literature.[9]

In this environment, risk assessment is central to understanding the potential gains and negative outcomes from the DOD and other agencies’ competitive actions. The need to clearly understand the potential gains and losses of a particular action is central to making the decision to assume risk.[10] However, this decision is complicated when the risk assumption is not discrete and must instead consider the effects of past actions, the impacts of and to other stakeholders in the integrated campaign, and the potential consequences for future actions. For example, when crisis response necessitates shifting large ammunition stockpiles to a partner such as Ukraine and increases the number of forward-deployed troops in Europe, it impacts contingency plans to respond to Iranian aggression even if that contingency planning is not due for an update for another year. This creates a dangerous lag in which plans tend not to be updated until either the formal process or a new crisis beckons.

In addition to this bureaucratic dilemma, there is a larger philosophical limitation to how the U.S. military profession approaches risk. The overarching approach to risk assessment within the DOD is governed by three interrelated variables: the likelihood that a threat or hazard will occur, the severity of the threat or hazard, and whether the potential gains of a course of action outweighs the risks.[11] The DOD’s risk assessment methodology begins with the identification of a threat or hazard.[12] An assessor uses their intuition, rather than a systematic method, to guide the identification of risks.[13] Once a threat or hazard is identified, an assessor defines the probability that the hazard will occur and the severity of the resulting outcome.[14] The DOD relies on a subjective approach to assess the likelihood of an event, which is then converted into one of four probability levels, with set levels of certainty ranging from very unlikely (~0–20 percent) to very likely (~81 to 100 percent)[15] Once this probability is established, the assessor seeks to identify the severity of potential harm using four consequence levels ranging from minor to extreme.[16] In combining these two metrics, the DOD formulation allows for an expression of risk.[17] Upon identifying and assessing all risks, an assessor recommends mitigation measures to either avoid risk by forgoing a course of action or control risk by implementing controls to decrease the probability or severity of occurrence.[18] After implementing mitigation measures, the assessor is left with the residual risk.[19] This remaining risk allows an assessor to state the overall risk of an activity or operation, which the DOD defines as either the highest remaining individual residual risk or an undefined composite of remaining residual risk.[20]

Figure 1: Generic Risk Contour

Figure 1: Generic Risk Contour

Source: U.S. Joint Chiefs of Staff, Joint Risk Analysis Methodology, CJCSM 3105.01A (Washington, DC: Joint Staff, October 2021), B-6, Fig. 5,…

This approach to risk during contingency planning is flawed in three ways. First, each threat or hazard tends to be viewed independently of other risks to military operations or U.S. strategy.[21] Until a crisis, events in Ukraine and Taiwan—much less requirements to support allies from Japan to Israel—are treated separately by planners. While a forward-thinking commander can order a review of their portfolio of contingency plans relative to an emerging global crisis such as Ukraine, the underlying risk assessment methodology and bureaucratic process for updating plans makes such action the exception, not the rule.

Further complicating assessments, risks are also not tied to positive outcomes, which undermines the ability of contingency planners to assess whether to accept or forego the risk.[22] Contemporary defense planning lacks a clear understanding of opportunity costs and should shift from cost-benefit analysis (i.e., marginal analysis) to seeing decisions in terms of risks and opportunities (i.e., return on assets).[23] Even if these tried-and-true concepts are applied during crisis response, the underlying contingency plans do not see risk in these terms and tend to treat isolated risks as something to be mitigated as opposed to assumed relative to a gain. Absent a concept of opportunities for relative advantage, this tendency can create a bias for plans that are risk averse. As a result, policymakers walk into a crisis with a more limited menu of options. For example, they are hampered in their ability to assess whether the potential gain of arming Ukraine in repelling Russian aggression is outweighed by risk from depletion of munitions stocks in the event of a crisis involving Taiwan, or whether shifting personnel and resources to arming Kyiv with Patriots impacts contingency plans to defend air bases against Iranian missile strikes.

DOD risk assessments also tend to be static. Risk is assessed on an annual basis through a variety of boards, bureaus, working groups, and cells as part of the risk assessment of the chairman of the Joint Chiefs of Staff as well as the annual Global Force Management process .[24] However, there is no formal, systematic, and comprehensive process to update risk assessments as force allocations change or as new global threats emerge outside of a crisis.[25] This may leave policymakers with a distorted view of events, such as China’s willingness or potential success in using lethal force to reunify with Taiwan in light of Russia’s relatively dismal performance, or how Iran might alter its use of proxies to challenge U.S. allies in the Middle East.

Contingency plans detail isolated (i.e., independent) assessments of risk as snapshots of a probable future (i.e., discrete, as opposed to continuous) absent a discussion of opportunities and uncertainty.

Finally, the DOD methodology takes an artificially deterministic approach to risk, seeking to assign a percentage probability to a threat or hazard’s occurrence without properly accounting for uncertainty.[26] This leaves policymakers with a single dimension of risk likelihood, without an understanding of where information might be lacking on Russian or Chinese capabilities or morale, or whether there are dissenting opinions among analysts that could contribute to a more robust understanding. The net result is that contingency plans detail isolated (i.e., independent) assessments of risk as snapshots of a probable future (i.e., discrete, as opposed to continuous) absent a discussion of opportunities and uncertainty. This approach creates additional burdens during crisis response and limits a more adaptable approach to active campaigning and managing global force posture along the lines required by integrated deterrence.

Weakness 1: Risks Are Isolated and Discrete, Not Interdependent

As outlined above, contingency plans view each risk as independent of all others.[27] Even though “comprehensive” risk pictures are presented to decisionmakers during a crisis and the current risk assessment methodology emphasizes the importance of identifying risks across services and CCMDs, each threat or hazard is still assessed and presented independently during planning.[28] However, risk probabilities can be highly interdependent. Within the DOD, risks can be present across CCMDs or affect multiple interagency partners. Events in Ukraine and Taiwan are not seen as related by planners, even though the consequences of military escalation in either affects military planning and force posture in the other. Additionally, new domains present new challenges. Cyberspace operations targeting a rival in one state may spill over into civilian networks in the same state or in neighboring states. This isolated view of risk is incongruent with the nature of contemporary military operations and defense planning.

A wide range of industries and professions have made the leap to seeing risk as interdependent.[29] From pandemics altering supply chains, to a war in Ukraine affecting food prices in Africa, interdependent risks have affected the entire world over the last three years. Yet, the DOD and its current planning framework isolate risk assessments (e.g., risk to force and risk to mission) and struggle to visualize and describe global risk in a real-time manner that supports active campaigning and global contingency planning.[30]

Weakness 2: Assessments Are Static, Not Dynamic

The risk assessment of the chairman of the Joint Chiefs is provided to Congress for any risks the chairman identifies as “significant” or “high.” However, this is a snapshot taken on an annual basis to satisfy a congressional reporting requirement.[31] Similarly, during regular on-cycle reviews of CCMD contingency plans, there is a static and discrete risk assessment presented to inform the secretary of defense’s decision to approve or execute the contingency plan.[32] While the DOD's risk analysis methodology seeks to assess risk across various timelines, this is in relation to different functions and is still presented as a snapshot at a given time.[33] Changes in U.S. or adversary domestic political circumstances or adversarial behaviors may change the actual probability that an event will occur as well as the combatant commander’s understanding of the likelihood of an event’s occurrence.[34] U.S. actions in the CENTCOM area of operations may change the way China views the costs and benefits of military action against Taiwan on a timeline that renders a plan out of date by the time the natural two-year update cycle rolls around. A decisionmaker may be more apt to accept the potential of a negative outcome of U.S. involvement in Ukraine if, for instance, new or updated assessments indicate that Russia has depleted its stocks of precision-guided munitions and is thus expected to be less militarily effective.[35] Changes occurring from internal DOD processes, such as modifications to the Secretary of Defense Orders Book (SDOB) or to the allocation of resources, and changed actions and perceptions of threat actors continuously affect risk calculations.[36]

Two components of risk in particular demand consistent updating, as risk assessments are perishable and have an indeterminate temporal component, after which their accuracy or relevance degrades. First, the understanding of the likelihood of a risk will change over time. Increased information can lead to a refined understanding of the probability that a threat or hazard will occur, a concept that is critical to a proper application of Bayesian probability.[37] Changed circumstances may also impact the actual probability of a threat or hazard’s occurrence.[38] Second, as time progresses, uncertainty about an event decreases.[39] While uncertainty never goes to zero, the reduction in uncertainty should alter risk assessments in a dynamic manner. This applies as much to planning as it does to crisis response. A plan to defend a non-treaty ally from cruise missile strikes by China should adjust its risk assessment when estimates of stockpiles or the known accuracy of PLA capabilities change. In fact, much like traders at hedge funds, it is conceivable that planners could set thresholds in their plans triggered by events that force a review of the contingency plan. After all, contingency plans are similar to the investment portfolios insurance companies use to ensure they have enough capital to pay out claims in the event of a major crisis. If those firms fail to shift their portfolios as estimates about the impact of climate change on flood and storm damage became more certain, they risk bankruptcy.

Weakness 3: Risks Are Assessed Using a Single, Deterministic Approach to Probability

The DOD's methodology assesses risk on a single dimension of likelihood, one which does not leave room for uncertainty or communicate the potential gaps or weaknesses in assessment methods or underlying information. For the purposes of global campaigning, joint risk assessments express likelihood using a pseudo-deterministic percentage that a risk will occur. The risk assessor uses their intuition to assess how likely a risk is to occur and then, using a formulistic process, converts that intuition into a percentage likelihood. This gives the false impression of statistical rigor and the sense that an event will occur a certain percentage of the time. This method does not express all the ways that the likelihood of a risk could be assessed and does not include a component to deal with uncertainty. Bayesian theory provides a means to assess the probability of a risk’s occurrence in deterministic, probabilistic, and uncertain environments by leveraging known information and applying experience in conjunction with data analysis to extrapolate the likelihood of an event in the future.[40]

Viewing risks as independent constrains the DOD's ability to assess the merits and drawbacks of a range of contingency plans across multiple CCMDs. For instance, as the United States provides arms and equipment to Ukraine, including anti-air and coastal defense systems, several interdependent risks are present.[41] The risk of escalation with Russia may present new risks to contingency plans linked to defending a NATO ally in the event that Russian strikes target incoming military supply shipments from Poland.[42] Iran’s recent provision of lethal unmanned aerial systems to Russia also lends a horizontal escalation element to the conflict that creates cascading risk across geographically aligned contingency plans.[43] For example, is Iran more or less confident in their swarming munitions based on their use in Ukraine? And how does it affect their willingness to use military force to achieve their military objectives in the Middle East? Understanding the ways in which these risks are interdependent is critical to maintaining a more viable set of updated contingency plans that reflects changes to the security environment in a more dynamic, as opposed to static, manner. 

As bets about possible futures, static risk assessments fail to account for changing circumstances. As Chinese officials observe the Russian invasion of Ukraine, it is unclear what lessons the PLA is learning or what adjustments they might make to operational plans to reunify Taiwan with mainland China.  One significant event that will change Beijing’s operational plans is Taiwan’s defense minister indicating that Taiwan should mirror image the Ukrainian resistance in the face of any PLA invasion. Furthermore, while there are no indications that China has provided weapons to Russia, it has enabled Russia to evade economic sanctions and permitted large cargo aircraft to ship hundreds of tons of unspecified “e-commerce and clothing goods” to Russia.[44] With Taiwan learning from the Ukrainian resistance and China potentially depleting its munitions to assist Russia, an accurate risk assessment in contingency planning with respect to Chinese military action in East Asia must be updated with each new piece of information. Planners can no longer afford to wait two years to assess their plans. Worse still, the DOD cannot expect its planners to provide dynamic assessments if its “program of record” for planning remains a bundle of programs such as PowerPoint and Word that leave the military professional downloading large files as opposed to linking data points across documents and running background applications analyzing risk relative to changes in the security environment.

Similarly, risk assessments must both analyze and communicate known and unknown factors to defense leaders. Foreign actors’ perceptions and intentions are notoriously difficult to assess, particularly in authoritarian states. As a result, understanding Chinese escalation thresholds or assessing Chinese willingness to invade Taiwan, as opposed to using other coercive means of reunification, is nearly impossible with any certainty.[45] As a result, risk communication to policymakers should not be presented in terms of “Chinese horizontal escalation in the Straits of Luzon is X percent likely.” Rather, risk communication should be presented as: “We assess Chinese horizontal escalation in the Straits of Luzon is X percent likely. However, we do not understand the decisionmaking process between the Chinese Communist Party Politburo, the uniformed officers of the Central Military Commission, and President Xi and see this decision as altering the escalation threshold.”[46] Sadly, such qualifications tend to be treated as equivocating by a profession trained to see risk as deterministic. What appears as bureaucratic doublespeak is actually an attempt to quantify uncertainty and update forecasts as new information becomes available that replicates key aspects of Bayes’ theorem.

A Bayesian Risk Framework

Reverend Thomas Bayes was an eighteenth-century English Presbyterian minister who postulated a method to ascertain the probability of an event given knowledge of related evidence and assumptions about related events. Bayes’ theorem was published posthumously in his Essay Towards Solving a Problem in the Doctrine of Chances in 1763. Bayes’ theorem is essentially a wager on the relationship between two observed events that seeks to determine the probability of event A occurring when observing event B. In order to inform this wager, the theorem uses assumptions about event B’s occurrence when observing event A and prior evidence of event A’s occurrence independent of any other factor. These are termed “priors,” or “prior probability.” The theorem also uses observed evidence about event B’s occurrence independent of other factors to help inform any relationship between events A and B (termed a “marginal probability”). The result after observation is a “posterior probability,” which is updated to reflect new evidence and conditions as they occur.[47] Applied to modern defense, military planners can integrate assumptions such as how arming Ukraine alters underlying assessments of the security environment in contingency plans linked to China and Iran.

Figure 2: Formula for Bayes' Theorem

A Bayesian concept for risk assessment would incorporate three conceptual underpinnings supported by a suite of new capabilities, competencies, and organizational structures. Probability theory will primarily focus on implementation of the Bayesian concept of probabilistic likelihood in the face of uncertainty. Probability theory involves the assessment of the likelihood of an event’s occurrence using a combination of statistical analysis, holistic expert input, and real-time or near-real-time sampling and updating.[48] In applying these concepts, probability theory can help implement the Bayesian approach to using current knowledge or evidence to model outcomes under relatively known circumstances, extrapolate to reasonably well-understood circumstances, and provide resilient decisionmaking ability in the face of unknown circumstances. In other words, contingency plans could be updated and refined continuously as circumstances change.

Decision theory will support a dynamic and interdependent understanding of risk. Decision theory involves the weighing of potential risks and opportunities in an operational context to provide support to friendly decisionmaking and an assessment of potential adversary decisionmaking.[49] This capability would support greater understanding of adversaries’ competing interests in making risk management and assumption decisions as well as the ability to better assess risks and opportunities across both geographic and functional CCMDs. If updating contingency planning to reflect probabilistic reasoning provides a logic of change, incorporating decision theory translates these insights into a means of evaluating potential courses of action alongside branches and sequels.  

Finally, data science can assist with all three aspects of Bayesian risk assessment: seeing the world as probabilistic, dynamic, and prone to interdependence. Investing in human capital to conduct data analysis and build basic models alongside truly digitizing the defense enterprise would enable a range of novel applications. It would allow planners to set alerts in their contingency plans that help notify them to revisit key assumptions and risk estimates. For example, if a contingency plan in CENTCOM assumes the ability to deploy Patriot air defense battalions to defend key air bases on short notice, a planner could set a trigger to alter them if any event indicates there will be a change in the available number of Patriot battalions and munitions. More importantly, the Joint Staff would be able to see risks to global force posture across allocation tables in multiple contingency plans. By digitizing planning and creating a data infrastructure that allows cross-contingency plan queries, the DOD can overcome the challenge of isolated, discrete, and deterministic risk assessments.

Strength 1:  Risks Are Assessed and Communicated Using Multiple Dimensions of Likelihood

Risk probability can be expressed in multiple ways, with alternative approaches better suited to different circumstances. A deterministic or frequentist approach may be appropriate for events where there is a large sample size with data coming from multiple sources in which a reasonable understanding of likelihood can be ascertained.[50] In situations that are prone to uncertainty and less frequent, like the war in Ukraine, different approaches to assessing risk are required.

When data sets are less robust and the likelihood of an event is less certain, a Bayesian probability assessment provides a preferable model for risk assessment.[51] A Bayesian approach to risk assessment would be probabilistic and would assess the likelihood of an event’s occurrence based on historical evidence and extrapolation to future or unknown circumstances. This approach has the benefit of being based on knowledge and analysis of past events while accounting for uncertainty. The strength of a Bayesian approach to probability is that it provides a means to assess the likelihood of a future outcome or event without robust prior information. This contrasts with a frequentist approach to probability, which extrapolates the future likelihood of an outcome or event based solely upon past observations.[52]

A comprehensive risk framework should also account for uncertainty by taking a holistic view of the system in which risks occur.[53] To deal with the inherent uncertainty involved with assessing risks in complex systems years in the future, a holistic view that constantly reframes risks should be adopted to build a resilient and responsive system.[54] Holistic approaches have been developed in dealing with financial markets, including a number of adaptations to deal with the 2007–08 financial crisis, which resulted in part from attempts to suppress uncertainty.[55] One author has also advocated an approach that embraces uncertainty in weather forecasting to model operational risk related to DOD flight operations.[56] The value of embracing a holistic approach in uncertain environments is the ability to trust expertise or intuition in situations that are complex or in which data is lacking by simplifying and quantifying decisionmaking processes.[57] Applied to Ukraine, a Bayesian approach would allow decisionmakers to track their “bets” about outcomes in the conflict and the conflict’s relationship to other contingencies, adjusting the risk estimates as new information becomes available.

Strength 2:  Risk Assessments Are Dynamic through Constant, Near-Real-Time-Updating

A Bayesian methodology would be dynamic, as updated sampling and real-time integration of new evidence would change the theoretical assessment of an event’s likelihood of occurrence. In essence, the Bayesian assumptions change with every observation, and “prior” observations and forecast probability are updated with “posterior” probabilities.[58] With Ukraine, as battlefield events occur, a Bayesian model would adjust risk assessments and help global contingency planners beyond Europe adjust to new circumstances. For example, as Russia fires more cruise missiles at the Ukrainian electric grid, there may be a lower probability of horizontal escalation and Moscow pursuing military operations against Japan in the disputed Northern Territories.[59]

Strength 3: Risk Models Are Interdependent within and across Organizations

Finally, a Bayesian approach can assess correlation among drivers of risk, identifying where those drivers are interdependent. This approach to risk assessment and communication would incorporate three primary capabilities as components of a Bayesian approach to risk assessment—probability theory, decision theory, and data science—supported by new organizational structures and processes to increase collaboration among stakeholders. It would also ensure continuous updating as circumstances change or new information becomes available. This Bayesian approach to risk assessment would enable a better understanding of risks vis-à-vis potential benefits across CCMDs and the non- DOD federal departments and agencies required to implement globally integrated campaigning. This will enable policymakers to better weigh options, such as the choice between overt DOD assistance to Ukraine or a plan to provide clandestine or covert paramilitary and targeting support through special operations forces or non-defense agencies.

Policy Implications

Based on the insights provided by Bayesian risk assessments, in the future . . .

  • Defense planners will be able to leverage prior observations and real-time data to better weigh the risks and rewards of potential military action around the globe.
  • The DOD will invest in human capital and create a workforce literate in data science that can harness new information and Bayesian analysis to better understand changing security environments.
  • Cross-functional teams—leveraging multiple disciplines and including interagency partners as well as allies—will be created to execute periodic risk audits using Bayesian techniques to help the DOD visualize and describe the distribution of risk across its portfolios of contingency plans.

Real-Time Updating and Holistic Risk Communication

The DOD is awash with initiatives to improve its data practices, though not all have been successful—and the growing pains have at times been messy.[60] These efforts include components of cloud computing, artificial intelligence, command and control (C2), and cybersecurity.[61] What has been missing is a specific process or capability against which to apply those tools. Risk analysis and communication is one such area where “big data analytics” provides promise.

In this vein, dynamic risk assessments should include a methodology to update those assessments as new information is collected. Risk assessments should include a combination of real-time or near-real-time updating as new data is generated or forces are deployed, as well as regular assessments of key drivers of risk for ongoing operations. Risk assessments should provide clear timelines for the sources of risk assessed or expiration timelines for the assessment.[62]

Interdependent risk assessments should leverage cross-functional and interorganizational teams to strive for consensus in risk assessments, but any dissenting opinions should be captured as qualifications to the overall assessment and presented to the approval authority.[63] Risk assessments as part of both operational plans, concepts of operations at the CCMD level, and SDOB requests at the DOD level should articulate when risks are interdependent, how one or more drivers of risk are likely to change given the range of potential outcomes from an operation, and when risks are correlated but data is insufficient or otherwise fails to support interdependence.[64] Where models provide for correlation but causality is weak or uncertain, risk assessments should seek to offer alternative hypotheses as to the cause(s) or relationships between various drivers of risk.[65] Finally, probabilistic assessment supports, and is supported by, an understanding of interdependence and requires dynamic updating to provide maximum utility. The DOD should retain past assessments and update its data and models as information becomes available or circumstances change.[66]

Risk assessments should be informed by a combination of objective analysis and multidisciplinary subjective analysis using well-structured tasks and cues.[67] Risk assessments should employ numerical language to describe the probability of an event’s occurrence.[68] However, those numerical values should not be framed in deterministic terms. This can contribute to a false understanding, for instance, that a 50 percent likelihood of an event means that it will happen half the time; in reality, such a likelihood indicates a 50 percent bet that an event may occur half the time, based upon current information and understanding.[69]

As a result of this inherent uncertainty in probabilistic reasoning, risk assessments should present the approval authority with any weaknesses or uncertainty in the underlying evidence, data, or models.[70]

Enhance Human Capital

To fully implement a Bayesian approach to risk assessment, the DOD should pursue capabilities in three areas. These capabilities should be introduced conceptually at intermediate-level Joint Professional Military Education (JPME) and addressed in detail at senior-level JPME.[71] Specific billets should require additional skill identifiers tied to data science that would be provided in formal short courses (two to four weeks in duration).[72] The DOD and services should also incentivize attaining those skill identifiers, as well as demonstrated proficiency in data analytics, in a manner similar to diver or parachutist pay and foreign-language proficiency.[73]

Intermediate-level JPME is designed to educate future staff officers at the Joint Task Force (JTF) and CCMD level. These officers should have a basic understanding of probability theory, decision theory, and data science to support risk assessment and communication. This will better enable them to work with their counterparts across the DOD and with other federal departments and agencies to understand risk interdependence.

Senior-level JPME is meant to educate officers who will serve as primary staff advisers to the JTF and combatant commanders. These primary staff officers must be well versed in communicating risk—including the weaknesses or lack of information within risk assessments. These officers should have a thorough knowledge of risk assessment methodologies and, perhaps more importantly, communicate to policymakers what those models can and cannot forecast about risk.

Developing and incentivizing a cadre of military professionals who understand data science has the potential to revolutionize military planning. Rather than generalizing from old staff estimates and military theory to develop courses of action, personnel can augment their craft with more inductive approaches—integrating new data and bets about an uncertain future—to calibrate their assessments about underlying risks and opportunities in a plan. Seeing risk and opportunity inductively and prone to constant change will provide policymakers with a more dynamic understanding of the security environment that accounts for uncertainty and complexity.

Cross-Functional Teams and Outside Expertise

The Joint Staff should implement cross-functional teams (CFTs) leveraging expertise from multiple disciplines and external government agencies to support a holistic view of risks within the command.[74] The CCMD designated as the Global Coordinating Authority (GCA) should chair a standing interagency CFT to review and assess risk for the family of plans for which it is the proponent. In the Ukraine scenario, the Joint Staff should enable a CFT chaired by EUCOM that includes representation from other necessary geographic and functional CCMDs, the DOD, the Department of State’s Russia and Ukraine country teams, the Central Intelligence Agency, and all other departments that are components of the National Security Council.[75] In the Ukraine scenario, EUCOM’s CFTs should also include NATO, Ukrainian, policy, and other Baltic state representatives, as well as experts from private institutions (e.g., think tanks and academia) and federally funded research and development centers (FFRDCs). In the case of U.S. federal departments and international allies and partners, this CFT will not be a purely consultative body on the topic of risk; each should act as a sort of liaison to the relevant parent organization to maximize shared understanding and decision speed and quality. This type of CFT will enable risk assessments to address unknown circumstances and support the application of both probability and decision theory models.

The GCAs should develop a series of planning baselines for their assigned problem sets to better inform globally integrated planning. This will enable unified campaigns across CCMD geographic and functional responsibilities. Such planning baselines should include, at a minimum, an assessment of the range of adversary courses of action. The GCAs should also provide prioritized contingency plan objectives to guide CCMD-supporting campaign objectives. This will enable combatant commanders to better weigh risks and benefits when making decisions.

Finally, the CCMDs and GCAs should seek input from external experts such as non-defense federal departments and agencies and FFRDCs to assist in understanding and assessing interorganizational risks. Possible fora to provide this input could take the form of liaison personnel between the CCMD and NDFDA, in addition to regular consultative bodies at the action officer, directorate, and chief of staff/deputy commander level—all with a view toward incorporating external risk perspectives into the DOD's risk assessment model.


A Bayesian approach to risk assessment can mitigate the weaknesses in current DOD risk assessment methodology through the integration of three mutually supporting concepts. Bayesian risk assessment begins with a probabilistic approach and is supported by analysis of known data, extrapolation to reasonably known circumstances, and holistic expert perspectives to address uncertainty. This probabilistic approach should account for both intra- and interorganizational risk dependence as well as identify correlated risks where the data either does not support—or is insufficient to indicate—an interrelationship. In addition, this probabilistic approach should be supported by dynamic assessments to account for new information, which can impact both the actual and understood likelihood of an event, as well as address decreasing uncertainty as time progresses.

The DOD should adopt a suite of capabilities and processes to implement this Bayesian approach. Probability theory supports all three aspects of Bayesian inference. Decision theory, supported by a combination of technical tools and human capital, can assist in weighing risks against opportunities and understanding potential adversary actions. Finally, data science and near-real-time analytics will enable an improved understanding and communication of risks.

These functional capabilities should be supported by collaboration within and among the CCMDs, GCAs, and the Joint Staff and Office of the Secretary of Defense. DOD components should also collaborate with other stakeholders, such as NDFDAs and coalition partners, as well as with relevant subject matter experts. Finally, risk assessments should communicate both the inherent strengths and weaknesses of the data and models upon which they are based. As the data and models improve, risk assessments and assessment methodologies should be updated in near real time.

Incorporating this suite of capabilities, structures, and processes will enable a more accurate risk assessment methodology within the DOD. This Bayesian process is necessary to provide accurate and relevant risk assessments in support of globally integrated campaigning and to support informed risk decisions.

Lt. Col. Peter C. Combe II is currently assigned as the branch head, Community Plans and Innovation Branch, Judge Advocate Division, Headquarters Marine Corps. He is a graduate of the School of Advanced Warfighting (2022), the Marine Corps Command & Staff College – Resident Course (2021), and the Army Judge Advocate General’s Legal Center and School (2015). Benjamin Jensen is the senior fellow for future war, gaming, and strategy in the International Security Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C., and a professor at the School of Advanced Warfighting at the Marine Corps University. Adrian Bogart is a research assistant with the International Security Program at CSIS.

The views expressed herein are those of the authors, and do not represent the policies of the U.S. government, Department of Defense, Department of the Navy, or the U.S. Marine Corps.

This report was made possible through generous support from the Carnegie Corporation of New York.

Please consult PDF for references.

Peter C. Combe II

Branch Head, Community Plans and Innovation Branch, Judge Advocate Division, Headquarters Marine Corps
Benjamin Jensen
Senior Fellow, Futures Lab, International Security Program

Adrian Bogart

Former Research Assistant, International Security Program