ISBN 9780593192207, Penguin Books, 2021, 343 pages, $17.49 (hardcover)
Reviewed by: Ibrahim Kocaman, Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA
Operating under uncertainty has perhaps never been as challenging as it is in today’s global landscape. Whether you lead a governmental agency, a military unit, a business, or are just an ordinary citizen, the environment you need to navigate is characterized by a myriad of risks. These arise from the intricate mix of political and economic uncertainties, rapid—often disruptive—technological changes, ramifications of the AI revolution, and unconventional challenges like climate change, among others. If you are struggling to manage the risks you face, General Stanley McChrystal and co-author Anna Butrico’s book Risk: A User’s Guide offers a beacon of hope. Speaking from experience, McChrystal proposes embracing risk intelligently, and rather than preoccupying yourself with things beyond your control—like the risk itself—focus on what you can control and how you can develop immunity against risk by empowering yourself and your organization. This main argument is predicated upon McChrystal’s proposition that “we are, most often, the architects of our fate.” Ultimately, McChrystal aims to emphasize the agency we have in developing our responses that collectively build our immunity against risk.
The book’s central argument is that “at its core, effective risk management is about leadership and how capable leaders are in fostering resilience within their organizations.” While this is not the first book that puts the spotlight on leadership, it makes a noteworthy contribution to our understanding of decision-making in an unpredictable environment.
On the contrary, McChrystal starts by acknowledging that risks will always be there. Breaking down risks into several categories (i.e., communication risk, narrative risk, and structural risk), he highlights the host of challenges all types of organizations—government, military, and business—face in navigating the uncertainties of our world. His nuanced conceptualization of risk pertains to both external threats and internal vulnerabilities.
The book is organized into three major parts spanning seventeen chapters, along with a prologue and an epilogue. In part one, the authors prepare the reader for their central thesis by conceptualizing risk as “the probability of something unwanted happening, and the potential consequences if it did.” They illustrate this with the example of the Sword of Damocles, where the sword hanging over the king’s throne represents the risk, and the combination of its probability of falling and the calamity it would create if it did constitutes the actual risk. The authors also offer their blueprint for addressing risk, which entails an approach that acknowledges risk as an inescapable reality, albeit something that is still manageable by building resilience at both individual and organizational levels. McChrystal calls this blueprint a “Risk Immune System.” He proposes four functions essential to an effective Risk Immune System: Detect, Assess, Respond, and Learn.
In part two, the chapters are organized around risk control factors, as the book intentionally focuses on what one can control in responding to risks. McChrystal identifies ten dimensions of control that need to be monitored and adjusted to build his proposed Risk Immune System:
- Communication: How we exchange information
- Narrative: How we present who we are and what we do
- Structure: How we design our organization
- Technology: How we apply equipment, resources, and know-how
- Diversity: How we leverage the host of abilities and perspectives we can tap into
- Bias: How our assumptions about the world impact us
- Action: How we overcome inertia/resistance in implementing our response
- Timing: How the timing of our action affects its effectiveness
- Adaptability: How we respond to changes in the risks and environments
- Leadership: How we direct and inspire the Risk Immune System (pp. 11-12).
After identifying these dimensions of control, in part three, McChrystal offers 11 practical solutions, combinations of which could be tailored to an organization’s needs to build a relevant toolbox for enhancing resilience to risk. These solutions include assumptions check, risk review, risk alignment check, gap analysis, snap assessment, communications check, tabletop exercise, war gaming, red teaming, pre-mortem, and after-action review.
The book is well-organized and structured, and at times it reads like a textbook from a course syllabus on management. That said, the book balances theoretical concepts, statistics, and leadership principles with real-life examples. It strikes a fair balance between conceptual arguments and practical applications, blending in case stories, vignettes, and historical accounts—such as Pearl Harbor, the 9/11 attacks, and the COVID-19 pandemic—along with contemporary cases from the business world, including Apple, Google, and Boeing. It also frequently draws on McChrystal’s recollections from his lengthy military career and personal history. This delicate balance and exceptional storytelling make the book appealing to a broader audience, including military personnel, educators, executive leaders, and entrepreneurs.
While mostly well-received within the community, the book has garnered some criticism, such as in National Review and from Air Force Brigadier General Chad Manske. Both critiques argued that McChrystal lacked credibility due to his failures in Afghanistan. Judging McChrystal’s competence in risk management solely based on his relatively brief tenure (just over a year) as commander of the International Security Assistance Force (ISAF) overlooks his much longer military career.
Yet, the book and McChrystal’s proposed blueprint for a Risk Immune System (RIS) are not free from their drawbacks. To start with, while it presents many useful analogies, McChrystal’s RIS framework reflects an oversimplification of the complex and multifaceted dimensions of risk that organizations across various sectors encounter. Second, thanks to his colorful military career, the book heavily relies on military analogies in developing and defending its central thesis. This leads to an overemphasis on organizational structures akin to the military, which might come at the expense of individual agency—something the book conversely aims to advocate for. Finally, the book and the proposed RIS framework focus exclusively on internal risk factors within individuals and organizations, largely neglecting external risks such as political, economic, societal, and cultural variables, all of which have undeniable effects on the level and gravity of risk. While one may argue that such an exclusive focus aligns with the basic premise of the book—focusing on what you can control—it could still offer insights into how the effects of external factors could be mitigated.
All in all, McChrystal and Butrico’s book offers useful insights and provides readers with a risk management framework that could be applied to a diverse range of organizational settings, including all levels of government, the military, and industry. McChrystal’s call for a focus on people and what they can control—rather than fixating on the inherent characteristics of risk that are well beyond our control—constitutes a significant contribution to the risk management literature and has clear policy implications. His nuanced conceptualization of risk and emphasis on leadership as essential to developing an organizational response to risk should also be noted. These valuable insights make this book a guiding light for readers seeking to navigate the complexities of today’s world. The book also serves as a valuable resource for leaders whose mandates entail protecting their organizations from the dire consequences of unpredictable and inescapable risks.
Ibrahim Kocaman, PhD, is an Assistant Professor in the Department of Security Studies and International Affairs at Embry-Riddle Aeronautical University.
