What Is Composite Risk Management (CRM)?

Composite Risk Management (CRM) is a structured, five-step process used to identify hazards, assess their potential impact, and put controls in place before something goes wrong. Originally developed by the U.S. Army, CRM applies to everything from combat operations and training exercises to off-duty activities like road trips and recreational sports. The core idea is straightforward: every activity carries risk, and a deliberate process for thinking through that risk leads to better decisions.

Worth noting: the Army formally retired the term “composite risk management” in 2014 when it published ATP 5-19, replacing the older FM 5-19 manual. The process is now officially called simply “risk management.” But CRM remains the term most people know, and the five-step framework it describes is still the foundation of risk management across all military branches and many federal agencies.

The Five Steps of CRM

The process follows a logical sequence. Each step feeds into the next, and skipping one weakens everything that follows.

Step 1: Identify hazards. A hazard is any condition that could cause injury, illness, death, or damage to equipment and property. This step is about casting a wide net. You look at the mission or activity, the environment, the personnel involved, and the equipment being used. The goal is to list every realistic thing that could go wrong, not just the obvious dangers.

Step 2: Assess the hazards. Once you have a list, you evaluate each hazard based on two factors: how bad the outcome could be (severity) and how likely it is to happen (probability). These two ratings combine to produce a risk level for each hazard. This is where the risk assessment matrix, covered below, comes in.

Step 3: Develop controls and make decisions. For each hazard that presents unacceptable risk, you develop controls to reduce it. Controls might eliminate the hazard entirely, reduce your exposure to it, or change how the work gets done. The key decision here is whether the remaining risk, after controls are in place, is acceptable given the value of the mission or activity.

Step 4: Implement controls. Controls only work if they’re actually put into practice. This step involves communicating the plan to everyone involved, assigning responsibility for specific controls, and making sure the resources (equipment, time, training) are available to carry them out.

Step 5: Supervise and evaluate. The process doesn’t end once controls are in place. You monitor whether controls are working, watch for new hazards that emerge during execution, and feed lessons learned back into the process for next time. Conditions change, and a control that worked at the start of an operation may become inadequate as the situation evolves.

How the Risk Assessment Matrix Works

The matrix is the tool that turns subjective judgment into a consistent risk rating. It plots severity against probability to produce a color-coded risk level.

Severity is rated on a four-tier scale:

  • Catastrophic: Could cause death or loss of a major system
  • Critical: Could cause severe injury, serious illness, or major property damage
  • Marginal: Could cause minor injury, minor illness, or minor property damage
  • Negligible: Minimal threat to people, property, or the mission

Probability is rated on a five-tier scale:

  • Frequent: Likely to occur often or continuously
  • Probable: Will occur several times over the course of an activity or mission cycle
  • Occasional: Likely to happen at some point
  • Remote: Unlikely, but possible
  • Improbable: So unlikely it can be assumed it won’t happen

When you cross-reference these two ratings on the matrix, you get one of four risk levels: Low, Medium, High, or Extremely High. A hazard rated as catastrophic in severity and frequent in probability lands at the top of the matrix as extremely high risk. A negligible, improbable hazard sits at the bottom as low risk. The risk level determines how far up the chain of command the approval decision must go before the activity can proceed. Low-risk activities can typically be approved at lower levels of leadership, while extremely high risk requires senior commander approval.

Types of Controls

Not all controls are equal. They follow a hierarchy, with the most effective options at the top.

Elimination is the most effective approach because it removes the hazard entirely. If a route is known to have improvised explosive devices, choosing a different route eliminates that specific threat. In a workplace context, this might mean ending the use of a hazardous material or performing work at ground level instead of at height.

Engineering (physical) controls don’t remove the hazard but put a barrier between people and the danger. Guards on machinery, ventilation systems that remove toxic fumes, guardrails on elevated platforms, and interlocks that shut down equipment when a safety gate opens are all engineering controls. They work without relying on people to remember to do something.

Administrative (educational) controls change behavior through training, procedures, warnings, and scheduling. Examples include safety briefings, checklists, work rotation schedules, warning signs, lockout procedures, and pre-mission rehearsals. These controls depend on people following through, which makes them less reliable than physical barriers. They’re most effective when layered on top of engineering controls rather than used alone.

Personal protective equipment (helmets, body armor, gloves, eye protection) sits at the bottom of the hierarchy. It’s the last line of defense when higher-level controls can’t fully reduce the risk.

CRM Principles

Four principles guide how the process is applied in practice.

Accept no unnecessary risk. If a hazard doesn’t need to exist for the mission to succeed, eliminate it. Every risk you accept should have a clear payoff in terms of mission accomplishment.

Make risk decisions at the appropriate level. The person who accepts risk should have the authority and accountability that matches the level of risk involved. A squad leader can accept low-level risk for routine training, but a battalion or brigade commander needs to approve high-risk operations.

Accept risk when benefits outweigh costs. Risk management isn’t about avoiding all risk. It’s about making informed tradeoffs. Sometimes the mission demands accepting significant danger, but that decision should be deliberate, not accidental.

Integrate risk management into planning at all levels. CRM works best when it’s built into operations from the start, not bolted on as an afterthought. Waiting until the last minute to assess risk limits your options for reducing it.

When CRM Applies

CRM was designed for military operations, but its framework is used far beyond combat. The military applies it to training exercises, maintenance operations, convoy movements, aviation missions, and even weekend liberty plans. Service members often complete CRM worksheets before holiday weekends, assessing risks like long-distance driving, fatigue, alcohol use, and unfamiliar recreational activities.

The same five-step logic appears in civilian settings under different names. The FAA uses a nearly identical Safety Risk Management process for aviation safety. OSHA applies the same hierarchy of controls in workplace safety. Emergency management agencies use comparable matrices for disaster planning. The terminology shifts, but the core framework of identifying what can go wrong, rating how bad it could be, and deciding what to do about it remains consistent across all of them.

The process can be applied at three levels of depth depending on the situation. A deliberate risk assessment is a thorough, time-intensive analysis done during planning phases when you have days or weeks to prepare. A time-critical assessment compresses the same steps into a faster format for rapidly changing situations. And an ongoing assessment happens in real time during execution, as leaders continuously watch for new hazards and adjust controls on the fly.