The Risk Management Basic Course is one of the most widely required training courses in the U.S. Army. Every Soldier, leader, and Department of the Army civilian is expected to understand the five-step risk management process, the four RM principles, and the METT-TC framework for identifying hazards. Whether you are preparing for the course posttest, reviewing material before a deployment cycle, or studying for a promotion board, the questions on this exam test your ability to apply risk management concepts to real-world tactical and garrison scenarios.
This guide covers the core content tested in the Risk Management Basic Course. Rather than simply listing answers, it explains the reasoning behind each one so you actually understand the material.
That matters because the posttest questions rotate, scenario details change, and the exam increasingly tests application rather than memorization.
If you understand the underlying doctrine from ATP 5-19, Risk Management, you will answer any version of these questions correctly. For a broader overview of the risk management discipline, see our guide to the risk management process.
What the Risk Management Basic Course Covers
The Risk Management Basic Course is administered through the U.S. Army Combat Readiness Center. It provides foundational training on the Army’s risk management process as defined in ATP 5-19 (November 2021).
The course covers the definition of risk management, the four RM principles, the five-step RM process, the risk assessment matrix (probability and severity), the METT-TC framework for hazard identification, types of controls, the concept of residual risk, and responsibilities for risk decisions both on and off duty.
The posttest typically consists of 15 to 20 multiple-choice questions. These questions test your knowledge of RM definitions, your ability to identify the correct step in the RM process, your understanding of the risk assessment matrix categories, and your ability to apply the METT-TC framework to tactical scenarios.
The sections below walk through each major topic area tested in the course and provide verified answers with explanations drawn directly from ATP 5-19.
Risk Management Definition and the Four RM Principles
What Is the Definition of Risk Management?
Answer: Risk management is the Army’s primary decision-making process for identifying hazards and controlling risks across all operations and activities, both on and off duty.
ATP 5-19 defines risk management as “the process to identify, assess, and control risks and make decisions that balance risk cost with mission benefits.” The key phrase here is “balance risk cost with mission benefits.”
Risk management is not about eliminating all risk. It is about ensuring that the risks taken are necessary, understood, and controlled to the degree possible. The Army uses RM to maintain combat power while ensuring mission accomplishment.
For a detailed breakdown of how this definition maps to structured processes, see our article on the five steps of the risk management process.
What Are the Four Principles of Risk Management?
The 2021 update to ATP 5-19 established four RM principles (reduced from five in the earlier version). These principles guide every application of the RM process.
Principle 1: Integrate risk management into all phases of missions and operations. RM is not a standalone activity performed once during planning. It must be embedded throughout planning, preparation, execution, and assessment. Army units should apply RM to both operational and nonoperational (on-duty and off-duty) activities.
Principle 2: Make risk decisions at the appropriate level. The leader who will answer for the consequences of an incident is the person who should make the risk decision. In most cases, this is a senior officer or NCO, but small-unit commanders and first-line leaders may need to make risk decisions during execution.
The key idea is that risk decisions should not be pushed down to levels that lack the authority or information to make them properly, and they should not be held at levels too high to act in time.
Principle 3: Accept no unnecessary risk. An unnecessary risk is any risk that, if taken, will not contribute to accomplishing the mission or protecting the force.
This does not mean avoiding all risk. It means every risk accepted should have a clear purpose. The benefits of completing the mission must outweigh the potential costs of the risk.
Principle 4: Apply risk management cyclically and continuously. Conditions change during execution. New hazards emerge, existing controls may lose effectiveness, and the situation on the ground may differ from what was planned.
RM is not a one-time event but a continuous cycle of assessment and adjustment. This principle is the reason Step 5 (Supervise and Evaluate) loops back into Step 1.
A common posttest question asks: “Which of the following is NOT an RM principle?” The answer will be whichever option is not one of these four principles. Watch for distractors like “Eliminate all risk” or “Identify hazards during planning only” because neither of those reflects actual doctrine.
The Five Steps of the Risk Management Process
The five-step RM process is the operational core of the course and the most heavily tested topic on the posttest. Every Soldier is expected to know these steps in order and understand what happens during each one. For a broader perspective on how these steps connect to enterprise-level risk management frameworks, see our article on what composite risk management (CRM) is.
Step 1: Identify Hazards
Posttest Answer: The first step in the risk management process is to identify hazards.
A hazard is any existing or potential condition that can cause injury, illness, or death to personnel; damage to or loss of equipment and property; or degradation of the mission. Hazards can be threat-based (caused by enemy or adversary action) or accident-based (caused by environmental conditions, equipment failure, or human error).
How are hazards identified during mission planning? Answer: By applying the METT-TC framework to examine risks posed by the Mission, Enemy, Terrain and weather, Troops and equipment available, Time available, and Civil considerations.
This is one of the most frequently tested questions on the posttest. The METT-TC framework is the Army’s standard format for identifying hazards.
It forces a systematic review of each operational variable rather than relying on intuition or experience alone. We cover the METT-TC factors in detail in the section below. For guidance on structured hazard identification in a project context, see our article on eight steps for conducting a project risk assessment.
Step 2: Assess Hazards
Posttest Answer: Step 2 focuses on determining the probability and severity of a hazard occurring.
During this step, each identified hazard is evaluated on two dimensions: the probability of occurrence and the severity of the expected consequence.
The intersection of probability and severity on the risk assessment matrix produces a risk level. This step determines how dangerous each hazard actually is, which drives the priority for developing controls in Step 3.
What are the two factors considered when determining the initial risk level? Answer: Probability and severity. Probability describes how likely the hazard is to occur.
Severity describes how bad the consequences would be if it does occur. The risk assessment matrix combines these two factors to assign a standardized risk level (extremely high, high, moderate, or low).
For a deep dive into assessment methodologies including matrices and scoring approaches, see our step-by-step guide to risk assessment.
Step 3: Develop Controls and Make Risk Decisions
Posttest Answer: The purpose of Step 3 is to develop specific controls that reduce or eliminate hazards and then decide whether the remaining (residual) risk is acceptable.
Controls are measures that reduce the probability or severity of a hazard. ATP 5-19 identifies three types of controls.
Education controls change behavior through training, briefings, and awareness campaigns. Physical controls modify the environment or equipment (barriers, protective gear, engineering changes).
Hazard elimination controls remove the hazard entirely by changing the plan, avoiding the activity, or selecting an alternative course of action.
What are controls designed to do? Answer: Reduce or eliminate risk. This is a direct-from-doctrine answer. Controls do not limit commanders’ authority, and they do not prevent mission execution. They are designed solely to bring risk down to a level where the benefits of the mission outweigh the costs.
What is residual risk? Answer: Residual risk is the risk that remains after all controls have been selected and applied. No set of controls eliminates all risk.
Residual risk is the level of risk the commander or leader must accept when deciding whether to proceed. If the residual risk exceeds the authority of the decision-maker, it must be elevated to a higher level of command. For more on how controls work in practice, see our article on how to conduct a risk assessment.
Step 4: Implement Controls
Posttest Answer: Controls are implemented by communicating, coordinating, implementing, and integrating the control’s who, what, when, where, and how into SOPs, written and verbal orders, mission briefings, and staff estimates with clear and simple execution orders.
This is a frequently tested question and the correct answer is specific. The exam is testing whether you understand that implementing controls is not just about deciding on a control. It requires formal communication through established Army channels: standard operating procedures, operations orders, warning orders, briefings, and staff estimates.
Everyone involved in the operation must know what control is being applied, who is responsible for it, when and where it applies, and how it is to be executed. A control that exists only in someone’s head is not implemented.
Step 5: Supervise and Evaluate
Posttest Answer: The fifth step in the risk management process is to supervise and evaluate.
This step ensures that controls are actually working as intended during execution. Supervision means leaders are actively monitoring whether controls are being followed. Evaluation means assessing whether the controls are effective in reducing risk and whether new hazards have emerged that require additional controls or a change to the plan.
How do on-duty leaders supervise compliance with hazard controls during an operation? Answer: By ensuring subordinates understand how, when, and where controls are implemented, monitoring the employment of controls, and adjusting as situational awareness demands. This answer reinforces two ideas: (1) supervision is active, not passive, and (2) adjustment is expected because conditions change during execution.
What factors can cause controls to lose their effectiveness over time? Answer: Overconfidence or complacency. This is a critical concept. Controls that work well initially can degrade if personnel become overconfident that the risk has been eliminated or complacent about following procedures. Step 5 exists precisely because this degradation is predictable and preventable through active supervision.
The Risk Assessment Matrix: Probability and Severity
The risk assessment matrix is the primary tool used in Step 2 (Assess Hazards) to assign a standardized risk level to each identified hazard. It is a grid with probability on one axis and severity on the other. The intersection of the two factors produces a risk level. Understanding the categories on both axes is essential for the posttest.
Severity Categories
What do the terms “catastrophic, critical, moderate, and negligible” describe? Answer: The level of severity of an adverse event’s effect.
Catastrophic: Death or permanent total disability; system loss; major property damage; mission failure or the loss of ability to accomplish a mission.
Critical: Permanent partial disability; temporary total disability exceeding three months; major system damage; significant property damage.
Moderate (Marginal): Minor injury; lost workday accident; compensable injury or illness; minor system damage; minor property damage.
Negligible: First aid or minor supportive medical treatment; minor system impairment.
Probability Categories
What do the terms “frequent, likely, occasional, seldom, and unlikely” describe? Answer: The level of probability of an adverse event occurring.
Frequent: Occurs very often; continuously experienced. Likely: Occurs several times. Occasional: Occurs sporadically. Seldom: Unlikely but could occur. Unlikely: Can assume it will not occur, but it is not impossible.
Risk Levels
What is the intersection of the assessed probability and severity called? Answer: The risk level. The matrix produces four risk levels: extremely high (E), high (H), moderate (M), and low (L). The risk level determines how high in the chain of command the risk decision must be made and what level of control effort is warranted.
The consequences associated with a “Catastrophic” severity level include mission failure or the loss of ability to accomplish a mission. This is a commonly tested question from the 2025 version of the course. For a broader perspective on risk matrices and their application across industries, see our article on the essential risk management process flow chart.
The METT-TC Framework for Hazard Identification
METT-TC stands for Mission, Enemy, Terrain and weather, Troops and equipment available, Time available, and Civil considerations. It is the Army’s standard framework for systematically identifying hazards during mission planning.
ATP 5-19 (paragraph 1-17) states that the mission variables “serve as a standard format for identifying hazards, on or off duty.” The framework is institutionalized across the Army and is used in both the Military Decision-Making Process (MDMP) and Troop Leading Procedures (TLP).
The posttest frequently presents tactical scenarios and asks which METT-TC factor is relevant. Here are the most commonly tested scenario types with their correct answers.
Scenario: You are part of a combat patrol in a foreign city. There are squad-sized insurgent forces operating in the area. What are key considerations when identifying hazards associated with the Civil Considerations factor of METT-TC? Answer: Pedestrians at the market, riots or demonstrations, and/or religious events taking place. Civil considerations deal with the civilian population, infrastructure, and activities in the operating area. Enemy forces, terrain features, and weather conditions fall under other METT-TC factors.
Scenario: “Do I remember the training I received about what to do when encountering unexploded ordnance?” What METT-TC factor is at the root of this question? Answer: Troops and equipment. The Troops and equipment factor includes the training level, experience, morale, physical condition, and competency of the personnel executing the mission. The question about whether you remember your training is fundamentally a question about troop readiness and capability.
The Mission factor addresses the complexity and difficulty of the task. The Enemy factor covers hostile forces, their capabilities, and likely courses of action.
Terrain and weather includes visibility, environmental conditions, fields of fire, avenues of approach, obstacles, and cover and concealment. Time addresses the time available for planning and execution. For more on how systematic frameworks improve hazard identification across industries, see our article on what is the first step in the risk management process.
Risk Management Responsibilities: On-Duty and Off-Duty
Off-duty risk decisions are: Answer: The responsibility of individual Soldiers. This is one of the most important concepts in the course. While commanders and leaders are responsible for integrating RM into operations and making on-duty risk decisions at the appropriate level, off-duty risk management is the responsibility of the individual.
This includes decisions about recreational activities, driving, alcohol consumption, and other personal activities. The Army’s emphasis on off-duty RM reflects the reality that a significant proportion of Army accidents and fatalities occur during off-duty hours.
Who has a responsibility in identifying and assessing hazards? Answer: Everyone. ATP 5-19 is clear that RM is not the exclusive domain of safety officers or commanders. The individual Soldier’s primary role in RM during operations is to rapidly identify and communicate hazards and risks that may affect the mission.
Leaders at every level are responsible for supervising RM and making risk decisions within their authority. For more on how organizational roles map to risk management responsibilities, see our article on the three components of risk management.
Commonly Missed Questions and How to Approach Them
Certain posttest questions trip up a large number of test-takers. Here is guidance on the most commonly missed areas.
What is the purpose of the RM step “develop controls and make risk decisions”? Answer: To determine whether the risk of an adverse event occurring is reduced enough that the benefits of completing the mission outweigh the risks.
This question tests whether you understand that Step 3 is a decision-making step, not just a planning step. The leader must weigh residual risk against mission benefits and decide whether to proceed, modify the plan, or elevate the decision to higher authority.
All of the following are questions asked as part of Step 5 to ensure compliance with the guiding principles, EXCEPT: Answer: “Was the RM process completed before the operation’s onset?” This is a trick question. Step 5 (Supervise and Evaluate) is about what happens during and after execution. Whether RM was completed before the operation began is a planning question (Steps 1 through 4), not a supervision question.
Step 5 asks: Are controls being implemented? Are they working? Have conditions changed? Are new hazards present?
Which of the following outcomes is the result of a loss? Answer: Decreased combat power or mission readiness. The course defines “loss” broadly: any outcome that reduces the organization’s ability to accomplish its mission.
This includes personnel casualties, equipment damage, property loss, and degradation of operational capability.
What sets the conditions for a possible mishap? Answer: Poor communication or implementation of the five steps of RM resulting in a mishap.
This question reinforces the doctrine that mishaps are preventable when RM is properly applied. The root cause of most accidents is a failure somewhere in the five-step process, not bad luck.
Hidden costs often exceed the obvious financial costs associated with RM and include: This question tests awareness that the cost of a mishap extends far beyond immediate financial damage. Hidden costs include lost morale, reduced unit readiness, investigation and administrative time, training replacement personnel, and long-term impacts on families and unit cohesion.
Study Strategy: How to Prepare for the Posttest
The Risk Management Basic Course posttest is not difficult if you study the right material. Here is a proven approach.
Read ATP 5-19 Chapter 1. Chapter 1 of ATP 5-19 covers all four principles, the five steps, the risk assessment matrix, and the METT-TC framework. Almost every posttest question can be answered from this single chapter. The publication is available through the Army Publishing Directorate and is unclassified.
Focus on the exact wording of the five steps. The exam tests precise terminology. “Identify the hazards” is Step 1, not “Identify the risks.” “Supervise and evaluate” is Step 5, not “Monitor and review.” Learn the steps in order: (1) Identify the hazards, (2) Assess the hazards, (3) Develop controls and make risk decisions, (4) Implement controls, (5) Supervise and evaluate.
Understand the METT-TC factors well enough to apply them to scenarios. The posttest presents tactical and garrison scenarios and asks you to identify which METT-TC factor applies. Do not memorize specific scenarios. Instead, understand what each factor covers: Mission (task complexity), Enemy (hostile forces), Terrain and weather (environment), Troops and equipment (personnel readiness and available assets), Time (planning and execution time), and Civil considerations (civilian population and infrastructure).
Know the risk assessment matrix categories cold. Probability categories (frequent, likely, occasional, seldom, unlikely) and severity categories (catastrophic, critical, moderate/marginal, negligible) are tested directly. Know that severity describes the effect of an adverse event and probability describes the likelihood. Know that their intersection produces a risk level.
Practice with scenario-based questions. The course increasingly tests application, not just recall. Use the Quizlet flashcard sets for the Risk Management Basic Course to test yourself on scenario-based questions. If you can explain why an answer is correct (not just which answer is correct), you are ready for the posttest.
Beyond the Course: Applying RM Principles in Practice
The Risk Management Basic Course provides foundational knowledge, but risk management becomes valuable only when it is applied.
For leaders preparing for positions of increased responsibility, the five-step RM process from ATP 5-19 maps directly to enterprise risk management frameworks used across government and the private sector.
The Army’s five-step process (identify, assess, develop controls, implement, supervise and evaluate) parallels the ISO 31000 risk management process (establish context, identify, analyze, evaluate, treat, monitor and review). The METT-TC framework is a military-specific tool, but the underlying principle of systematic hazard identification applies to every industry. The risk assessment matrix is a simplified version of the likelihood-impact matrices used across enterprise risk management programs worldwide.
If you are transitioning from military service to civilian employment, or if you manage risk in both military and civilian roles, understanding these connections will make you more effective.
For a detailed comparison of the two leading enterprise risk management frameworks, see our article on COSO ERM vs. ISO 31000 risk management standards. For guidance on building an enterprise-level risk management framework from the ground up, see our guide on how to develop an enterprise risk management framework.
The Bottom Line
The Risk Management Basic Course tests your understanding of a straightforward but critically important process. The five steps (identify hazards, assess hazards, develop controls and make risk decisions, implement controls, supervise and evaluate), the four principles (integrate RM into all phases, make risk decisions at the appropriate level, accept no unnecessary risk, apply RM cyclically and continuously), the risk assessment matrix (probability times severity equals risk level), and the METT-TC framework for hazard identification are the pillars of the entire course.
Learn the doctrine from ATP 5-19, understand the reasoning behind each answer, and practice applying the concepts to scenarios.
The posttest is designed to confirm that you can use RM in the real world, not just recite definitions. If you prepare with that mindset, you will pass the course and, more importantly, you will carry risk management skills that could save lives, protect equipment, and ensure mission success throughout your career.
Looking for more risk management resources? Visit riskpublishing.com for practical guides on enterprise risk management, business continuity planning, and project risk management that bridge military and civilian risk management practices.
Sources and Further Reading
1. ATP 5-19, Risk Management (November 2021), U.S. Army Publishing Directorate: armypubs.army.mil
2. U.S. Army Combat Readiness Center, Risk Management Basic Course: safety.army.mil
3. DA PAM 385-30, Risk Management: armypubs.army.mil
4. JP 3-0, Joint Operations (risk management definition): jcs.mil
5. Army Resilience Directorate, ATP 5-19 Resource Page: armyresilience.army.mil
6. Risk Management Basic Course (2025) Flashcards, Quizlet: quizlet.com
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.