Spy's
Guide
Thinking
Taking Risks
Strategy
DADA
Spy's GuideFrameworks › The Risk Framework

The Risk Framework: A Spy's AND/OR Risk Analysis Method

By John Braddock, former CIA case officer and author of the Spy's Guide series

What Is the Risk Framework?

The Risk Framework is a method for analyzing risk by breaking outcomes into their necessary conditions (ANDs) and substitutable conditions (ORs). When bad outcomes require multiple things to go wrong simultaneously (connected by AND), risk is lower. When any single failure can cause the bad outcome (connected by OR), risk is higher. The goal is to structure your situation so your ANDs are few and achievable and your ORs are many.

How It Works

AND conditions all must be true for the outcome to occur. If a bad outcome requires A AND B AND C to all happen, the probability is lower — each AND reduces the chance. More ANDs in the failure chain means lower risk.

OR conditions mean any one of them can cause the outcome. If a bad outcome occurs if A OR B OR C happens, the probability is higher — each OR increases the chance. More ORs in the failure chain means higher risk.

The method: Map your risks as AND/OR chains. Write out what has to go wrong for the bad outcome. Connect the conditions with AND or OR. Then count. If the chain is mostly ANDs, you're in a relatively safe position. If the chain is mostly ORs, you're exposed.

This is a model you can carry in your head and use on the fly. It works when you don't have large data sets, when probabilities are hard to calculate, and when you can't afford to be wrong. It's not a replacement for statistical analysis — it's a framework for situations where statistical analysis isn't possible.

Example From the Field

In intelligence operations, risk analysis of spy missions works exactly this way. For a mission to fail catastrophically, the source must be compromised AND the surveillance team must spot the officer AND the exit route must be blocked AND the backup plan must also fail. Each AND in that chain reduces the probability of total failure.

Compare that to an operation where any single point of failure causes catastrophe: the source is compromised OR the surveillance spots you OR the exit route is blocked. Each OR dramatically increases total risk. Smart operators structure their missions to maximize ANDs and minimize ORs in the failure chain.

How to Apply It

  1. Identify the bad outcome you're trying to avoid. Be specific — not 'things go wrong' but the specific worst case.
  2. List every condition that must be true for that bad outcome to occur. Write them all down.
  3. Connect the conditions: Which ones must ALL be true (AND)? Which ones can independently cause the outcome (OR)?
  4. Count your ANDs and ORs. More ANDs = lower risk. More ORs = higher risk. If you're heavy on ORs, you need to restructure.
  5. To reduce risk: Convert ORs to ANDs. Add backup plans (which add ANDs to the failure chain). Remove single points of failure (which are ORs). The goal is to make failure require many simultaneous things to go wrong, not just one.

Related Frameworks

The DADA Chain

Risk analysis feeds directly into the Decision step — knowing your AND/OR exposure shapes the choice.

Endgame Reasoning

Assess the risk of each path to the endgame before committing.

Game Type Identification

Risk profile changes depending on whether you're in a zero-sum or positive-sum game.

About the Author

John Braddock was a case officer at the CIA. He developed, recruited, and handled sources on weapons proliferation, counter-terrorism, and political-military issues.

The AND/OR Risk Framework is the central method in A Spy's Guide to Taking Risks.

Apply these frameworks to your specific situation with The Operative — a strategic analysis service built on Braddock's CIA frameworks.