In 1969, the Deputy Secretary of Defense directed the secretaries of the armed forces to identify areas of high technical risk, perform formal risk analysis, and include explicit consideration of risk assessment, reduction and avoidance in managing weapon systems acquisition.
Unfortunately, with few exceptions over the past 25 years, active risk management has been more of an afterthought than a primary factor in Department of Defense (DoD) decision making. Instead, the most prevalent means for managing risks has been the “fix-on-failure” problem control approach - i.e., waiting for risks to occur before taking remedial action.
Only in the last four or five years has the application of formal risk management taken solid root in the management of DoD programs. While the causes vary, the increasing use of risk management can be associated with the ever increasing costs (in terms of financial, political and defense posture) of DoD program failure, the cutbacks in available resources, the proven success of risk management on DoD and commercial programs, and recent Congressional mandates.
Program costs have skyrocketed over the past decade. Major program costs regularly reach into the tens of billions of dollars. Even minor schedule slips can cost hundreds of millions of dollars. In an era of tight resources, being even slightly wounded makes a program vulnerable. As one DoD official succinctly put it,
As program costs have risen, Congress has become correspondingly less amenable to funding “make-up” programs for ones that fail. Often program failure means concept failure as well, with the result that it is extremely difficult to receive funding approval for a similar concept, even if the original program requirement still exists. The Navy’s A-12 aircraft program is a prime example.
While the cost of failure has highlighted the need for active risk management, a stronger factor has been the success reported by programs applying formal risk management. For example, Hughes Aircraft (now part of Raytheon) aggressively used risk management on the highly complex, four-and-a-half-year, 750-person Peace Shield air defense system [1]. Their risk management approach, which was used as a problem-preemption strategy, was credited with helping deliver Peace Shield 10% ahead of schedule and significantly below projected cost. Achieving success, which many observers believed was impossible at the time of Peace Shield’s start, sparked the company into institutionalizing risk management for use on its other major programs.
Other DoD programs such as the V-22, E-6, F-18 and F-22 are also crediting risk management with significantly enhancing their program management’s capabilities. In fact, data gathered from across all industry sectors by the Project Management Institute (PMI) demonstrates conclusively that project success is strongly correlated with the practice of risk management [2]. Rockwell Collins, for example, has recently determined that there is at least a 17% difference in the Cost Performance Index (CPI) between its projects that perform risk management and those that do not.
While cost of failure and the sweet smell of success have spurred the use of risk management, Congress has added its weight by the recent passage of the Clinger-Cohen Act. This new law requires all but a few government programs and projects to perform formal risk assessments and to report those risks. For programs that decide to ignore Clinger-Cohen and later have a program hiccup, rest assured that they will be counted among the wounded, and we know what is happening to the wounded.
Providing newfound insights to a decision-maker so that he or she can make informed decisions is the primary objective of risk management. Another way of putting it is that risk management aims to keep the boss from being surprised. However, keeping the boss from being surprised requires a set of comprehensive, coordinated and complementary management of risk and risk management practices. The management of risk approach addresses risk in a top-down, granular, periodic fashion, and concerns “command-level decisions”, such as whether a program should be initiated, whether it should receive funding, whether it has passed a major milestone, etc. Its primary focus is on understanding the risks (and opportunities) that exist before plans are defined and/or put into operation. Risk management practice, on the other hand, concentrates on performing bottom-up, detailed, continuous assessment of risk (and again opportunity), concerning itself with addressing the day-to-day operational risks that a program faces. Together they provide a 360° 3-D view of the risk that might confront a program.
A management of risk approach is similar to what is performed during aircraft strike planning, with mission planners running through different attack scenarios, trying to pick the best attack routes having the fewest threats, defining the way points, etc. Risk management is similar to what a pilot does once the strike plan has been approved and the mission is launched. The pilot constantly checks instruments, gets updates from AWACS, checks for items the mission planners missed or couldn’t foresee, etc., i.e., updates his or her situational awareness, while taking corrective actions to ensure the strike can be successful.
Both management of risk and risk management approaches follow a two-stage, repeatable and iterative process of assessment (i.e., the identification, estimation and evaluation of the risks confronting a program) and management (i.e., the planning for, monitoring of, and controlling of the means to eliminate or reduce the likelihood or consequences of the risks discovered). Both take a holistic or systems view of the risks likely to be encountered (from their own unique perspectives), and likewise take a systems view on how they should be mitigated. Both are done continually over the life of a program, from its initiation to its retirement. Both should be able to be paid for from existing or minimal increases (3-7%) in program administrative costs. Finally, both should be performed not only by government program officials, but also by contractors working in conjunction and cooperation with government. Open communication of risk is key to its successful management.
To ensure a complete understanding of the risks to a program, both management of risk and risk management practices need to be integrated into a program's measurement processes. Once linked, a program can understand its past trends, see its future trends, and be able to predict its future trends with some level of confidence. Work being done under the auspices of the Practical Software Measurement (PSM) effort is concentrating on how to make the linkage between risk and measurement easier [3].
It would be a mistake to view risk management as yet another impractical idea mandated by nameless bureaucrats that serves only to keep your project or program from achieving its objective - quite the opposite. By applying good risk management practice, your program will be able to not only take on more risk but also exploit opportunities that now have to be passed by. Further, time to act, rather than react, will be gained, along with a greater number of alternatives to choose from when problems are eventually encountered. As a result, the program will develop a risk taking ethic, one with a bias toward informed action.
Of course, risk management is not a panacea. It will not turn bad situations automatically into good ones, make the operating environment suddenly pleasing nor ensure every high risk can be eliminated or avoided. Further, even if risks are identified and mitigation plans developed, no guarantee exists that proper actions will be taken in a timely manner. Risk management requires a belief in and commitment to the process of risk management by senior management. The current Y2K problem is a case study of what happens when risk warnings are ignored.
However, when practiced well, risk management can provide that extra edge needed to make a program successful, or at least keep that program from joining the wounded.
About the Author

Contact Information: Dr. Robert N. Charette, ITABHI Corporation, 11609 Stonewall Jackson Drive, Spotsylvania, VA 22553-4668, (540) 972-8150