What is the Best Procedure for Implementing a Risk Management Process in a Government Department of Defense (DoD) Acquisition Category

I (ACAT I) Program A thesis submitted By Richard Allen Speight to Strayer University in partial fulfillment of the requirement for the degree of MASTER OF BUSINESS ADMINISTRATION, MANAGEMENT This thesis has been accepted for the faculty of Strayer University by:

Chair

Professor Camilla Craig Advisor

Name of External Reader External Reader

Strayer University Directed Research Project Certification of Conformity to Standards
I. Conformity to Standards for Strayer University Graduate Level Directed Research Project. I, ___Richard Allen Speight______ certify that I have in good faith complied with the requirements of Strayer University for this Directed Research Project. I also certify that any work or effort that is not my own has been properly credited to the appropriate source(s). I hereby submit this Graduate Level Directed Research Project to the faculty of Strayer University for acceptance.

Student’s Signature __________________________________ Date ___September 15, 2009___ II. Acceptance of Directed Research Project. I have received and examined this Directed Research Project and I believe it meets the Graduate Level Standards of Strayer University.

Faculty Member’s Signature _____________________________ Date _____________

Abstract This thesis reviews the best procedure for implementing a risk management process in a Government Department of Defense (DoD) Acquisition Category I (ACAT I) program. When looking at risk management, it is necessary to understanding that risk is the evaluation of uncertain future events that may affect a project’s cost, schedule, or performance. Risk management is on iterative process that begins with risk planning then risk identification. The process used by private industry is more process-oriented than that used by DoD project managers. The purpose for this research is to determine if the process identified in Program Management Book of Knowledge (PMBOK) would suit DoD programs better than the current processes identified in the Risk Management Guide for DoD Acquisition.

Risk Management Table of Contents

1

CHAPTER 1 – INTRODUCTION..................................................................................................2 Define Risk Management............................................................................................................3 DoD versus Private Industry Risk Management.........................................................................4 Issue versus Risk.........................................................................................................................7 Definitions...................................................................................................................................7 CHAPTER 2 – REVIEW OF RELATED LITERATURE .............................................................9 Overview of the Program Management Book of Knowledge.....................................................9 Overview of the Risk Management Guide for DOD Acquisition.............................................12 CHAPTER 3 – METHODOLOGY...............................................................................................13 Overview...................................................................................................................................13 Method.......................................................................................................................................13 Data source................................................................................................................................14 CHAPTER 4 – CONCLUSION....................................................................................................15 Discussion..................................................................................................................................15

Risk Management

2

CHAPTER 1 – INTRODUCTION Risk Management is critical to the proper management of any project. Without an active approach to managing risk, projects stand a greater potential for cost overruns, schedule slips, failure to meet performance requirements, and ultimately complete project failure. When looking at risk management, it is necessary to understand that risk is the evaluation of uncertain future events that may affect a project’s cost, schedule, or performance. According to the Project Management Book of Knowledge, or PMBOK (2004), these three elements of a project are called the triple constraints because when any of these elements are changed, it always affects the other two (PMI, 2004). For example, a project office that procures trucks for the Department of Defense (DoD) has a budget of $60 million to procure some number of trucks this year to meet an Authorized Acquisition Object (AAO), which is a number representing total end strength. If halfway through the year the project is required to take a $10 million reduction in budget, the schedule is affected because it will now require more time for the project office to procure the total number of trucks to meet the established AAO. This impact will also affect performance because the government will have to adjust the requirements to reduce the per unit cost of the vehicle to maintain the quantity purchase, or it will impact the manufacturer’s performance because the assembly line is no longer producing to capacity and the manufacturer may have to look at ways to reduce or realign its workforce. The DoD has certain objectives that have to be met for each project and are delineated in the Acquisition Program Baseline (APB) document for each project. This document takes the requirements for cost, schedule, and performance from other source documents and puts it all

Risk Management under one cover for the project manager to work from. The objectives are typically limits and constraints in which the project manager has to work. For private industry, project managers work to a slightly different set of rules that are often set by contracts or by management goals.

3

When a private industry project manager is working to support a contract, often his requirements are not that different from a DoD project manager. The contract for a firm is the equivalent of the APB which sets limits, constraints, and requirements that must be met in order to manage the project effectively. Other private industry managers are driven by revenue and profit goals set for them by upper management. The risk associated with this type of management is probably even more difficult in that what affects revenue and profits is often impacted by events outside of the manager’s control. For this reason it is important to define what risk management is and the process required to implement a risk management program. Identifying the differences between a DoD risk management process and one implemented by private industry is key in determining what is the proper procedure for implementing a risk management process in a government Department of Defense (DoD) Acquisition Category I (ACAT I) program. Define Risk Management Risk management is “a fundamental aspect of any business. From a business perspective, risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on specific planned or in-process strategic initiatives and their supporting objectives. The consequence of these changes can have technical, schedule, or cost impacts; often, risk affects all three” (Bolles, 2006). The DoD defines risk management as: a continuous process that is accomplished throughout the life cycle of a system. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.

Risk Management Effective risk management depends on risk management planning; early identification and analyses of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. (DoD, 2006) DoD versus Private Industry Risk Management What is the difference between DoD and private industry risk management? When truly

4

comparing like methodologies, such as a product-oriented project, the first thing that can be seen is that a private industry is interested in profits - how the firm nets some percentage of margin on each product. Private industry typically views its risk management from this perspective and monitors its processes until the product leaves the door of the factory or possibly the shelf of a store. For the DoD, a project manager is responsible for the equipment from what is called “cradle to grave.” In other words, the DoD project manager has to monitor the risk to the project from the design stage, all the way through its life cycle, to when that piece of equipment is no longer used by the DoD. The second point of comparison would be the scope of a project. For the DoD, as discussed earlier, a project manager has specific quantities of a given item that are going to be procured and used. For a private industry project manager, oftentimes the limits for the product are completely driven by supply and demand, which introduces a different set of risks with which the DoD does not have to contend. In private industry it is imperative that the project manager have a reliable economic forecast upon which to determine production rates and quantities of supply. For a DoD project manager a budget is provided and quantities are placed on contract accordingly. Who performs risk management? Risk management is the responsibility of the project manager. However, in most cases, risk management is a process that involves most of the people on a project team. Additionally, most projects will have risk management boards that typically

Risk Management meet quarterly to reevaluate the identified risk and their mitigation plans. The project manager, in reality, is usually the final approver for risk and mitigation strategies, as the teams will have

5

identified, vetted and documented the risk, and sequentially developed the mitigation strategy for that risk. Risk management is a continuous process that is performed from a project’s inception to its completion. Figure 1.1: Risk Management Cycle, will show the iterative process for implementing risk management for a DoD program. This figure illustrates the DoD philosophy of cradle to grave risk management.

Figure 1.1 Risk Management Cycle (DoD, 2006) Although no specific start point is identified, the obvious first step is to identify a project’s first risk and the process will continue until the life cycle of the resultant equipment ends. A more widely accepted and exacting practice for implementing risk management is shown in figure 1.2: Project Risk Management Process Flow Diagram, this process identifies the

Risk Management

6

process as shown in the PMBOK, and is one of the reasons to question what is the best procedure for implementing a risk management process in a DoD Acquisition Category I (ACAT I) program.

Enterprise Environmental Factors

Risk Management Planning

Develop Project Management Plan

Organizational Process Assets

Risk Identification

Scope Definition Qualitative Risk Analysis Develop Project Management Plan Quantitative Risk Analysis

Performance Reporting

Risk Response Direct and Planning Manage Project Execution Figure 1.2: Project Risk Management Flow Diagram (PMI, 2004)
According to the PMBOK (2004), “the objectives of project risk management are to increase Close Project Integrated Risk Monitoring the probability and impact of positive events, and decrease the probability and impact of eventsChange and Control Control

Risk Management adverse to the project.” The processes for implementing risk management from this perspective are: risk management planning, risk identification, quantitative risk analysis, qualitative risk analysis, risk response planning, and risk monitoring and control. Figure 1.2 shows how these steps relate to each other, and their definitions are listed below. Issue versus Risk One of the biggest mistakes a project team makes is wrongly identifying issues as project risk. To prevent this from occurring the definitions for both are required. Risk is “an uncertain event or condition that if it occurs, has a positive or negative effect on a project’s objectives”

7

(PMI, 2004). An issue on the other hand is an event that already occurred and requires corrective action to fix or overcome. Risks are events that can be planned for and their mitigations put in place to eliminate or diminish their effect. Definitions The following terms are used in this research and are defined below: Qualitative Risk Analysis: “Prioritizing risks for subsequent further analysis or action by assessing and combining their probability of occurrence and impact” (PMI, 2004). Quantitative Risk Analysis: “Numerically analyzing the effect on overall project objectives of identified risks” (PMI, 2004). Risk Identification: “Determining which risks might affect the project and documenting their characteristics” (PMI, 2004). Risk Management Planning: “Deciding how to approach, plan, and execute the risk management activities for a project” (PMI, 2004).

Risk Management Risk Monitoring and Control: “Tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effectiveness throughout the project life cycle” (PMI, 2004). Risk Response Planning: “Developing options and actions to enhance opportunities, and to reduce threats to project objectives” (PMI, 2004).

8

Risk Management

9

CHAPTER 2 – REVIEW OF RELATED LITERATURE This study will review the existing processes for performing risk management as a best practice used by most private corporations as outlined in the PMBOK and the process used by the acquisition community within the Department of Defense. This literature review is provided so the reader will understand the processes involved – and their differences – and to see if a DoD ACAT I program would benefit from a more robust approach to risk management. The first step is to realize that managing risk is a fundamental aspect of business. Many people do not view a DoD acquisition program as a business, but the use of public funds require that the program manager be responsible for how he runs his program and spends his budget. Like any commercial enterprise, the acquisition arm of the services has customers. These customers consist of the men and women who put on a uniform and walk in harms way each and every day. The big difference that commercial or private industries experience from the DoD is that industries are calculating profit gains and profit losses; it’s all about the bottom line. For the DoD, however, it is all about getting equipment that meets customer requirements to the right place on time and within budget. As previously stated, the triple constraints of a program are time, schedule, and cost. These truly are the three areas that risk management focuses on for both private industry and the DoD. Overview of the Program Management Book of Knowledge According to the PMBOK (2004), “Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control of a project.” With most of these processes continuously being updated throughout the duration of the program. The process and objective of risk management is to identify events,

Risk Management

10

both positive and negative, that will impact the program and to then decrease the probability and impact of negative events while increasing the probability and impact of positive events. “The Risk Management processes include the following: Risk Management Planning, Risk Identification, Qualitative Risk Analysis, Quantitative Risk Analysis, Risk Response Planning, and Risk Monitoring and Control” (PMI, 2004). Although risk management has distinct processes associated with it that continually interact with each other, it is important to understand that these processes interact with other aspects or areas of program management. Often times people from multiple disciplines work together to develop risk mitigation strategies associated with identified risk within a program. Risk Management Planning is the process of determining how risks are to be handled within a program. Risk planning consists of inputs and outputs. The inputs are environmental factors such as an organizations attitude towards risk and the level of tolerance of the organization, project scope statements and project management plans. The output for risk management planning is a risk management plan that consists of the methodology, roles and responsibilities, budgeting, timing, and risk categories (PMI, 2004). Risk Identification is the process for determining which risk might affect the program and documenting them. This is an iterative process that evolves throughout the life of the program and uses the project team and other stakeholders in the program. The inputs for this step are the same as those for risk management planning, but the output here would be a risk registry to be used during the monitoring and control process. Qualitative Risk Analysis is the process of racking and stacking the risk identified to determine the probability and impact of a risk as well as the categorization and urgency of them. The output from this process is updates to the risk registry.

Risk Management “Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting the project’s competing demands” (PMI, 2004). This process looks at the effect of those risks and assigns a numerical rating to them using techniques such as Monte Carlo simulation to determine consequence and likelihood. The output from this process is again updates to the risk registry. Risk Response Planning is the process in which you develop options and determine the

11

actions to be taken. Risk response planning is approached from different perspectives depending on whether the risk is negative (threat) or positive (opportunity). The three strategies for typically dealing with negative risk are avoid, transfer, and mitigate (PMI, 2004). When a risk is avoided, the program management plan would be changed to eliminate the threat created by the risk. This often times includes efforts of descoping a program’s requirements. Transferring risk is the process of shifting the impact of a threat to a third party. This can come in the form of insurance, warranties, or guarantees, but it does not get rid of the risk, it just shifts responsibility to someone else and usually involves fees of some sort. Mitigation is simply a reduction in the likelihood or impact of a threat to an acceptable threshold. This is usually done early in a program with methods such as prototype development and or redundancy designed into the system. The three strategies typically employed with positive risk (opportunities) are exploiting, sharing, and enhancing. When exploiting a risk the organization is really just making sure the opportunity is realized. By sharing a risk, as in transfer, ownership is allocated to a third party. By enhancing a risk the size of an opportunity is modified by increasing the probability of the risk (PMI, 2004). Risk Monitoring and Control is the process of identifying new risk, analyzing, and planning for them. This process also involves keeping track of identified risk and reviewing the execution

Risk Management

12

of risk responses all in an iterative process through the program’s development to its close. The output associated with monitoring and control are: risk registry updates, requested changes, recommended corrective actions, recommended preventive actions and program management plan updates (PMI, 2004). Overview of the Risk Management Guide for DOD Acquisition Unlike private industry, where the exchange is complete once a product reaches the consumer and the company receives payback, the DoD acquisition program manager is responsible for a product until it is removed from the military inventory. “The purpose for addressing risk on DoD programs is to help ensure program cost, schedule, and performance objectives are achieved at every stage in the life cycle and to communicate to all stakeholders the process for uncovering, determining the scope of, and managing program uncertainties” (DoD, 2006). The Risk Management Guide put out by the DoD is to assist program managers in effectively managing program risk. This guide is very useful in its approach to identifying where risk can come from. The processes for risk management within the DoD guide are risk identification, risk analysis, risk mitigation planning, risk mitigation plan implementation, and risk tracking. These processes are similar to those described in the PMBOK, thus the reason for questioning the best procedure for implementing a risk management process in a government DoD ACAT I program. A benefit to the DoD Guide is that it provides good top-level guidelines for effectively managing risk. One very good aspect of the DoD guide is that it lays out the risk management roles, from the program manager down to the working groups. This, however, is where the comparison begins.

Risk Management

13

CHAPTER 3 – METHODOLOGY Overview The purpose of this thesis is to determine what is the best procedure for implementing a risk management process in a government DoD ACAT I program. The recommendations that are within this thesis are based on research and analysis of data and literature that provide guidance from multiple perspectives on how risk management should be performed. Method A Qualitative research method was used in this thesis. Research questions were developed to clarify the differences between how private industry performs the risk management process and how the DoD performs the risk management process. To facilitate this methodology, numerous documents written on the larger subject of Risk Management were explored and studied. Then processes or steps used by several different organizations were examined, some of which buy end products for government use, some of which produce end products for government use, and some that produce end products for commercial or industrial use. By comparing these processes, it can be determined if any one particular approach is better than the others. Once that is completed the next question is, “Does this best process fit all situations?” As the research continues, it may be determined that different processes may be needed for different organization types. However, if a determination can be made that changes can be made to the way DoD performs risk management, then the research will be beneficial and can be submitted to policymakers for consideration. The methodology, then, is simply exploring the information developed on the topic and comparing their processes and results to answer the research questions.

Risk Management Data source

14

Resources and data used for this study were pulled mainly from other sited references. Three critical sites provided valuable references. These sites were the EBSCO Publishing Database website, The Program Management Book (PMBOK), and the Risk Management Guide for DoD Acquisition, Sixth Edition. Prior studies were researched, but none were found that compare the processes between private industry and the DoD. The PMBOK and Risk Management Guide provided the idea of comparing how DoD performs risk management to the way private industry does. The key research questions became who performs it best and does the same process meet both required objectives. By having intimate knowledge of these two processes, identification of which information each of these sources provides was simplified. The EBSCO database at the William and Mary Center for Professional Studies was used to identify additional resources using keyword searches. Through this process, data collected to date was evaluated to determine what, and to what degree, each document or publication provided relevance to the research question and determine how much research has been previously performed on the specific issue.

Risk Management

15

CHAPTER 4 – CONCLUSION Discussion This final chapter discusses the conclusions that are drawn from the research provided. It provides recommendations on how the DoD could benefit from adapting practices and process from the PMBOK to enhance the guidance currently provide in their own handbook. The DoD Guideline provides great high-level guidance. It also gives great insight to where risk initiates from. What the DoD Guide lacks, however, is detailed processes that show the inputs, tools, and outputs of each process in the risk management procedure. The PMBOK provides these missing elements that can be combined with the current DoD Guide to provide the direction needed to properly manage risk within a program. Conclusion The best procedure for implementing a risk management process in a government DoD ACAT I program is not the adaptation of one process over the other. The best solution for any program within the DoD is to take the guidance from the DoD Guide and the detailed processes from the PMBOK, the source for most private industry, and take a best practices approach. By taking the guidance and detail from both sources, the DoD can establish unprecedented risk management programs that could eliminate waste cost, scope creeps, and schedule slippages.

Risk Management REFERENCES Bolles, D., & Hubbard, D. (2006). Communications and risk management: 17.2 Risk

16

management. American Management Association International, 201-204. Retrieved July 27, 2009, from Business Source Complete database. CHAPTER 14: Risk Management in Practice. (2006). Retrieved July 27, 2009, from Business Source Complete database. Department of Defense (DoD). (2006). Risk management guide for DoD acquisition (6th ed.). (Version 1.0), Department of Defense. Dobbins, J. (2002). Critical success factor (CSF) analysis for DoD risk management. Program Manager, 31(3), 40. Retrieved July 27, 2009, from Business Source Complete database. Dunham Jr., W., Ostner, S., To, M., & Cochran, A. (2009). Know the rules. Best's Review, 110(3), 55-57. Retrieved July 27, 2009, from Business Source Complete database. Kendrick, T. (2009). Identifying and managing project risk. American Management Association International. Retrieved July 27, 2009, from Business Source Complete database. Mays, E. (2009). Scenario analysis for board risk management. Corporate Board, 30(177), 1721. Retrieved July 27, 2009, from Business Source Complete database. Panning, W. (2009). The why and how of risk-based planning. Best's Review, 110(3), 78-78. Retrieved July 27, 2009, from Business Source Complete database. Project Management Institute (PMI) (2004). A guide to the project management body of knowledge (3rd ed.). Newton Square, PA: Project Management Institute, Inc. Risk Management. (2004). Essential Economics, Retrieved July 27, 2009, from Business Source Complete database.

Sign up to vote on this title
UsefulNot useful