RISK, ISSUE, AND OPPORTUNITY MANAGEMENT
Professor David Swinney 256-922-8159 David.Swinney@dau.mil
February 18, 2016
QUOTES FROM AT&L
• Our task as managers involves optimization—what are the highest-payoff risk-mitigation investments we can make with the resources available?
• I expect our managers to demonstrate that they have analyzed this problem and made good judgments about how best to use the resources they have to mitigate the program’s risk.
NEW GUIDE
Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs: June 2015
Significantly different from DoD Risk Management Guide Version 6.0, 2005
OVERVIEW
• DoD Risk Management Guidance
• Risk Management
  • Risk Planning
  • Risk Identification
  • Risk Analysis
  • Risk Handling
  • Risk Monitoring
• Issue Management
• Opportunity Management
• DAU Risk Management Workshop
RISK, ISSUE, OR OPPORTUNITY?
RISK or ISSUE?
RISK or ISSUE?
GUIDE CONTENT
Section 1: Scope and changes
Section 2: Planning & documentation.
Section 3: Risk management process
Section 4: Integration with other program management tools
Section 5: Issue Management
Section 6: Opportunity Management
Section 7: Internal and external interfaces.
Appendixes: Life Cycle Considerations, Activities, Templates, Roles, Responsibilities & Relationships; Risk Management Vignette
“If you don’t actively attack the risks, they will actively attack you.” Tom Gilb, Principles of Software Engineering Management
“Bad news isn’t wine. It doesn’t improve with age.” Colin Powell
“Opportunity is missed by most people because it is dressed in overalls and looks like work.” Thomas A. Edison
RISK MANAGEMENT OBSTACLES
• Culture often precludes risk management
  • I know what I’m doing….
• Going through the motions vs. an Integral process
  • Time for another quarterly brief….
• Management and organizations fear risk identification
  • It’s not my fault
  • If I don’t know, … then no one can blame me
• Issues vs. risks – they are not the same
  • I just lost $2M in the budget review!
• Process is not supported by infrastructure
  • Who is in charge of risk management?
RISK MANAGEMENT – EVERYONE’S JOB!
• Program management
• Systems engineering
• Requirements definition
• Earned value management
• Production planning
• Quality assurance
• Logistics
• ...
2015 RISK MANAGEMENT APPROACH
[Cycle diagram: Risk Planning, Risk Identification, Risk Analysis, Risk Handling, Risk Monitoring]
RISK DEFINITION
Risk is the combination of the probability of an undesired event or condition and the consequences, impact, or severity of the undesired event, were it to occur. The undesired event may be programmatic or technical, and either internal or external to the program.
RISK PLANNING
What is the program’s risk management process?
“Plans are nothing… planning is everything” DDE
[Risk management cycle diagram]
FRAMING ASSUMPTIONS AND GROUND RULES
• Framing Assumptions
  • priority of requirements
  • schedule dependencies
  • accuracy of models and simulations
• Ground Rules
  • Time frame - risk consequence evaluated as if the risk were to be realized without further mitigation, avoidance, etc.
  • Time of risk event - when risk hypothetically will occur
  • WBS level - should be ID’d to lowest level possible
ALIGNING GOVERNMENT AND CONTRACTOR RISK MANAGEMENT
• Government PMO, Prime Contractor and associated Subcontractors should employ a consistent Risk Management Process
• Establish a Joint Risk Management Database
• Risk Management should be integrated with:
  • Requirements Development;
  • Design, Integration, and Test (Systems Engineering);
  • Planning and Management of System Support and Sustainment;
  • Schedule Tracking;
  • Performance measurement;
  • Earned Value Management (EVM) (when implemented);
  • Cost Estimating;
  • Issue Management; etc…
RISK IDENTIFICATION IN DOD RMG V6 AND DOD RIOMG MODELS
Risk Identification: What can go wrong? (DoD RMG v6 2005)
or… “What is uniquely hard or difficult?”
[Risk management cycle diagram]
IDENTIFYING RISK: WHAT CAN GO WRONG?
"I cannot imagine any conditions which would cause a ship to founder. I cannot conceive of any vital disaster happening to this vessel. Modern shipbuilding has gone beyond that..."
Captain E. J. Smith, 1906, about the Adriatic (Captain of Titanic on the evening of 14 April, 1912)
RISK IDENTIFICATION
All program personnel are encouraged to identify candidate risks. Cast your net wide at first! Do not ignore areas or eliminate ideas early in the process.
3 MORE WAYS FOR RISK ID
1. Product based evaluation
• Uses Work Breakdown Structure
• Looks at system architecture
• Identifies program relationships
[Diagram: PRODUCT; C2 System, COP, Red / Blue / Neutral]
2. Process based evaluation
• Focuses on processes used to define, develop and test a system
• Looks at internal organizational processes
[Diagram: FUNDING (Funds Phasing), DESIGN, TEST, PRODUCTION, FACILITIES, LOGISTICS, MANAGEMENT]
3. Scenario based evaluation
• Risks from a customer and supplier point of view
• Requires knowledge of customers and suppliers, or their inputs/time
[Diagram: TOP LEVEL: Execute Mission, Repair and Maintain, Prepare; DECOMPOSITION: Receive Order, Deploy, Locate Target, Attack, Recover; Receive Order outcomes: Order Received, Understood; Order Not Received; Order Received, Not Understood]
RISK IDENTIFICATION MUST DRILL DOWN
The project might not: (deliver some promise) (meet some expectation)
Because: (some reason) (some reason) (some reason) (some reason) (some fundamental reason)
RISK ANALYSIS
Risk Analysis: What is the likelihood and consequence of the risk? (DoD RMG v6 2005)
[Risk management cycle diagram]
ROOT CAUSE DETERMINATION
We Might Not: ... Because: ... Why? Why? Why? Why? Why?
• Meet Availability Requirements
• Engine Does Not Start
• Glow Plug Failure
• Glow Plug Remains On After Start
• Counterfeit Circuit Boards
ROOT RISK EVENT
If (some negative event occurs): Purchase Counterfeit Circuit Boards, the “Root Risk Event”
Then (something bad may result): Fail to Meet Availability Requirements, the “Consequence”
WEAK RISK STATEMENTS
• Makes an overly general observation:
  • Weak: If the high vacancy rate in engineering staff persists, then the program staffing will be inadequate.
  • Stronger: If the high vacancy rate in software engineering staff persists due to aggressive recruiting by competitors, then the commitment to deliver first software builds in 6 months will not be met.
• Identifies an issue rather than a risk:
  • Weak: Fatigue cracks discovered in already produced vehicles may shorten service life unless remedied.
• Diverts focus from the program’s controllable activities:
  • Weak: If the program’s funding is withheld due to poor test results, then the program schedule will be jeopardized.
  • Stronger: If the vehicle reliability test performance is below XX MTBF during test, then the resulting schedule delay to fix failures could jeopardize FY2018 funding.
RISK STATEMENT FORMS
• IF (some event) THEN (some consequence)
• WE MIGHT NOT (some promise) BECAUSE (some reason)
• THERE IS (some probability) THAT (some risk event) MAY OCCUR, RESULTING IN (some consequence), (optional) BECAUSE (some reason)
ANALYZING RISK: WHAT DO RISKS MEAN?
• Estimate Likelihood/Consequence
  • Technical Performance
  • Schedule
  • Cost
• Determine the Risk Level
  • Use consistent predefined likelihood and consequence criteria
  • Government and Contractor should use common framework
  • Use Quantitative Data when possible
CONSEQUENCE CRITERIA
Tailored to program - Programs can break out cost or consolidate
LIKELIHOOD CRITERIA
Table 3-2. Recommended Likelihood Criteria
Specific Criteria Recommended
RISK ANALYSIS
Risks can be characterized as HIGH, MODERATE, or LOW based on predetermined rating thresholds. Risk Level is calculated for each risk and serves as the means to rank the program risk. This difficult but important step in the risk management process helps the program determine resource allocation and the appropriate mitigation strategy.
RISK ANALYSIS
Risk Reporting Matrix is the same in both DoD RMG v6.0 and DoD RIOMG
How big is the Risk? and What are the Likelihood and Consequence should it occur?
• Assess Consequence: Analyze the possible consequences in terms of technical, schedule, cost (RDT&E, Procurement and O&M)
• Assess Likelihood of occurrence
• Identify the risk level in the 5X5 risk reporting matrix
[Figure: Risk Reporting Matrix (DoD Risk Management Guide); Likelihood 1-5 against Consequence 1-5]
EXPECTED MONETARY VALUE
Programs should compare cost burdened risk and cost of handling strategies. Cost exposure of a risk can be expressed as its EMV, which is the likelihood of the risk multiplied by the cost consequence of the risk if realized. Cost of the risk handling effort is then subtracted from the risk exposure to determine the “likely” return on investment (ROI).
RISK ANALYSIS EXPECTATIONS
Expectations:
• Risk statements and descriptions fully document events that could adversely affect a program’s ability to meet cost, schedule, and performance objectives or baselines.
• Risk statements are clearly written using an “if–then” or similar construct.
• Programs use established criteria, tailored only as necessary, to provide a consistent means for evaluating risks.
• Resulting likelihood and consequence ratings should be supported by data and analysis.
• Programs conduct periodic risk analyses to update risk estimates and to align and support other program activities such as EVM, IMS, and technical reviews.
• If the analyzed likelihood is 100 percent, the program should address the event or condition as an issue rather than a risk.
[Diagram labels: Plan, Risk Handling (formerly), Assess, Act]
RISK HANDLING
Risk Handling (formerly “Mitigation”): Should the risk be accepted, avoided, transferred, or mitigated?
DoD RMG v6 2005: Risk Mitigation Planning, Risk Mitigation Plan Implementation
[Risk management cycle diagram]
RISK HANDLING
• Consider the accept, avoid, and transfer handling options, not just the mitigation option
• Choose the best handling option, then select the best implementation approach for that option
• Take into consideration elevating the risk to appropriate tiers (executive, management, or working level)
• Include cross-program risks in order to consider the impact of risk management actions on other programs
[Diagram box: Risk Handling: Should the risk be accepted, avoided, transferred, or mitigated?]
RISK HANDLING APPROACH
• The selected mitigation approaches for program-level risks should be reflected in the program’s Acquisition Strategy
• Include the specifics of what should be done,
• when it should be accomplished,
• who is responsible,
• the cost and schedule impact, and
• the funding/resources required to implement the risk mitigation plan
FOUR FUNDAMENTAL STRATEGIES
• Avoid: Eliminate the risk event or condition
• Mitigate (Control): Actively reduce risk to an acceptable level
• Assume (Accept): Accept the level of risk, but continuing on the current program plan
• Transfer: Transfer to another entity
RMB ACTIONS
• Risk Management Board (RMB) should compile a list of criteria that answers questions such as:
  • Is the approach feasible in implementation?
  • Are the expectations realistic in effectively reducing program risk to an acceptable level?
  • Is the approach affordable in terms of dollars and resources?
  • Is adequate time available to develop and implement the approach?
  • What impact do these approaches have on the overall program schedule?
  • What impact will the mitigation approach have on the technical performance of the system?
RISK MITIGATION IMPLEMENTATION
• RM Implementation
• Directing the teams to execute the defined and approved risk control plans
• Applying resources (manpower, schedule, budget) to reduce the likelihood and/or consequence of risks
• Tracking resource expenditure, technical progress, and risk impacts (benefits)
• Reduces Program Risks
• Providing a coordination vehicle with management and other stakeholders
• Outlining the risk reporting requirements for ongoing monitoring, to include “tripwires” which warrant elevating the risk to the next management level
• Documenting the change history
• Providing information to further enhance risk tracking and risk communication
RISK MITIGATION APPROACHES
• Trade Studies
• Multiple Development Efforts: Alternative Design
• Design of Experiments
• Mockups
• Technology Maturation
• Early Prototyping
• Process Proofing
• Reviews, Walk-throughs, and Inspections
• Models and Simulation
• Demonstration Events
• Robust Design
RISK BURN-DOWN
Burn-down plan consists of 6 steps, tied to the project schedule, that allow the program to control and retire risks
1. Identify risk start and end points on a graph
2. Assign numerical values to these points
3. Identify activities that will burn-down risk
4. Estimate the time basis for these activities
5. Estimate their relative risk burn-down contribution
6. Chart the relationship of activities on a date basis
[Figure: RISK PILE]
MORE BURN DOWN CONSIDERATIONS
• Ensure all risk handling activities
  • (1) are clearly defined and jargon free,
  • (2) are objective and not subjective, and
  • (3) have specific, measurable outcomes. For example, the statement
• Assign a planned likelihood and consequence value to each risk handling activity.
• Not all handling activities will result in a score change or burn-down of the risk but are necessary to track the progress of the burn-down plan (e.g., meetings do not mitigate risks, results do).
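The six burn-down steps and the note on activities that do not change the score, worked through as an added Python example that is not part of the original slides. Activity names are borrowed from the deck's Risk #2 mitigation example; the function names, dates, start and end scores, and relative contributions are assumptions constructed for illustration.

```python
from datetime import date

def burn_down(start_score, end_score, start_date, activities):
    """Planned burn-down as [(date, score, label)], ordered by date.

    activities: (name, planned completion date, relative contribution).
    A contribution of 0 is a tracking-only activity (e.g. a meeting): it
    is charted but leaves the score unchanged.
    """
    total = sum(w for _, _, w in activities)
    if end_score > start_score or total <= 0:
        raise ValueError("need end <= start and a positive contribution")
    if any(w < 0 or d < start_date for _, d, w in activities):
        raise ValueError("negative contribution or date before plan start")
    to_retire = start_score - end_score
    score = float(start_score)
    points = [(start_date, score, "start")]
    for name, done, weight in sorted(activities, key=lambda a: a[1]):
        score -= to_retire * weight / total
        points.append((done, round(score, 2), name))
    return points

def off_plan(points, today, assessed_score):
    """Tripwire: is the currently assessed score above the plan for today?"""
    planned = points[0][1]
    for when, score, _ in points:
        if when <= today:
            planned = score
    return assessed_score > planned

# Constructed sample: activity names from the Risk #2 slide; the dates,
# scores (20 -> 6) and contributions are invented for illustration.
ACTIVITIES = [
    ("Correct SW technical issues", date(2012, 7, 15), 5),
    ("Get new/detailed Program A and SW schedules", date(2012, 1, 15), 0),
    ("Work with SW contractor to improve schedule", date(2012, 10, 15), 2),
    ("Identify root cause of SW technical issues", date(2012, 5, 15), 3),
]
PLAN = burn_down(20, 6, date(2012, 1, 1), ACTIVITIES)

if __name__ == "__main__":
    for when, score, label in PLAN:
        print(f"{when}  {score:5.1f}  {label}")
    print("elevate:", off_plan(PLAN, date(2012, 6, 1), 18))
```

The schedule-gathering activity carries a contribution of 0, so it appears on the chart without moving the score, and `off_plan` is one way to express a "tripwire" as a comparison of the assessed score against the plan.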
RISK HANDLING?
Why? / Mitigate?
• Meet Availability Requirements / Change Availability Requirement
• Engine Does Not Start / Start Engine in Warmed Shelter
• Glow Plug Failure / More Spare Glow Plugs
• Glow Plug Remains On After Start / Circuit Redesign
• Counterfeit Circuit Boards / Certified Supplier
Not My Problem
RISK MITIGATION PLAN EXAMPLE
Identify, evaluate, and select detailed steps that will drive risk to an acceptable level given program constraints and objectives
EXAMPLE Risk #2: If the timeline established for Program A’s production is not met because of a delay in receiving software updates, then there will be a program slip of at least 4 months.
• Get new/detailed Program A and SW schedules
• Identify insertion points for SW updates
• Work with SW contractor to improve schedule
• Incentivize SW lab construction for schedule
• Identify root cause of SW technical issues
• Correct SW technical issues
• Improve SW schedule by 2 months
• Improve SW lab construction by 1 month
• New SW dates coordinated with Program A leadership
[Figure: risk reporting matrix; Likelihood 1-5 against Consequence 1-5]
RISK MITIGATION PLAN EXAMPLE
Include the specifics of what should be done, when it should be accomplished, who is responsible, and funding required to implement mitigation strategy
• Get new/detailed Program A and SW schedules
• Identify insertion points for SW updates
• Work with SW contractor to improve schedule
• Incentivize SW lab construction for schedule
• Identify root cause of SW technical issues
• Correct SW technical issues
• Improve SW schedule by 2 months
• Improve SW lab construction by 1 month
• New SW dates coordinated with Program A leadership
[Table: each step and outcome marked against When? (Jan 12, May 12, July 12, Oct 12), Who? (CC, Tech Dir, You?) and Funding? (Yes / No)]