Tech Day VII
Chip Justice and Courtney Lane, Booz Allen Hamilton
Ritz Carlton, Monday, November 13, 2006
McLean, VA
Communicating and Managing Risks within the National Geospatial-Intelligence Agency (NGA)
Agenda
Defining Risk Management – Chip
Programmatic Development – Courtney
Identifying and Managing Risks – Courtney
Changing A Culture – Chip
Applying Risk Management to other Organizations – Chip
Agenda
Defining Risk Management – Chip
– Industry Definition vs NGA definition
– Purpose & Goals
– Value of Risk Management
– Opportunities & Issues
Programmatic Development – Courtney
Identifying and Managing Risks – Courtney
Changing A Culture – Chip
Applying Risk Management to other Organizations – Chip
What is a Risk?
A threat or obstacle that prevents an organization from achieving its objectives
A hazard
The future chance or probability of loss
Let’s take a look at how Industry defines Risk
“The potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components
(1) the probability/likelihood of failing to achieve a particular outcome, and
(2) the consequences/impacts of failing to achieve that outcome.” [1]
“...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” [2]
“RISK (risk) n. [Fr. risqué < Ital. risco.] 1. Possibility of suffering harm or loss: DANGER. 2. A factor, course, or element involving uncertain danger: HAZARD…. 3. a. The danger or probability of loss to an insurer. b. The amount that an insurance company stands to lose. c. One considered with respect to the possibility of loss to an insurer <a good risk>.” [3]
[1] Risk Management Guide for DoD Acquisition, Fourth Edition, DoD, DAU, DSMC, February 2001
[2] Project Management Institute PMBOK®, 2001 Edition
[3] Webster’s II University Dictionary
NGA defines risk much as the DAU does, but further breaks it down into three categories
Risk: The potential inability to achieve objectives
Opportunity: The potential ability to exceed objectives
Issue: An unfavorable circumstance that is certain to affect achievement of objectives
How do you communicate your risks?
NGA communicates their risks through standardized processes utilizing People, Processes, and Technologies
People
• Promote a risk management culture that is supported and championed by leadership across the Enterprise
• Communicate the standup of the risk management process through known and established communication channels
• Provide training through established workshops
Process
• Define a risk management process based on the ERM process
• Introduce risk management process documents into the Enterprise Configuration Control Board (ECCB)
• Recommend process improvements
• Decision making process / Decision point (Requirements, spending)
Technology
• Promote the use of the web-based Risk, Issue, and Opportunity Tool (RIOT) to capture and report information regarding risks, issues and opportunities
Much like Booz Allen Hamilton, NGA focuses on People, Process & Technology in their transformation initiatives
Enterprise Risk Management (ERM) Vision
Effective planning and program implementation
Integrate good risk information with decision activities for better planning
UNCLASSIFIED
Understanding the risk management process is the key to defining the purpose and the goals of every directorate within NGA
Purpose & Goals
– Identify the Agency’s Top Risks so that NGA can direct the right amount of resources, at the right time, to implement the right solution
– Ensure that all NGA directorates understand the identified risk with a mitigation plan that is created from a common frame of reference
– Create a bottom-up and top-down approach to Enterprise Risk Management
– Track overarching or summary level risks and use that information to assist with strategic decisions
– Instill the belief in the workforce that communicating risks is a positive, not negative, process that is rewarded, not punished
The value of risk management is that it is in line with Industry best practices and coincides with NGA’s mission
Process compliant with industry standards
Unified risk management process
Web-based risk management tool
Improved participation and communication throughout the Agency
Increase visibility with all stakeholders
Achievement of organizational objectives
Defining the value of the ERM process is different for every organization; the key is understanding how you define ‘Value’
So why implement an Enterprise Risk Management (ERM) program?
It can almost be thought of as situational awareness and capital improvement all in one
By identifying risks, executive leadership and mid-level management can make a decision that is based on solid information with a strategy to mitigate the risk at hand
Management can look to see which are the most critical risks within the agency and then define the appropriate resources to resolve the issue
If implemented correctly, the entire enterprise will benefit from understanding the most important issues and the biggest challenges
Agenda
Defining Risk Management – Chip
Programmatic Development – Courtney
– NGA Risk Management Process
– Implementation at the Program Level
Identifying and Managing Risks – Courtney
Changing A Culture – Chip
Applying Risk Management to other Organizations – Chip
An enterprise risk management process should be documented to ensure standardization
Process documentation contains the following information:
– Tasks required to implement the ERM process
– Entry and exit criteria
– Inputs and outputs
– Roles and responsibilities
– Required measures
Templates and training materials should be made available
– Risk management plan templates
– Briefing templates
– Enterprise risk management training package
Projects and programs should tailor the ERM process to meet their needs
The following elements of the ERM process can be tailored by projects and programs:
– Stakeholders
– Probability and consequence definitions
– Risk tolerance thresholds
– Roles and responsibilities
– Communication plan
– Measures
Each project and program should document their risk management process in a risk management plan
Risk management at NGA is an iterative, tailorable process
[Figure: NGA ERM process cycle, beginning at Project Kick-Off]
ERM 01 Develop Strategy
ERM 02 Identify
ERM 03 Analyze
ERM 04 Plan
ERM 05 Monitor
ERM 06 Control
Figure labels: Validated risks, issues, opportunities; Classification, Rating, Handling, Priority; Mitigation Plans, Contingency Plans, Triggers; Status reports; Communication; Lessons learned
Source: Adapted from the Software Engineering Institute’s “Continuous Risk Management Guidebook”
Agenda
Defining Risk Management – Chip
Programmatic Development – Courtney
Identifying and Managing Risks – Courtney
– Identifying Risks
– Analysis and Planning
– Monitor and Control
Changing A Culture – Chip
Applying Risk Management to other Organizations – Chip
There are four elements to risk identification at NGA
Title
– Captures the “so-what”
Statement
– For risks and opportunities: “If [concern], then [consequence or benefit]”
– For issues: “[Statement of concern]; thus, [consequence]”
Context
– Facts only (who, what, when, where, why)
– Avoid assumptions
– Do not introduce new risks
– Avoid blame
Closure Criteria
– Must alleviate the concern in the statement to an acceptable level
– Must be specific, actionable, and measurable
Risks are analyzed and handled using the appropriate method
Qualitative analysis is performed to determine:
– The level of cost, schedule, and performance impacts
– The probability of occurrence (probability is 100% if it is an issue)
Results are mapped on a probability impact diagram to determine the risk level
A handling method is chosen depending on the type of risk:
– Mitigate, Resolve, Exploit
– Watch
– Transfer
– Assume
Plans for reducing the probability of occurrence or severity of consequence if the risk occurs are developed
[Figure: Probability Impact Diagram]
Probability of Occurrence: 0-19% Highly Unlikely; 20-39% Unlikely; 40-59% Likely; 60-79% Highly Likely; 80-99% Near Certain; 100% Issue
Consequence Level: Negligible; Marginal; Significant; Catastrophic
Additional figure label: Critical
Risks and progress on their plans must be monitored and controlled
Monitoring risks is extremely important
– New programs are created
– Resource levels change
– Funding status changes
– New supporting information is discovered
Risks should be updated to reflect any changes found in the Monitor step
Controls (risk boards) are in place at every level of NGA to monitor risks. These boards can make several decisions about each risk:
– Reject (need more information or rework)
– Accept
– Escalate
– Return for status
– Close
Risk Controls at NGA
[Figure: risk control structure at NGA]
Risk levels: Strategic Risks; Enterprise Risks; Directorate Level Risks; Program Risks
Figure labels: ELG; Risk Management Core Team (RMCT); Key Component Risk, Issue, and Opportunity Management Board (KC-ROMB); NCEE Directorate JOIO; IT/IS EEGeoScout; Joint Risk Process
Agenda
Defining Risk Management – Chip
Programmatic Development – Chip
Identifying and Managing Risks – Courtney
Changing A Culture – Chip
– Obtaining Buy-in & Support
– Risk & Reward vs. Exposure & Condemnation
– Defining a Concept of Operations (ConOps)/ Risk Management Plan
– Training
Applying Risk Management to other Organizations – Chip
Where do you stand with the evolution of risk management?
Problem Stage
“I’m too busy to apply a formal risk management practice.”
Risk identification not seen as positive.
“What went wrong?”
Mitigation Stage
“Risk Management is What Managers Have to Do”
Aware of risks but not sure how to communicate them
“What can go wrong and what are the consequences?”
Prevention Stage
“Risk Management is everybody’s responsibility.”
Risk management is viewed as a team activity
Identification and elimination of root causes
“What caused the risk?”
Anticipation Stage
“We can focus on the right priorities”
Use of measures to anticipate predictable risks
Alternatives are easy to compare using a quantitative approach
“How can we proactively attack risks and assess alternatives?”
Opportunity Stage
“Where there is risk, there is opportunity”
Risks are a chance to do better than planned
Risk management is used to innovate and shape the future
Engineering excellence
“How can we take advantage of risks?”
Increasing levels of knowledge, commitment, communication, efficiency, and effectiveness enable transformation through each stage
Source: NGA Enterprise Risk Management Training Workshop
Defining and utilizing the risk management process will not succeed with just executive level support
The risk management process has to be embraced by the entire organization and championed by Leadership
Obtain buy-in through:
– Using checklists for standardization
– Providing guidelines
– Encouraging and welcoming open communications between individuals, departments, and organizations
– Taking surveys
– Evaluating the upside and downside of the risk
Obtain commitment and resources from leadership. At this point, risk management automatically becomes a management priority and leadership becomes an advocate of risk management and supports the process
Changing a culture is not easy, but a little praise could not hurt
The key is to understand that 'risk' exists and it can be managed and rewarded
Training, Training, and Training instilling Risk & Reward vs. Exposure & Condemnation
Leadership Communications
– Talking points
– Brown bags
– Define why holding risk information is not a benefit
Transition to a Risk Aware (Manage the Risk), not Risk Averse culture
Defining a Risk Management Plan is a must if you want your ERM program to succeed
Identify, Evaluate and Manage the process for risk management
Develop Comprehensive Safety/Loss Control Programs, Policies, and Procedures that are tailorable to specific risks
Establish a Catastrophic Business Continuation or COOP Program
Transfer Risk Whenever Economically Feasible through Insurance, Legal Contracts, and Avoidance
Analyze/Re-evaluate Your Risks on a recurring basis
Identify best practices
Benchmark and define standards/metrics
NGA has implemented a very effective training program that addresses risks, mitigation, and NGA’s culture
Enterprise Risk Management Training Workshop
– One day workshop held at least once a month
– Trained over 500 NGA contractors and government employees
– Teaches the risk management language at NGA, the enterprise risk process, and allows students to practice identifying and managing risks
Executive Level Overview Training
– 2 hour overview of enterprise risk management at NGA
– Presented to senior level NGA management
– Describes the process and how management can engage
Agenda
Defining Risk Management – Chip
Programmatic Development – Chip
Identifying and Managing Risks – Courtney
Changing a culture – Chip
Applying Risk Management to other Organizations – Chip
– Lessons Learned
– Best Practices
Communicating risks can be implemented better by understanding the Lessons Learned from previous risks
Identify
Communicate
Learn
Implementing best practices assists in communicating effectively
Using a Risk Management process that is consistent with existing government and industry best practices results in easier client buy-in, implementation and results
DAU Risk Management Community of Practice
Plan: Standard definitions; Processes; Team training
Identify: Situation; Uncertainty; Impact; Actions
Analyze: Probability; Impact; Outcomes
Control: Mitigation; Contingency Plans
Monitor: Maintain history; Monitor plans; Periodic updates
One Firm delivering results that endure
How to Learn More…
DAU
– PMCoP (https://acc.dau.mil/CommunityBrowser.aspx)
– New Risk Management Guide, Aug 2006
– Acquisition Review Quarterly, “Risk Special Edition”, Spring 2003
PMI
– http://www.pmi.org/info/default.asp
– PMBOK
– Risk SIG
INCOSE
– https://www.incose.org
– Risk Management Working Group
Prince2
– Projects in controlled environments
– http://www.tsoshop.co.uk
Read!
Closing Remarks
The Director of Central Intelligence Directive (DCID) 8/1 identifies risk management as “Balancing the goal of greater intelligence information sharing with the need to protect sources and methods requires IC members to apply a risk management methodology. This policy must be implemented in ways that balance the risk of unauthorized disclosure of sources and methods against the imperative to provide the most useful and responsive intelligence. The information needs of the customer must be given important weight in this risk management determination.”