Tech Day VII Chip Justice and Courtney Lane Booz Allen Hamilton Tech Day VII Ritz Carton Monday, November 13, 2006 McLean, VA Communicating and Managing Risks within the National Geospatial-Intelligence Agency (NGA)

Communicating and Managing Risks at NGA


Agenda

Defining Risk Management – Chip

Programmatic Development – Courtney

Identifying and Managing Risks – Courtney

Changing A Culture – Chip

Applying Risk Management to other Organizations – Chip

Agenda

Defining Risk Management – Chip
– Industry Definition vs NGA definition
– Purpose & Goals
– Value of Risk Management
– Opportunities & Issues

Programmatic Development – Courtney

Identifying and Managing Risks – Courtney

Changing A Culture – Chip

Applying Risk Management to other Organizations – Chip


What is a Risk?

A threat or obstacle that prevents an organization from achieving its objectives

A hazard

The future chance or probability of loss

Let’s take a look at how Industry defines Risk

“The potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components

(1) the probability/likelihood of failing to achieve a particular outcome, and

(2) the consequences/impacts of failing to achieve that outcome.” [1]

“...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” [2]

“RISK (risk) n. [Fr. risqué < Ital. risco.] 1. Possibility of suffering harm or loss: DANGER. 2. A factor, course, or element involving uncertain danger: HAZARD…. 3. a. The danger or probability of loss to an insurer. b. The amount that an insurance company stands to lose. c. One considered with respect to the possibility of loss to an insurer <a good risk>.” [3]

[1] Risk Management Guide for DoD Acquisition, Fourth Edition, DoD, DAU, DSMC, February 2001
[2] Project Management Institute PMBOK®, 2001 Edition
[3] Webster’s II University Dictionary

NGA tends to define risk much as the DAU does, but further breaks it down into three categories

Risk: The potential inability to achieve objectives

Opportunity: The potential ability to exceed objectives

Issue: An unfavorable circumstance that is certain to affect achievement of objectives


How do you communicate your risks?

NGA communicates their risks through standardized processes utilizing People, Processes, and Technologies

People
• Promote a risk management culture that is supported and championed by leadership across the Enterprise
• Communicate the standup of the risk management process through known and established communication channels
• Provide training through established workshops

Process
• Define a risk management process based on the ERM process
• Introduce risk management process documents into the Enterprise Configuration Control Board (ECCB)
• Recommend process improvements
• Decision making process / Decision point (Requirements, spending)

Technology
• Promote the use of the web-based Risk, Issue, and Opportunity Tool (RIOT) to capture and report information regarding risks, issues and opportunities

Much like Booz Allen Hamilton, NGA focuses on People, Process & Technology in their transformation initiatives

Enterprise Risk Management (ERM) Vision

Effective planning and program implementation

Integrate good risk information with decision activities for better planning

UNCLASSIFIED

Understanding the risk management process is the key to defining the purpose and the goals of every directorate within NGA

Purpose & Goals
– Identify the Agency’s Top Risks so that NGA can direct the right amount of resources, at the right time, to implement the right solution
– Ensure that all NGA directorates understand the identified risk with a mitigation plan that is created from a common frame of reference
– Create a bottom-up and top-down approach to Enterprise Risk Management
– Track overarching or summary level risks and use that information to assist with strategic decisions
– Instill the belief in the workforce that communicating risks is a positive, not negative, process that is rewarded, not punished

The value of risk management is that it is in line with Industry best practices and coincides with NGA’s mission

Process compliant with industry standards

Unified risk management process

Web-based risk management tool

Improved participation and communication throughout the Agency

Increase visibility with all stakeholders

Achievement of organizational objectives

Defining the value of the ERM process is different for every organization; the key is understanding how you define ‘Value’

So why implement an Enterprise Risk Management (ERM) program?

It can almost be thought of as situational awareness and capital improvement all in one

By identifying risks, executive leadership and mid-level management can make a decision that is based on solid information with a strategy to mitigate the risk at hand

Management can look to see which are the most critical risks within the agency and then define the appropriate resources to resolve the issue

If implemented correctly, the entire enterprise will benefit from understanding the most important issues and the biggest challenges


Agenda

Defining Risk Management – Chip

Programmatic Development – Courtney
– NGA Risk Management Process
– Implementation at the Program Level

Identifying and Managing Risks – Courtney

Changing A Culture – Chip

Applying Risk Management to other Organizations – Chip


An enterprise risk management process should be documented to ensure standardization

Process documentation contains the following information:
– Tasks required to implement the ERM process
– Entry and exit criteria
– Inputs and outputs
– Roles and responsibilities
– Required measures

Templates and training materials should be made available
– Risk management plan templates
– Briefing templates
– Enterprise risk management training package


Projects and programs should tailor the ERM process to meet their needs

The following elements of the ERM process can be tailored by projects and programs:
– Stakeholders
– Probability and consequence definitions
– Risk tolerance thresholds
– Roles and responsibilities
– Communication plan
– Measures

Each project and program should document their risk management process in a risk management plan

Risk management at NGA is an iterative, tailorable process

[Figure: ERM process diagram. Steps: ERM 01 Develop Strategy; ERM 02 Identify; ERM 03 Analyze; ERM 04 Plan; ERM 05 Monitor; ERM 06 Control. Other labels: Project Kick-Off; Communication; Lessons learned; Validated risks, issues, opportunities; Classification, Rating, Handling, Priority; Mitigation Plans, Contingency Plans, Triggers; Status reports]

Source: Adapted from the Software Engineering Institute’s “Continuous Risk Management Guidebook”


Agenda

Defining Risk Management – Chip

Programmatic Development – Courtney

Identifying and Managing Risks – Courtney
– Identifying Risks
– Analysis and Planning
– Monitor and Control

Changing A Culture – Chip

Applying Risk Management to other Organizations – Chip

There are four elements to risk identification at NGA

Title
– Captures the “so-what”

Statement
– For risks and opportunities: “If [concern], then [consequence or benefit]”
– For issues: “[Statement of concern]; thus, [consequence]”

Context
– Facts only (who, what, when, where, why)
– Avoid assumptions
– Do not introduce new risks
– Avoid blame

Closure Criteria
– Must alleviate the concern in the statement to an acceptable level
– Must be specific, actionable, and measurable

Risks are analyzed and handled using the appropriate method

Qualitative analysis is performed to determine:
– The level of cost, schedule, and performance impacts
– The probability of occurrence (probability is 100% if it is an issue)

Results are mapped on a probability impact diagram to determine the risk level

A handling method is chosen depending on the type of risk:
– Mitigate, Resolve, Exploit
– Watch
– Transfer
– Assume

Plans for reducing the probability of occurrence or severity of consequence if the risk occurs are developed

[Figure: Probability Impact Diagram. Probability of Occurrence: 0-19% Highly Unlikely; 20-39% Unlikely; 40-59% Likely; 60-79% Highly Likely; 80-99% Near Certain; 100% Issue. Consequence Level: Negligible, Marginal, Significant, Catastrophic. Also labelled on the diagram: Critical]

Risks and progress on their plans must be monitored and controlled

Monitoring risks is extremely important
– New programs are created
– Resource levels change
– Funding status changes
– New supporting information is discovered

Risks should be updated to reflect any changes found in the Monitor step

Controls (risk boards) are in place at every level of NGA to monitor risks. These boards can make several decisions about each risk:
– Reject (need more information or rework)
– Accept
– Escalate
– Return for status
– Close

Risk Controls at NGA

[Figure: risk controls at NGA. Labels: NCEE; Directorate; JOIO; IT/IS EE; GeoScout; Key Component Risk, Issue, and Opportunity Management Board (KC-ROMB); Risk Management Core Team (RMCT); ELG; Strategic Risks; Enterprise Risks; Directorate Level Risks; Program Risks; Joint Risk Process]


Agenda

Defining Risk Management – Chip

Programmatic Development – Chip

Identifying and Managing Risks – Courtney

Changing A Culture – Chip
– Obtaining Buy-in & Support
– Risk & Reward vs. Exposure & Condemnation
– Defining a Concept of Operations (ConOps)/ Risk Management Plan
– Training

Applying Risk Management to other Organizations – Chip


Where do you stand with the evolution of risk management?

Problem Stage

“I’m too busy to apply a formal risk management practice.”

Risk identification not seen as positive.

“What went wrong?”

Mitigation Stage

“Risk Management is What Managers Have to Do”

Aware of risks but not sure how to communicate them

“What can go wrong and what are the consequences?”

Prevention Stage

“Risk Management is everybody’s responsibility.”

Risk management is viewed as a team activity

Identification and elimination of root causes

“What caused the risk?”

Anticipation Stage

“We can focus on the right priorities”

Use of measures to anticipate predictable risks

Alternatives are easy to compare using a quantitative approach

“How can we proactively attack risks and assess alternatives?”

Opportunity Stage

“Where there is risk, there is opportunity”

Risks are a chance to do better than planned

Risk management is used to innovate and shape the future

Engineering excellence

“How can we take advantage of risks?”

Increasing levels of knowledge, commitment, communication, efficiency, and effectiveness enable transformation through each stage

Source: NGA Enterprise Risk Management Training Workshop


Defining and utilizing the risk management process will not succeed with just executive level support

The risk management process has to be embraced by the entire organization and championed by Leadership

Obtain buy-in through:
– Using checklists for standardization
– Providing guidelines
– Encouraging and welcoming open communications between individuals, departments, and organizations
– Taking Surveys
– Evaluating the upside and downside of the risk

Obtain commitment and resources from leadership. At this point, risk management automatically becomes a management priority and leadership becomes an advocate of risk management and supports the process


Changing a culture is not easy, but a little praise could not hurt

The key is to understand that 'risk' exists and it can be managed and rewarded

Training, Training, and Training instilling Risk & Reward vs. Exposure & Condemnation

Leadership Communications
– Talking points
– Brown bags
– Define why holding risk information is not a benefit

Transition to a Risk Aware (Manage the Risk), not Risk Averse culture


Defining a Risk Management Plan is a must if you want your ERM program to succeed

Identify, Evaluate and Manage the process for risk management

Develop Comprehensive Safety/Loss Control Programs, Policies, and Procedures that are tailorable to specific risks

Establish a Catastrophic Business Continuation or COOP Program

Transfer Risk Whenever Economically Feasible through Insurance, Legal Contracts, and Avoidance

Analyze/Re-evaluate Your Risks on a recurring basis

Identify best practices

Benchmark and define standards/metrics

NGA has implemented a very effective training program that addresses risks, mitigation, and NGA’s culture

Enterprise Risk Management Training Workshop
– One day workshop held at least once a month
– Trained over 500 NGA contractors and government employees
– Teaches the risk management language at NGA, the enterprise risk process, and allows students to practice identifying and managing risks

Executive Level Overview Training
– 2 hour overview of enterprise risk management at NGA
– Presented to senior level NGA management
– Describes the process and how management can engage


Agenda

Defining Risk Management – Chip

Programmatic Development – Chip

Identifying and Managing Risks – Courtney

Changing a culture – Chip

Applying Risk Management to other Organizations – Chip
– Lessons Learned
– Best Practices


Communicating risks can be implemented better by understanding the Lessons Learned from previous risks

Identify

Communicate

Learn


Implementing best practices assists in communicating effectively

Using a Risk Management process that is consistent with existing government and industry best practices results in easier client buy-in, implementation and results

DAU Risk Management Community of Practice

Plan: Standard definitions; Processes; Team training

Identify: Situation; Uncertainty; Impact; Actions

Control: Mitigation; Contingency Plans

Analyze: Probability; Impact; Outcomes

Monitor: Maintain history; Monitor plans; Periodic updates

One Firm delivering results that endure

How to Learn More…

DAU
– PMCoP (https://acc.dau.mil/CommunityBrowser.aspx)
– New Risk Management Guide, Aug 2006
– Acquisition Review Quarterly, “Risk Special Edition”, Spring 2003

PMI
– http://www.pmi.org/info/default.asp
– PMBOK
– Risk SIG

INCOSE
– https://www.incose.org
– Risk Management Working Group

Prince2 – Projects in controlled environments
– http://www.tsoshop.co.uk

Read!


Closing Remarks

The Director of Central Intelligence Directive (DCID) 8/1, identifies risk management as “Balancing the goal of greater intelligence information sharing with the need to protect sources and methods requires IC members to apply a risk management methodology. This policy must be implemented in ways that balance the risk of unauthorized disclosure of sources and methods against the imperative to provide the most useful and responsive intelligence. The information needs of the customer must be given important weight in this risk management determination.”

Q&A