Risky Defense business

Defense AT&L, July-August, 2007 by Douglas J. Bragdon

I enjoyed the various risk articles in the May-June 2007 issue of Defense AT & L but was left with the feeling that all missed the most obvious problem with risk mitigation in DoD acqusition.

We can't make risks go away. Things happen. When a coworker gets ill, we inherently knew that was a risk to the workforce. When a manufacturing machine or computer breaks, we knew there was a risk that might happen. When a process or project doesn't flow as we had optimistically planned, we knew there was a probability of that.

We mitigate our daily risks by cross-training our workforce, keeping back-up machinery (or spare parts), and having contingency plans for when things don't go as planned.

Risk management is the art of deciding what those contingency plans will be. Industry passes on the costs of back-up workforce, parts, or plans to the consumer. But in DoD, we keep our budgets down by being success-oriented and minimizing backup items and alternative plans. It's a rare PM who can keep a budget padded with enough to fund risk-mitigation contingency alternatives to run in parallel with the baseline program--just in case something should happen. There are too many possible "somethings" for the PM to fund all alternatives, so we typically don't fund any. Hence--realistically speaking--there is little substantive risk mitigation in the DoD acquisition community.

Dick Rippere, Lt. Col. USAF (ret)

Level 3 PM

I'm a little confused by Douglas J. Bragdon's article "First Things First: The Importance of Risk Identification" in the last issue of the magazine. On the one hand, Mr. Bragdon seems to say the DoD isn't doing a good job of identifying risks:

"In order for the DoD risk management process to increase in value to programs, it needs to move out of its adolescence and become fully matured. The key to this maturity is improvement in the most important, yet most elusive part, of the process: risk identification."

But in the opening scenario, he writes: "'We actually proposed this risk three times,' says the RM. 'When we started out with our Delphi solicitation two years ago, over half of our industry experts mentioned it.'"

Mr. Bragdon goes on to write that "risk identification results are received with polite thanks--then left in a file." That doesn't sound like a breakdown in risk identification--the risks actually are being identified. Instead, this sounds like a failure to accurately assess and address the risk. More specifically, it sounds like breakdown in judgment, courage, and leadership (at the risk of quoting my own recent article on risk).

I completely agree with Mr. Bragdon that risk managmeent should never be just another engineering checklist. I appreciated his refreshingly honest appraisal of the state of risk management within the DoD. We do an awful lot of it, and we do a lot of it awful. But Mr. Bragdon and I part company on the solution to this problem. I do not think "a strong risk identification process" (or any other process) is going to help much, particularly in the absence of the aforementioned judgment and courage. PM's need courage to look risks in the face, and judgment to determine what to do about them. An over-reliance on process is doomed to failure from the start. And as Mr. Bragdon's article shows, that's how we got into this situation in the first place.

Maj. Dan Ward, USAF

Special Assistant to the Chief Scientist

Air Force Research Laboratory, Rome, N.Y.

The author responds: I took the liberty of defining Risk Identification as "... the activity that determines which risks are relevant to the program.." In doing so I extended this activity beyond the normal meaning of "identification" to include an evaluation of relevance. I think this is important in order to distinguish between risks cavalierly floated in a brainstorming session (which could be considered identification) and those that are fleshed out and considered thoroughly However, as Maj. Ward points out, I failed to stress this distinction adequately and caused needless confusion. The point to be made is this: Our programs aren't even addressing the right risks.

Not all good PMs can intuitively know the right path, and this is where the process adds value. But I totally agree with Maj. Ward that our PMs need courage to address difficult risks--another key ingredient of this inexact science.

Douglas J. Bragdon