Risk Management Lessons from the GAO

The National Defense Authorization Act directed the Government Accountability Office (GAO) to annually assess a sampling of Department of Defense (DOD) major automated information system (MAIS) programs. The act requires that the GAO assess programs in terms of cost, schedule and performance targets, risk management practices, and acquisition best practices.

This article summarizes some key risk management lessons from the recent review of the Defense Agencies Initiative (DAI) program. This DOD program is intended to improve financial management processes for several agencies. The emphasis in this article is not on the specific automated information system, but rather on the suggestions for improving real-world risk practices, which can be applied in public and private programs alike.

According to the Project Management Institute Project Management Body of Knowledge (PMBOK®), effective risk management allows for identifying adverse events before they occur, analyzing risks, and planning risk responses. Effective risk management attempts to reduce negative impacts on project objectives.

Specifically, key risk management practices include:

  • Identifying risks which could negatively affect work efforts and documenting their characteristics;
  • Evaluating and categorizing each identified risk using defined risk categories and parameters, such as probability and impact, and determining each risk’s relative priority;
  • Developing risk mitigation plans for selected risks to proactively reduce the potential impact of risk occurrence; and
  • Monitoring the status of risks periodically and implementing the risk mitigation plans as appropriate.

Risk Identification

The DAI program assessed by the GAO had not fully identified risks, but was implementing specific steps to do so. Best practices being put in place to improve this area included:

  • Development of a risk management plan
  • Creation of a risk management board
  • Development of a risk log
  • Identification of a risk management expert to provide subject matter expertise

Risk Assessment and Categorization

The DAI program was taking the initiative to consistently evaluate and categorize risks, something that had not occurred in the past. Steps to improve in this area included:

  • Development of processes for categorization using specified parameters
  • Determination of risk priorities

Risk Response Plans

The DAI program had not completed development of mitigation plans for risks because it was in the early phases of adopting risk management.

PMBOK best practices to consider when developing risk response plans include:

  • Development of risk response actions based upon the strategies most likely to be effective; strategies to consider include avoidance, transfer, mitigation, and acceptance
  • Consideration of fallback plans if risk responses prove ineffective
  • Review of possible secondary risks that could result from the selected response actions

Regular Risk Monitoring

During the GAO assessment of the DAI program, it was determined that the weekly program status review discussions did not correspond to the current risk log. The program is taking steps to align program reviews with the risk log. Best practices to consider for monitoring risks include:

  • Development of a recurring process for risk assessment and status meetings
  • Use of analysis techniques and risk audits for risks that pose a significant threat

Government agencies and other public sector organizations alike could benefit from improvements in their risk management methodologies. If your organization is lacking in one of these key areas, take steps today to minimize the impact of negative risks on your programs.