The National Defense Authorization Act directed the Government Accountability Office (GAO) to annually assess a sampling of Department of Defense (DOD) major automated information system (MAIS) programs. The act requires that the GAO assess programs in terms of cost, schedule and performance targets, risk management practices, and acquisition best practices.
This article summarizes some key risk management lessons from the recent review of the Defense Agencies Initiative (DAI) program. This DOD program is intended to improve financial management processes for several agencies. The emphasis in this article is not on the specific automated information system, but rather on the suggestions for improving real-world risk practices that can be applied in public and private programs alike.
According to the Project Management Institute Project Management Body of Knowledge (PMBOK®), effective risk management allows for identifying adverse events before they occur, performing risk analysis, and planning risk responses. Effective risk management attempts to reduce negative impacts to project objectives.
Specifically, key risk management practices include:
The DAI program assessed by the GAO had not fully identified risks, but was implementing specific steps to do so. Best practices in progress to improve in this area included:
Risk Assessment and Categorization
The DAI program was taking the initiative to consistently evaluate and categorize risks, something that had not occurred in the past. Steps to improve in this area included:
Risk Response Plans
The DAI program had not completed development of mitigation plans for risks because it was in the early phases of risk management adoption.
PMBOK best practices to consider for implementation to develop risk response plans include:
Regular Risk Monitoring
During the GAO assessment of the DAI program, it was determined that weekly program status review discussions did not correspond to the current risk log. The program is taking steps to align program reviews with the risk log. Best practices to consider for monitoring risks include:
Most government agencies and public sector organizations alike could benefit from improvements in risk management methodologies. If your organization is lacking in one of these key areas, take steps today to minimize the impact of negative risks to your programs.