Enterprise Risk Management (ERM) is the process of planning, organizing, leading and controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital and earnings. The goal is not to completely eliminate risk, but rather to increase risk awareness and prepare for the worst-case scenario.
The Department of Defense defined ERM in their Defense Risk, Issue and Opportunity Management Guide. This guide aims to help organizations make decisions about the best solutions for a technology acquisition while identifying, analyzing and attempting to handle the consequences of known risks, issues and opportunities. The key areas addressed in the guide are:
- Risks – Future events or conditions that may have a negative effect on achieving program objectives for cost, schedule and performance.
- Issues – Events or conditions that have already occurred, are occurring or are certain to occur in the future and have a potentially negative impact on the program.
- Opportunities – A proactive methodology that seeks to not only minimize the negative effects of dealing with chance, but also look at the positive outcome of obtaining the means and methods to deal with that risk.
To comply with the principles of ERM and the specifics in the DoD guide, organizations should follow five basic steps:
- Planning – What is the program’s risk management process?
- Identification – What can go wrong?
- Analysis – What are the likelihood and probable consequences of that risk?
- Handling – Should the risk be accepted, avoided, transferred or mitigated?
- Monitoring – How has the risk changed?
Doing this kind of analysis and risk prediction for every program within the government is not only a best practice but is also mandated by the Office of Management and Budget under OMB A-123. Compliance entails a mix of governance, processes and tools that can cost agencies a lot of time and money.
These compliance goals are a huge cultural and technological shift for organizations; so how are agencies approaching OMB A-123, RIO and other risk management protocols?
U.S. Air Force Materiel Command and Risk Management
The U.S. Air Force Materiel Command (AFMC) is responsible for 50% of the Air Force’s budget. In this role, risk management is critical to ensuring stewardship of taxpayer dollars as well as the success of mission-critical programs. AFMC needs to know the risk profile of each USAF program. The goal of implementing ERM in AFMC is to encourage a more comprehensive risk-management process and communicate risk at all levels. This allows for the delivery of consistent processes across the entire Air Force.
Through consistent risk-management procedures, AFMC helps the Air Force reduce costs, increase transparency for senior management, and gain a more solid understanding of the risks, not just for today’s missions, but also for those of the next generation. With a holistic effort that defines processes and employs tools to automate risk profiles and reporting, AFMC is able to effectively meet these goals. This translates into clearer risk-based decision-making, especially when it comes to funding.
In addition to the work at AFMC, ERM practices are being applied to new as well as existing programs across the DoD. Take, for example, DoD depots. Depots and arsenals are vital to national defense, but aging systems and growing budget pressures are stressing the capabilities of these highly dynamic environments. In order to keep these shops running effectively, risk needs to be calculated and applied to the procurement cycle. By doing this, depots can ensure their upgrades and improvements will help to maintain and sustain the development and production lifecycles.
The Future of ERM in Government Acquisitions
While the tenets of ERM have been around for over a decade, a major revision to OMB A-123 was released this summer that underlines the importance of the relationship between Internal Controls and Enterprise Risk Management (ERM). Under this new version, the following key milestones were set:
- During FY16 – Agencies are encouraged to develop an approach to implement Enterprise Risk Management, including a Risk Structure, to understand their risk appetite and tolerance.
- During FY17 – Agencies must continuously build risk-identification capabilities into the framework to identify new or emerging risks and/or changes in existing risks. An agency’s risk profiles should be made available to the OMB by June 2, 2017, for discussion.
Meeting these deadlines is a huge undertaking for any agency that does not already have a robust Enterprise Risk Management capability, and many of those that do will need to formalize their existing processes in order to comply. This level of risk-management maturity cannot be achieved with spreadsheets and stand-alone risk registers. Fortunately, there are a number of tools specifically designed to help agencies automate the risk-management process:
- Sword Active Risk has developed risk-management software that enhances visibility, accountability and confidence at project, program and enterprise levels. Active Risk Manager (ARM) integrates Risk Management, Cost Management and Schedule Management to show the real impact of risk, enable better-informed decisions and leverage risk to create a competitive advantage. See how they are helping agencies meet the new OMB A-123 guidelines in this webinar. And check out how Sword Active Risk helped AFMC meet their risk management goals by downloading the case study referenced above.
- Similarly, Autodesk’s software is designed to help engineers see the potential outcome of changes on a screen before any work is done in the field. This ability to see the impact of environmental conditions, planned construction or even cost factors provides a clear picture for risk planning. For more information on how Autodesk technology is being used in Maintenance, Repair and Overhaul projects in the DoD, watch this webinar series and check out this infographic.