What is the Best Procedure for Implementing a Risk Management Process in a Government

Department of Defense (DoD) Acquisition Category I (ACAT I) Program

A thesis submitted

By

Richard Allen Speight

to

Strayer University

in partial fulfillment of
the requirement for the
degree of

MASTER OF BUSINESS ADMINISTRATION, MANAGEMENT

This thesis has been

accepted for the faculty of
Strayer University by:

Chair

Professor Camilla Craig

Advisor

Name of External Reader

External Reader
 Strayer University

Directed Research Project

Certification of Conformity to Standards

I. Conformity to Standards for Strayer University Graduate Level Directed Research Project.

I, ___Richard Allen Speight______ certify that I have in good faith complied with the
requirements of Strayer University for this Directed Research Project. I also certify that any
work or effort that is not my own has been properly credited to the appropriate source(s). I
hereby submit this Graduate Level Directed Research Project to the faculty of Strayer
University for acceptance.

Student’s Signature __________________________________ Date ___September 15, 2009___

II. Acceptance of Directed Research Project.

I have received and examined this Directed Research Project and I believe it meets the
Graduate Level Standards of Strayer University.

Faculty Member’s Signature _____________________________ Date _____________

 Abstract

This thesis reviews the best procedure for implementing a risk management process in a

Government Department of Defense (DoD) Acquisition Category I (ACAT I) program. When

looking at risk management, it is necessary to understanding that risk is the evaluation of

uncertain future events that may affect a project’s cost, schedule, or performance. Risk

management is on iterative process that begins with risk planning then risk identification. The

process used by private industry is more process-oriented than that used by DoD project

managers. The purpose for this research is to determine if the process identified in Program

Management Book of Knowledge (PMBOK) would suit DoD programs better than the current

processes identified in the Risk Management Guide for DoD Acquisition.

 Risk Management 1

Table of Contents

CHAPTER 1 – INTRODUCTION..................................................................................................2

Define Risk Management............................................................................................................3

DoD versus Private Industry Risk Management.........................................................................4

Issue versus Risk.........................................................................................................................7

Definitions...................................................................................................................................7

CHAPTER 2 – REVIEW OF RELATED LITERATURE .............................................................9

Overview of the Program Management Book of Knowledge.....................................................9

Overview of the Risk Management Guide for DOD Acquisition.............................................12

CHAPTER 3 – METHODOLOGY...............................................................................................13

Overview...................................................................................................................................13

Method.......................................................................................................................................13

Data source................................................................................................................................14

CHAPTER 4 – CONCLUSION....................................................................................................15

Discussion..................................................................................................................................15
 Risk Management 2

CHAPTER 1 – INTRODUCTION

Risk Management is critical to the proper management of any project. Without an active

approach to managing risk, projects stand a greater potential for cost overruns, schedule slips,

failure to meet performance requirements, and ultimately complete project failure. When

looking at risk management, it is necessary to understand that risk is the evaluation of uncertain

future events that may affect a project’s cost, schedule, or performance. According to the Project

Management Book of Knowledge, or PMBOK (2004), these three elements of a project are

called the triple constraints because when any of these elements are changed, it always affects

the other two (PMI, 2004).

For example, a project office that procures trucks for the Department of Defense (DoD) has a

budget of $60 million to procure some number of trucks this year to meet an Authorized

Acquisition Object (AAO), which is a number representing total end strength. If halfway through

the year the project is required to take a $10 million reduction in budget, the schedule is affected

because it will now require more time for the project office to procure the total number of trucks

to meet the established AAO. This impact will also affect performance because the government

will have to adjust the requirements to reduce the per unit cost of the vehicle to maintain the

quantity purchase, or it will impact the manufacturer’s performance because the assembly line is

no longer producing to capacity and the manufacturer may have to look at ways to reduce or

realign its workforce.

The DoD has certain objectives that have to be met for each project and are delineated in the

Acquisition Program Baseline (APB) document for each project. This document takes the

requirements for cost, schedule, and performance from other source documents and puts it all
 Risk Management 3

under one cover for the project manager to work from. The objectives are typically limits and

constraints in which the project manager has to work. For private industry, project managers

work to a slightly different set of rules that are often set by contracts or by management goals.

When a private industry project manager is working to support a contract, often his requirements

are not that different from a DoD project manager. The contract for a firm is the equivalent of the

APB which sets limits, constraints, and requirements that must be met in order to manage the

project effectively. Other private industry managers are driven by revenue and profit goals set for

them by upper management. The risk associated with this type of management is probably even

more difficult in that what affects revenue and profits is often impacted by events outside of the

manager’s control. For this reason it is important to define what risk management is and the

process required to implement a risk management program. Identifying the differences between a

DoD risk management process and one implemented by private industry is key in determining

what is the proper procedure for implementing a risk management process in a government

Department of Defense (DoD) Acquisition Category I (ACAT I) program.

Define Risk Management

Risk management is “a fundamental aspect of any business. From a business perspective, risk

is an uncertain event or condition that, if it occurs, has a positive or negative effect on specific

planned or in-process strategic initiatives and their supporting objectives. The consequence of

these changes can have technical, schedule, or cost impacts; often, risk affects all three” (Bolles,

2006).

The DoD defines risk management as:

a continuous process that is accomplished throughout the life cycle of a system. It is an
organized methodology for continuously identifying and measuring the unknowns;
developing mitigation options; selecting, planning, and implementing appropriate risk
mitigations; and tracking the implementation to ensure successful risk reduction.
 Risk Management 4

Effective risk management depends on risk management planning; early identification

and analyses of risks; early implementation of corrective actions; continuous monitoring
and reassessment; and communication, documentation, and coordination. (DoD, 2006)

DoD versus Private Industry Risk Management

What is the difference between DoD and private industry risk management? When truly

comparing like methodologies, such as a product-oriented project, the first thing that can be seen

is that a private industry is interested in profits - how the firm nets some percentage of margin on

each product. Private industry typically views its risk management from this perspective and

monitors its processes until the product leaves the door of the factory or possibly the shelf of a

store. For the DoD, a project manager is responsible for the equipment from what is called

“cradle to grave.” In other words, the DoD project manager has to monitor the risk to the project

from the design stage, all the way through its life cycle, to when that piece of equipment is no

longer used by the DoD.

The second point of comparison would be the scope of a project. For the DoD, as discussed

earlier, a project manager has specific quantities of a given item that are going to be procured

and used. For a private industry project manager, oftentimes the limits for the product are

completely driven by supply and demand, which introduces a different set of risks with which

the DoD does not have to contend. In private industry it is imperative that the project manager

have a reliable economic forecast upon which to determine production rates and quantities of

supply. For a DoD project manager a budget is provided and quantities are placed on contract

accordingly.

Who performs risk management? Risk management is the responsibility of the project

manager. However, in most cases, risk management is a process that involves most of the people

on a project team. Additionally, most projects will have risk management boards that typically
 Risk Management 5

meet quarterly to reevaluate the identified risk and their mitigation plans. The project manager,

in reality, is usually the final approver for risk and mitigation strategies, as the teams will have

identified, vetted and documented the risk, and sequentially developed the mitigation strategy for

that risk.

Risk management is a continuous process that is performed from a project’s inception to its

completion. Figure 1.1: Risk Management Cycle, will show the iterative process for

implementing risk management for a DoD program. This figure illustrates the DoD philosophy

of cradle to grave risk management.

Figure 1.1 Risk Management Cycle (DoD, 2006)

Although no specific start point is identified, the obvious first step is to identify a project’s first

risk and the process will continue until the life cycle of the resultant equipment ends.

A more widely accepted and exacting practice for implementing risk management is shown

in figure 1.2: Project Risk Management Process Flow Diagram, this process identifies the
 Risk Management 6

process as shown in the PMBOK, and is one of the reasons to question what is the best procedure

for implementing a risk management process in a DoD Acquisition Category I (ACAT I)

program.

Enterprise Risk Develop

Environmental Management Project
Factors Planning Management
Plan

Organizational
Process Assets Risk
Identification

Scope
Definition

Qualitative Risk
Analysis
Develop
Project
Management
Plan
Quantitative Risk
Analysis
Performance
Reporting

Direct and Risk Response

Manage Planning
Project
Execution
Figure 1.2: Project Risk Management Flow Diagram (PMI, 2004)

According to the PMBOK (2004), “the objectives of project risk management are to increase
Close Project Integrated
Risk Monitoring
the probability and impact of positive events, and decrease the probability and impact of eventsChange
and Control
Control
 Risk Management 7

adverse to the project.” The processes for implementing risk management from this perspective

are: risk management planning, risk identification, quantitative risk analysis, qualitative risk

analysis, risk response planning, and risk monitoring and control. Figure 1.2 shows how these

steps relate to each other, and their definitions are listed below.

Issue versus Risk

One of the biggest mistakes a project team makes is wrongly identifying issues as project

risk. To prevent this from occurring the definitions for both are required. Risk is “an uncertain

event or condition that if it occurs, has a positive or negative effect on a project’s objectives”

(PMI, 2004). An issue on the other hand is an event that already occurred and requires corrective

action to fix or overcome. Risks are events that can be planned for and their mitigations put in

place to eliminate or diminish their effect.

Definitions

The following terms are used in this research and are defined below:

Qualitative Risk Analysis: “Prioritizing risks for subsequent further analysis or action by

assessing and combining their probability of occurrence and impact” (PMI, 2004).

Quantitative Risk Analysis: “Numerically analyzing the effect on overall project objectives of

identified risks” (PMI, 2004).

Risk Identification: “Determining which risks might affect the project and documenting their

characteristics” (PMI, 2004).

Risk Management Planning: “Deciding how to approach, plan, and execute the risk

management activities for a project” (PMI, 2004).

 Risk Management 8

Risk Monitoring and Control: “Tracking identified risks, monitoring residual risks,

identifying new risks, executing risk response plans, and evaluating their effectiveness

throughout the project life cycle” (PMI, 2004).

Risk Response Planning: “Developing options and actions to enhance opportunities, and to

reduce threats to project objectives” (PMI, 2004).

 Risk Management 9

CHAPTER 2 – REVIEW OF RELATED LITERATURE

This study will review the existing processes for performing risk management as a best

practice used by most private corporations as outlined in the PMBOK and the process used by

the acquisition community within the Department of Defense. This literature review is provided

so the reader will understand the processes involved – and their differences – and to see if a DoD

ACAT I program would benefit from a more robust approach to risk management.

The first step is to realize that managing risk is a fundamental aspect of business. Many

people do not view a DoD acquisition program as a business, but the use of public funds require

that the program manager be responsible for how he runs his program and spends his budget.

Like any commercial enterprise, the acquisition arm of the services has customers. These

customers consist of the men and women who put on a uniform and walk in harms way each and

every day. The big difference that commercial or private industries experience from the DoD is

that industries are calculating profit gains and profit losses; it’s all about the bottom line. For the

DoD, however, it is all about getting equipment that meets customer requirements to the right

place on time and within budget. As previously stated, the triple constraints of a program are

time, schedule, and cost. These truly are the three areas that risk management focuses on for both

private industry and the DoD.

Overview of the Program Management Book of Knowledge

According to the PMBOK (2004), “Risk Management includes the processes concerned with

conducting risk management planning, identification, analysis, responses, and monitoring and

control of a project.” With most of these processes continuously being updated throughout the

duration of the program. The process and objective of risk management is to identify events,
 Risk Management 10

both positive and negative, that will impact the program and to then decrease the probability and

impact of negative events while increasing the probability and impact of positive events. “The

Risk Management processes include the following: Risk Management Planning, Risk

Identification, Qualitative Risk Analysis, Quantitative Risk Analysis, Risk Response Planning,

and Risk Monitoring and Control” (PMI, 2004). Although risk management has distinct

processes associated with it that continually interact with each other, it is important to understand

that these processes interact with other aspects or areas of program management. Often times

people from multiple disciplines work together to develop risk mitigation strategies associated

with identified risk within a program.

Risk Management Planning is the process of determining how risks are to be handled within

a program. Risk planning consists of inputs and outputs. The inputs are environmental factors

such as an organizations attitude towards risk and the level of tolerance of the organization,

project scope statements and project management plans. The output for risk management

planning is a risk management plan that consists of the methodology, roles and responsibilities,

budgeting, timing, and risk categories (PMI, 2004).

Risk Identification is the process for determining which risk might affect the program and

documenting them. This is an iterative process that evolves throughout the life of the program

and uses the project team and other stakeholders in the program. The inputs for this step are the

same as those for risk management planning, but the output here would be a risk registry to be

used during the monitoring and control process.

Qualitative Risk Analysis is the process of racking and stacking the risk identified to

determine the probability and impact of a risk as well as the categorization and urgency of them.

The output from this process is updates to the risk registry.

 Risk Management 11

“Quantitative Risk Analysis is performed on risks that have been prioritized by the

Qualitative Risk Analysis process as potentially and substantially impacting the project’s

competing demands” (PMI, 2004). This process looks at the effect of those risks and assigns a

numerical rating to them using techniques such as Monte Carlo simulation to determine

consequence and likelihood. The output from this process is again updates to the risk registry.

Risk Response Planning is the process in which you develop options and determine the

actions to be taken. Risk response planning is approached from different perspectives depending

on whether the risk is negative (threat) or positive (opportunity). The three strategies for

typically dealing with negative risk are avoid, transfer, and mitigate (PMI, 2004). When a risk is

avoided, the program management plan would be changed to eliminate the threat created by the

risk. This often times includes efforts of descoping a program’s requirements. Transferring risk

is the process of shifting the impact of a threat to a third party. This can come in the form of

insurance, warranties, or guarantees, but it does not get rid of the risk, it just shifts responsibility

to someone else and usually involves fees of some sort. Mitigation is simply a reduction in the

likelihood or impact of a threat to an acceptable threshold. This is usually done early in a

program with methods such as prototype development and or redundancy designed into the

system. The three strategies typically employed with positive risk (opportunities) are exploiting,

sharing, and enhancing. When exploiting a risk the organization is really just making sure the

opportunity is realized. By sharing a risk, as in transfer, ownership is allocated to a third party.

By enhancing a risk the size of an opportunity is modified by increasing the probability of the

risk (PMI, 2004).

Risk Monitoring and Control is the process of identifying new risk, analyzing, and planning

for them. This process also involves keeping track of identified risk and reviewing the execution
 Risk Management 12

of risk responses all in an iterative process through the program’s development to its close. The

output associated with monitoring and control are: risk registry updates, requested changes,

recommended corrective actions, recommended preventive actions and program management

plan updates (PMI, 2004).

Overview of the Risk Management Guide for DOD Acquisition

Unlike private industry, where the exchange is complete once a product reaches the

consumer and the company receives payback, the DoD acquisition program manager is

responsible for a product until it is removed from the military inventory. “The purpose for

addressing risk on DoD programs is to help ensure program cost, schedule, and performance

objectives are achieved at every stage in the life cycle and to communicate to all stakeholders the

process for uncovering, determining the scope of, and managing program uncertainties” (DoD,

2006).

The Risk Management Guide put out by the DoD is to assist program managers in effectively

managing program risk. This guide is very useful in its approach to identifying where risk can

come from. The processes for risk management within the DoD guide are risk identification, risk

analysis, risk mitigation planning, risk mitigation plan implementation, and risk tracking. These

processes are similar to those described in the PMBOK, thus the reason for questioning the best

procedure for implementing a risk management process in a government DoD ACAT I program.

A benefit to the DoD Guide is that it provides good top-level guidelines for effectively managing

risk. One very good aspect of the DoD guide is that it lays out the risk management roles, from

the program manager down to the working groups. This, however, is where the comparison

begins.
 Risk Management 13

CHAPTER 3 – METHODOLOGY

Overview

The purpose of this thesis is to determine what is the best procedure for implementing a risk

management process in a government DoD ACAT I program. The recommendations that are

within this thesis are based on research and analysis of data and literature that provide guidance

from multiple perspectives on how risk management should be performed.

Method

A Qualitative research method was used in this thesis. Research questions were developed to

clarify the differences between how private industry performs the risk management process and

how the DoD performs the risk management process. To facilitate this methodology, numerous

documents written on the larger subject of Risk Management were explored and studied. Then

processes or steps used by several different organizations were examined, some of which buy

end products for government use, some of which produce end products for government use, and

some that produce end products for commercial or industrial use. By comparing these processes,

it can be determined if any one particular approach is better than the others. Once that is

completed the next question is, “Does this best process fit all situations?” As the research

continues, it may be determined that different processes may be needed for different organization

types. However, if a determination can be made that changes can be made to the way DoD

performs risk management, then the research will be beneficial and can be submitted to

policymakers for consideration. The methodology, then, is simply exploring the information

developed on the topic and comparing their processes and results to answer the research

questions.
 Risk Management 14

Data source

Resources and data used for this study were pulled mainly from other sited references. Three

critical sites provided valuable references. These sites were the EBSCO Publishing Database

website, The Program Management Book (PMBOK), and the Risk Management Guide for DoD

Acquisition, Sixth Edition. Prior studies were researched, but none were found that compare the

processes between private industry and the DoD.

The PMBOK and Risk Management Guide provided the idea of comparing how DoD

performs risk management to the way private industry does. The key research questions became

who performs it best and does the same process meet both required objectives. By having

intimate knowledge of these two processes, identification of which information each of these

sources provides was simplified. The EBSCO database at the William and Mary Center for

Professional Studies was used to identify additional resources using keyword searches. Through

this process, data collected to date was evaluated to determine what, and to what degree, each

document or publication provided relevance to the research question and determine how much

research has been previously performed on the specific issue.

 Risk Management 15

CHAPTER 4 – CONCLUSION

Discussion

This final chapter discusses the conclusions that are drawn from the research provided. It

provides recommendations on how the DoD could benefit from adapting practices and process

from the PMBOK to enhance the guidance currently provide in their own handbook. The DoD

Guideline provides great high-level guidance. It also gives great insight to where risk initiates

from. What the DoD Guide lacks, however, is detailed processes that show the inputs, tools, and

outputs of each process in the risk management procedure. The PMBOK provides these missing

elements that can be combined with the current DoD Guide to provide the direction needed to

properly manage risk within a program.

Conclusion

The best procedure for implementing a risk management process in a government DoD

ACAT I program is not the adaptation of one process over the other. The best solution for any

program within the DoD is to take the guidance from the DoD Guide and the detailed processes

from the PMBOK, the source for most private industry, and take a best practices approach. By

taking the guidance and detail from both sources, the DoD can establish unprecedented risk

management programs that could eliminate waste cost, scope creeps, and schedule slippages.
 Risk Management 16

REFERENCES

Bolles, D., & Hubbard, D. (2006). Communications and risk management: 17.2 Risk

management. American Management Association International, 201-204. Retrieved July 27,

2009, from Business Source Complete database.

CHAPTER 14: Risk Management in Practice. (2006). Retrieved July 27, 2009, from Business

Source Complete database.

Department of Defense (DoD). (2006). Risk management guide for DoD acquisition (6th ed.).

(Version 1.0), Department of Defense.

Dobbins, J. (2002). Critical success factor (CSF) analysis for DoD risk management. Program

Manager, 31(3), 40. Retrieved July 27, 2009, from Business Source Complete database.

Dunham Jr., W., Ostner, S., To, M., & Cochran, A. (2009). Know the rules. Best's Review,

110(3), 55-57. Retrieved July 27, 2009, from Business Source Complete database.

Kendrick, T. (2009). Identifying and managing project risk. American Management Association

International. Retrieved July 27, 2009, from Business Source Complete database.

Mays, E. (2009). Scenario analysis for board risk management. Corporate Board, 30(177), 17-

21. Retrieved July 27, 2009, from Business Source Complete database.

Panning, W. (2009). The why and how of risk-based planning. Best's Review, 110(3), 78-78.

Retrieved July 27, 2009, from Business Source Complete database.

Project Management Institute (PMI) (2004). A guide to the project management body of

knowledge (3rd ed.). Newton Square, PA: Project Management Institute, Inc.

Risk Management. (2004). Essential Economics, Retrieved July 27, 2009, from Business Source

Complete database.