
From Integrated Risk Management to Enterprise Risk-Based Decision Support: A Phased Approach

Lovely Krishen, Ph.D.
Lead Risk Analyst
Technical Team Lead
Futron Corporation

International Society of Risk Analysis Conference
Baltimore, Maryland
December 7-9, 2009

Futron Corporation
7315 Wisconsin Avenue, Suite 900W
Bethesda, Maryland 20814
Phone 301-913-9372
Fax 301-913-9475
www.futron.com

Better Decisions Better Future

From Integrated Risk Management to Enterprise Risk-based Decision Support: A Phased Approach. Krishen L*; Futron Corporation, lkrishen@futron.com

Abstract: In technology-related endeavors, applied risk management often results in a stove-piped approach by organization and is also influenced by a tactical versus strategic project management perspective. Conversely, decisions and risk mitigation plans are then implemented at the enterprise level, resulting in a gap in an effective risk management process overall. This presentation discusses the strategic and tactical aspects of merging top-down integration processes driven by enterprise risk management (RM) needs with the bottom-up approach of building and defining risk-based decision support initiatives. The merging of the RM processes with risk-based decision implementation is needed especially with changes at enterprise levels. To meet unique challenges posed by a Government agency undergoing organizational transformation, we developed a comprehensive strategy using enterprise-level decision management initiatives. Results of employing enterprise-level risk factors identification, strategic communications, and collaborative mitigation methodologies will be presented. Integration issues identified in existing risk information management tools and implementation methods will be presented. Additionally, the presentation will discuss innovative approaches to solving the integration issues in existing risk information management tools and implementation methods. The conclusions will be presented within the context of building a new and phased approach to Agency-wide strategic risk and decision management. This presentation will help provide best practices and lessons learned to RM practitioners and consultants facing the complex and unique challenges posed by clients undergoing enterprise and agency-level reorganization.

Organizational Transformation: Pushing Risk Management Boundaries

In the absence of structured and integrated Federal Agency (Agency) or Enterprise-level Risk Management:
- Strategic planning and decision implementation needed to happen
- Risks needed to be identified, tracked, and managed at all organizational levels
- Risk communication processes needed to be established horizontally and vertically

Working over a 3-year strategic planning horizon, our team has made the following observations:
- Establishing and communicating a unique, tailored risk management implementation strategy from the transforming program up and out is essential
- Regardless of true ownership, risk information needs to be captured, communicated, and used for decision-making at enterprise levels
- Boundaries become blurred for successful mitigation of transformation risks: collaboration and due diligence are fundamental
- Families of risks exist: Parent-child relationships, sibling risks, and adopted risks
- Risk management tools need added flexibility to bridge information gaps
ISO 9001 Registered

Background
Risk Management (RM) is about implementing an objective, structured approach to proactive problem-solving
- Identify success criteria
- Identify risks to achieving success
- Analytical or quantitative risk assessment
- Qualitative ranking
- Key strategy: Successfully installing a Risk management system depends on tying in overall programmatic organizational goals and objectives

[Figure: risk management process diagram. Labels: Establish Context; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Communicate & Consult; Monitor & Review]


Defining the Problem


Unique Case Study: Agency undergoing organizational transformation:
- Three major programs with different lifecycles, missions, and decision making scenarios are in a delicate balance:
  - One Program is shutting down: transition and retirement (T&R)
  - The second Program is in operational cycle
  - The third Program is in development cycle
- These programs are looking at shared infrastructure and institutional assets, resource constraints, skill set changes, generational changes in the workforce, and new funding approaches

Program and mission in final stages

Operational Program with Logistics needs

Developing Program with Architecture Decisions in work


Defining the Role


ISSUE: At the same time, Agency-wide Enterprise Risk Management still in conceptual stages with no real requirements or success stories

Our role was to implement a working Risk Management Framework and integrate that into existing Program-level processes and drive towards risk-informed decision making at all levels
- Framework was designed to support the Program undergoing transition and retirement

[Figure labels: Agency; Programs; Projects; Suppliers/Vendors]



Proposed Agency Integrated Risk Management


Agency RM leaders recognized need for Agency integrated risk management:
The different types of risk in a complex organization are generally not independent of each; they usually influence or impact each other. Therefore the stovepiped approach of conducting risk management for only one type of risk is not a useful management practice [1].

1. Stamatelatos, M., Ph.D. and H. Dezfuli, Ph.D. Agency-Wide Integrated Risk Management System. 2006.


Identifying Disconnects
Top-Down Risk Management dependent on disparate sources of information to feed Enterprise decisions
- RM tools stovepiped for different organizations from supplier (contractor) to Projects to Programs to Agency
- No integration or communication over organizations horizontally
- Decision environments constrained by organizational structure, goals, and maturity levels leads to communication gap
- Cross-organizational risk reviews not a requirement, nor a normal practice

Bottom-up Risk Management based on mission operations and related criteria, NOT tailored for T&R
- Strategic planning of capability shutdown risks vs. tactical (operational) risks
- Start by developing a working RM system with the T&R team and build the bridge from there

Project RM Implementation: A Place to Start


[Figure: RM implementation roadmap]
- Initiate: Initiate Project; Instill Culture
- Plan: Tailor Practice; Detail Project Plan; Install Tools
- Execute: Train Staff; Facilitate RM
- Control: Improve Practice
- Close: Capture Lessons Learned

Roadmap is executed in phases
- Phases are the same as Project Management Institute's lifecycle phases
- Provides a management approach for RM implementation

Elements of roadmap were needed to build a working RM framework, BUT:
- T&R not a true program; rather something between a program and a mission with institutional flavor/criteria
- Goals and success criteria were not well-defined, so risk identification difficult
- Required to use Mission Operations-based RM Plan and tool

Phase 1: The Building Block Approach

Risk communication and information capture becomes the foundation for installing and deploying a successful RM strategy from the bottom up
- Tailored Risk Identification Workshop conducted to help management team understand and capture T&R mission-specific:
  - Success criteria
  - Risk factors
  - Consequence criteria
  - Identified risks
  - Evaluation criteria
  - Risk handling and mitigation strategies

Risk Workshop Products


Best Practices: The Tailored Risk Workshop


- Involve organizational technical leads and management from sponsoring program as well as affected stakeholder organizations
- Make sure all team members are trained in RM basic concepts and tools/processes in place
- Capture all risk data regardless of whether risk is actually owned by the sponsor program
- Outline unique enterprise-level risk factors (program management, technical, non-technical performance parameters)
- Build risk evaluation criteria (e.g. Scoring Guideline) that augments but still uses baselined program scorecard
- Emphasize and initiate risk mitigation collaborative planning (e.g. Leveraged expertise and shared resources among affected organizations)
- Risk transfer and residual risks are potential outcomes


Best Practices: RM Tool and Process Customization


Flexible management to offset trap of compartmentalized thinking
- T&R management assigned Horizontal Cross-cutting area leads (e.g. Facilities/assets, historical preservation, knowledge, environmental, human capital, supply chain, budgets, contracts, records/IT management, etc.)

Update current RM plan to define risk escalation criteria and review/decision-making process within the transforming program

Modify existing risk tracking and reporting tool with:
- T&R-related impacts flags
- Parent-child relationships
- Horizontal leads as Owners
  - Parent risk owners
  - Children reside with PMs
- Additional risk scoring criteria
- Tailored risk reports as needed



Phase 2: Information Flow and Decision Interfaces


Risk information management continues beyond the initial database capture and sponsoring program
- Facilitate transfer of T&R-related residual risks or capture of sibling risks with impacted programs, institutions, and Agency-level management
  - Multi-lateral risk review process (e.g. Quarterly Transition risk reviews)
  - Cost Threat capture (e.g. Loss of important Agency strategic capability: how much would it cost to restart it versus retain it?)
- Cross-pollination of Program and Agency decision-making councils to ensure thorough vetting
- Multi-organizational Risk Mitigation Special Teams

Document Decision interfaces within each Program plan

Futron Next Steps: Integration and Innovation


Risk information integration vital to development of decision alternatives
- In process of integrating content for strategic capabilities, infrastructure management, and associated risk and cost threats assessments to architect decision information management platform
- Rapid and customized reporting for analysts as well as for program managers

Communications forum upgrades to offset potential loss of knowledge and share risk context data
- Agency knowledge management and lessons learned sites, wiki/blogs, and Pause-and-Learn sessions
- Collaborative tools (e.g. SharePoint, ThinkTank) Web

Teaching and facilitating Enterprise Risk Management to provide Top-down push to connect-the-dots
- In work: Implementing Risk-Informed Decision Making at Agency level

Summary
Agency transformation brought about by shutdown of a major program revealed lack of established enterprise-level risk management
- No strategic risk capture or integration of information
- Compartmentalized RM systems, tools, and processes

Our approach focused on building a phased RM template that would bridge the gaps in:
- Information management
- Communications
- Assessment/Evaluation
- Handling Strategies

To date, this effort continues to be a Pathfinder in helping our clients make timely decisions and mitigate Transition-related risks

Between every worthwhile destination and where you are lie many critical decisions.


Photo courtesy of NASA

Futron

Questions?
Dr. Lovely Krishen
281-333-0190, X5512
lkrishen@futron.com
