Transcript Slide 1
Slide 1: Title
IMS NextGen EA ERM RiskMosiac© – Connecting the Dots Across the Enterprise
NextGen Enterprise Risk Management V3.51
Ken Kepchar, ESEP, CISSP – EagleView Associates LLC – [email protected] – 703-346-7706 (Cell)
Paul Abramson – PDA Associates – [email protected] – 508-358-7654 (O), 508-341-6450 (Cell)

Slide 2: Why an Adjustment in Our Thinking?
Traditional System-Centric Risk Management Practices compared with Enterprise (System-of-Systems) Risk Management Practices:
• Traditional: Resources are typically within the organization responsible for System delivery.
  Enterprise: Resources typically are spread across the organizations responsible for the component System(s).
• Traditional: There is a shared set of objectives across the program against which to baseline uncertainty.
  Enterprise: Stakeholders probably have competing objectives or goals.
• Traditional: The organization is usually hierarchical, with well-defined risk and governance processes.
  Enterprise: Participants usually act independently, without common risk or governance processes or approaches.
• Traditional: A single Risk Plan, with risk treatment focused on single risks.
  Enterprise: Multiple Risk Plans – the risk treatment focus must shift to “portfolios” so that measures can be shared and mutually effective.
• Traditional: Risk efforts are bounded by System boundaries or program scope.
  Enterprise: Risk efforts need to address interdependencies across the component Systems or organizations.
• Traditional: Root cause factors are defined as performance (technical), schedule, or cost.
  Enterprise: Root cause factors need to reflect the added complexity introduced by Enterprise relationships.

Slide 3: Multi-tiered Strategic Risk Management Approach
• Enterprise Risk Management Strategy
• Enterprise Architecture
• ERM Plan
• Transformational & Enabling Programs
[Figure: three tiers. LEVEL 1 – Enterprise (NextGen): STRATEGIC RISK FOCUS. LEVEL 2 – Mission / Business Process (NSIP – Segment). LEVEL 3 – Implementation System (Solution): TACTICAL RISK FOCUS.]
• Traceability and transparency of risk-based decisions
• Organization-wide risk awareness

Slide 4: Definition of Enterprise Risk
A risk is considered an enterprise risk if it directly impacts the objectives of the System-of-Systems by affecting more than one system (program), domain, or stakeholder, or if it cannot be completely addressed by a single organization. For example:
• It degrades a stakeholder benefit stream or business case
• It impairs ATC capability delivery – in performance, schedule, and/or cost
• It affects cross-cutting factors at the NextGen level (environmental, safety, information security, economic, international)
• It stems from the level of readiness – from either a technology or an integration perspective
Consequently, the purpose of Enterprise Risk Management is to protect and enhance the value of the Enterprise portfolio by addressing risks that cut across more than one organization.

Slide 5: Integration Framework
• Ensuring the complete NextGen trade space is considered
• Identifying and understanding the relationships and interdependencies across operational domains, factoring in enablers and cross-cutting factors to provide a common NextGen operational picture
• Helping characterize the issues from a global perspective and formulate mitigation strategies to reduce integration barriers
• Providing more accurate and comprehensive guidance for both policy-makers and researchers about the feasibility and desirability of initiatives

Slide 6: Enterprise Risk Management Framework Spans the Full Life Cycle
[Figure: Level of Uncertainty plotted against Time / Stage in Life Cycle, with the annotation “Increasing Uncertainty (Life Cycle Phase Dependent)” and two curve labels, “(Programmatic)” and “SoS Capability (External)”. Life-cycle stages and milestones shown: Initial Investment Decision, Final Investment Decision, Implementation, Acceptance, Initial Operating Capability, Operations. Investment activities shown along the axis of Increasing Degree of Maturity: Basic Research; Applied Research/System Development; Prototyping, Demos and other Risk Reduction Activities; Acquisition and Implementation Activities.]

Slide 7: Enterprise Risk Management Framework
Risk: A future situation or circumstance which creates uncertainties about achieving Enterprise objectives.
Opportunity: A future situation or circumstance with a realistic (neither zero nor 100 percent) likelihood/probability of occurring, and which may create a favorable outcome toward advancing Enterprise objectives.
[Figure: process cycle centered on the Enterprise Risk Management Plan, fed by Program Execution Planning and Operational Experience.]
• Identify Risk/Opportunity – What can go wrong? Or what can improve an outcome?
• Analyze Risk/Opportunity – How big is the risk or opportunity?
• Select Approach – How can you reduce the risk and/or maximize the outcome?
• Risk Board Decision
• Implement Decision – Are all the necessary elements in place for execution?
• Monitor and Track Results (Management Visibility) – How are things going?

Slide 8: Three Pillars – Tailoring Traditional Enterprise Risk Categories to NextGen
[Figure: mapping of traditional system-centric causes to NextGen categories. System-centric causes (choice driven by a singular root cause): Schedule & Progress; Resources & Cost; System Performance; Technology. NextGen categories are grouped under Program Health (Solution Development) and Business Factors (NextGen Operation), with the pillars Programmatic, Implementation, and NextGen Capabilities (External); factors shown include Acceptance, NextGen Performance, Environment, Enablers, Harmonization, Organization, Integration, Operational Considerations, Social/Economic Equity, and Stakeholder & User Satisfaction.]

Slide 9: Organizing the Enterprise Risk Register by Root Cause
• The risk register is analyzed to determine root cause affinities:
  – For each risk, a “root cause” is identified according to the 17 root-cause factors in the NextGen ERM Breakdown Structure
  – After analysis of the Risk Register, risks are assigned to groups, or portfolios, for further analysis
• Legend:
  – The number of risks in each category is shown in ( )
  – The colored numbers are the ranking of the cause by the number of risks listed in that portfolio

Slide 10: Enterprise Risk Board (ERB)
• The NextGen Enterprise Risk Board guides enterprise risk management efforts
• Membership reflects the Enterprise community at large – representation from each contributing stakeholder
• For each risk portfolio, the Board selects:
  – Priority
  – Mitigation strategy
  – Organization of primary mitigation responsibility (OPR)
• A shared governance process ensures a common, complete understanding before implementing mitigations and coordinating with stakeholders
The ERB does NOT dictate specific actions or approaches – individual OPR practices, policies, and procedures will govern.

Slide 11: Helping the ERB Prioritize
• Individual risks are left to individual stakeholders/domains
• Enterprise interactions are addressed by the ERB
• The risk register needs to support analysis at the interdependency level
[Table: Risk Portfolio and Risk Cause tables, giving the count of risks per cause. Legible entries: Certification (1), Demand (1), Equipage (5), Funding (4), Human factors (2), Management (20), Performance (73), Schedule (33), Spectrum (7), Cost (4), Staffing and Training (6), Safety (1), Information Security (1), Procedures (1), Risk Management (1). Regulation, Stakeholder, Standards, System Engineering, System Supply and Technical are also listed, but their counts are not legible (remaining values shown: 11, 6, 30, 1, 12). Yellow = heavy hitters; annotations mark portfolios that contribute 2 or 3 of the Top 10 risks.]

Slide 12: Helping the ERB Prioritize – NextGen Example
[Figure: graphics output of the risk register for NextGen; no text beyond the title.]

Slide 13: Drilling Down into Graphics Output
• Risk Portfolios are shown in blue with a round halo symbol
• Risk Causes are shown as tan rectangles with a rectangular halo symbol
• Risks are shown as rectangles, with the color of the box dependent upon risk level (red, yellow, green)
• Line color also indicates the level of the risks being connected
• Clicking on a connection highlights the connection and reveals the source data in a table
• Clicking on a box displays the data behind that particular item
• Filters can be set up to display only red, only yellow, or only green risks

Slide 14: World Economic Forum Report
• In the 2011 edition of the World Economic Forum report (Global Risks 2011, Sixth Edition, http://riskreport.weforum.org/), Risk Interconnection Maps (RIMs) were used to visualize risks, using colors and links to define risk portfolios and interdependencies
• The WEF web site allows interactive viewing of the RIM via a proprietary Data Explorer

Slide 15: Conclusions
• Risk information in the Enterprise Risk Register must be presented in a manner that visually reinforces risk treatment at the portfolio level rather than for individual risks.
• This visualization can be used to facilitate collaborative risk model construction and analysis, and to develop insights into the relationships between risks and how they aggregate.
• Organizing risks into “portfolios” appears to be useful for grouping and then explaining risk priorities, risk mitigation strategies, and resource assignments.
• A traditional Risk Register needs to be extended to contain information about interactions, hierarchies, or linkages between risks in order to support Enterprise risk management.
• Risk analysis only provides the basis for decision making – a common governance model across the Enterprise is required to effectively treat risks to the benefit of all stakeholders involved.
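The portfolio analysis described on slides 9 and 11 (one root cause per risk, risks grouped into portfolios, causes ranked by count, heavy hitters flagged, analysis at the interdependency level) and the extended register the conclusions call for can be modelled in a few dozen lines. The following is an added example, not code or data from the presentation: the risk ids, titles, levels and links are constructed for illustration, the five root-cause names are a subset of those on the slides, and the heavy-hitter threshold is an assumed parameter.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Subset of the root-cause factors named on the slides (assumption: the full
# NextGen ERM breakdown structure has 17; only these five are used here).
ROOT_CAUSES = {"Performance", "Schedule", "Funding", "Equipage", "Information Security"}


@dataclass
class Risk:
    rid: str
    title: str
    level: str                 # "red" | "yellow" | "green", as on the graphics-output slide
    root_cause: str            # exactly one root cause per risk (slide 9)
    depends_on: list[str] = field(default_factory=list)  # linkage to other risks (extended register)


# Constructed sample register; ids, titles, levels and links are illustrative only.
REGISTER = [
    Risk("R-01", "Datalink latency above target", "red", "Performance", ["R-05"]),
    Risk("R-02", "Surveillance accuracy shortfall", "yellow", "Performance", ["R-06"]),
    Risk("R-03", "Trajectory exchange throughput", "green", "Performance", []),
    Risk("R-04", "Ground automation release slips", "red", "Schedule", ["R-07"]),
    Risk("R-05", "Avionics certification delayed", "yellow", "Schedule", ["R-06"]),
    Risk("R-06", "Operator equipage rate below plan", "red", "Equipage", ["R-07"]),
    Risk("R-07", "Out-year funding not appropriated", "yellow", "Funding", []),
    Risk("R-08", "Datalink messages not authenticated", "red", "Information Security", ["R-01"]),
]


def validate(register):
    """Return a list of register defects: unknown root causes or links to missing risks."""
    ids = {r.rid for r in register}
    problems = []
    for r in register:
        if r.root_cause not in ROOT_CAUSES:
            problems.append(f"{r.rid}: unknown root cause {r.root_cause!r}")
        for dep in r.depends_on:
            if dep not in ids:
                problems.append(f"{r.rid}: link to unknown risk {dep!r}")
    return problems


def build_portfolios(register):
    """Group risks into portfolios keyed by root cause (slide 9)."""
    portfolios = defaultdict(list)
    for r in register:
        portfolios[r.root_cause].append(r)
    return dict(portfolios)


def rank_causes(register):
    """Rank causes by number of risks, largest first (ties by name): [(rank, cause, count)]."""
    counts = Counter(r.root_cause for r in register)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(i + 1, cause, n) for i, (cause, n) in enumerate(ordered)]


def heavy_hitters(register, min_count=2):
    """Causes whose portfolio holds at least min_count risks (assumed threshold)."""
    return [cause for _, cause, n in rank_causes(register) if n >= min_count]


def cross_portfolio_links(register):
    """Interdependency-level view (slide 11): count of links from one portfolio to another."""
    cause_of = {r.rid: r.root_cause for r in register}
    links = Counter()
    for r in register:
        for dep in r.depends_on:
            if cause_of[dep] != r.root_cause:
                links[(r.root_cause, cause_of[dep])] += 1
    return dict(links)


def filter_by_level(register, level):
    """The red/yellow/green filter from the graphics-output slide."""
    return [r for r in register if r.level == level]


def upstream_closure(register, rid):
    """Drill-down on one box: every risk reachable by following depends_on links from rid."""
    by_id = {r.rid: r for r in register}
    seen, stack = set(), list(by_id[rid].depends_on)
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(by_id[cur].depends_on)
    return seen


if __name__ == "__main__":
    assert not validate(REGISTER)
    for rank, cause, n in rank_causes(REGISTER):
        print(f"{rank}. {cause} ({n})")
    print("heavy hitters:", heavy_hitters(REGISTER))
    print("portfolio links:", cross_portfolio_links(REGISTER))
    print("upstream of R-08:", sorted(upstream_closure(REGISTER, "R-08")))
```

Two design points follow from the slides: a risk carries a single root cause, so portfolio membership is a partition and the counts on slide 11 are simply group sizes; and the interdependency analysis is only possible because `depends_on` exists, which is precisely the extension to the traditional register that the conclusions ask for. `validate` should run before any board review, since a dangling link silently drops an edge from the portfolio-level view.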