Slide 1
IMS
ERMEANextGen
NextGen Enterprise Risk Management V3.51
RiskMosiac© – Connecting the Dots Across the Enterprise
Ken Kepchar, ESEP, CISSP, EagleView Associates, [email protected], 703-346-7706 (Cell)
Paul Abramson, PDA, [email protected], (O) 508-341-6450 (Cell)
Slide 2: Why an Adjustment in Our Thinking?
Traditional System-Centric Risk Management Practices vs. Enterprise (System-of-Systems) Risk Management Practices:
• Traditional: Resources are typically within the organization responsible for System delivery.
  Enterprise: Resources typically are across organizations responsible for component System(s).
• Traditional: There is a shared set of objectives across the program to baseline uncertainty against.
  Enterprise: Stakeholders probably have competing objectives or goals.
• Traditional: Organization usually hierarchical with well-defined risk & governance processes.
  Enterprise: Participants usually act independently without common risk or governance processes or approaches.
• Traditional: Singular Risk Plan with risk treatment focused on single risks.
  Enterprise: Multiple Risk Plans - Risk treatment focus must shift to “portfolios” for measures to be shared and mutually effective.
• Traditional: Risk efforts bounded by System boundaries or program scope.
  Enterprise: Risk efforts need to address interdependencies across the component Systems or organizations.
• Traditional: Root cause factors defined as performance (technical), schedule, or cost.
  Enterprise: Root cause factors need to reflect the added complexity introduced by Enterprise relationships.
Slide 3: Multi-tiered Strategic Risk Management Approach
• Traceability and transparency of risk-based decisions
• Organization-wide risk awareness
Levels shown in the diagram:
• LEVEL 1: Enterprise (NextGen)
• LEVEL 2: Mission / Business Process (NSIP - Segment)
• LEVEL 3: Implementation System (Solution)
Risk focus shifts from strategic at the Enterprise level to tactical at the Implementation System level.
Supporting artifacts:
• Enterprise Risk Management Strategy
• Enterprise Architecture
• ERM Plan
• Transformational & Enabling Programs
Slide 4: Definition of Enterprise Risk
A risk is considered an enterprise risk if it directly impacts the objectives of the System-of-Systems by affecting more than one system (program), domain, or stakeholder, or cannot be completely addressed by a single organization.
For example:
• It degrades the stakeholder benefit stream or business case
• It impairs ATC capability delivery – either performance, schedule, and/or cost
• It affects cross-cutting factors at the NextGen level (environmental, safety, information security, economic, international)
• It stems from level of readiness – either from a technology or integration perspective
Consequently, the purpose of Enterprise Risk Management is to protect and enhance the value of the Enterprise portfolio by addressing risks that cut across more than one organization.
Slide 5: Integration Framework
• Ensuring the complete NextGen trade space is considered
• Identifying and understanding the relationships and interdependencies across operational domains, factoring in enablers and cross-cutting factors to provide a common NextGen operational picture
• Helping characterize the issues from a global perspective and formulate mitigation strategies to reduce integration barriers
• Providing more accurate and comprehensive guidance for both policy-makers and researchers about the feasibility and desirability of initiatives
Slide 6: Enterprise Risk Management Framework Spans the Full Life Cycle
[Figure: life cycle chart. Horizontal axis: Time (Stage in Life Cycle); vertical axes: Increasing Degree of Maturity and Increasing Uncertainty (Level of Uncertainty is Life Cycle Phase Dependent). Phases: Basic Research; Applied Research/System Development; Investment Activities; Prototyping, Demos and other Risk Reduction Activities; Acquisition and Implementation Activities; SoS Capability Operations. Milestones: Initial Investment Decision; Final Investment Decision; Initial Operating Capability. Perspectives: (External) Acceptance; (Programmatic) Implementation.]
Slide 7: Enterprise Risk Management Framework
Risk: A future situation or circumstance which creates uncertainties about achieving Enterprise objectives.
Opportunity: A future situation or circumstance with a realistic (neither zero nor 100 percent) likelihood/probability of occurring and which may create a favorable outcome toward advancing Enterprise objectives.
Process flow, governed by the Enterprise Risk Management Plan and fed by Program Execution Planning and Operational Experience:
• Identify Risk/Opportunity: What can go wrong? Or what can improve an outcome?
• Analyze Risk/Opportunity: How big is the risk or opportunity?
• Select Approach: How can you reduce the risk and/or maximize the outcome?
• Risk Board Decision
• Implement Decision: Are all the necessary elements in place for execution?
• Monitor and Track Results (Mgmt Visibility): How are things going?
Slide 8: Three Pillars - Tailoring Enterprise Risk Categories to NextGen
[Figure: three pillars of enterprise risk categories.
Pillar 1, NextGen Capabilities (NextGen Performance): Integration; Technology; Enablers; Operational Considerations.
Pillar 2, Programmatic Implementation (Program Health, Solution Development): Resources & Cost; Schedule & Progress; System Performance; Organization.
Pillar 3, (External) Acceptance (Business Factors, NextGen Operation): Harmonization; Environment; Social/Economic; Equity; Stakeholder & User Satisfaction.
Annotation: Traditional System-centric Causes, choice driven by a (singular) Root Cause.]
Slide 9: Organizing the Enterprise Risk Register by Root Cause
• The risk register is analyzed to determine root cause affinities
  - For each risk, a “root cause” is identified per the 17 root cause factors in the NextGen ERM Breakdown Structure
• After analysis of the Risk Register, risks are assigned to groups, or portfolios, for further analysis
Legend:
• The number of risks in each category is shown in ( )
• The colored numbers are the ranking of the cause by number of risks listed in that portfolio
Slide 10: Enterprise Risk Board (ERB)
The NextGen Enterprise Risk Board guides enterprise risk management efforts. Membership reflects the Enterprise community at large, with representation from each contributing stakeholder.
For each risk portfolio, the Board selects:
• Priority
• Mitigation strategy
• Organization of primary mitigation responsibility (OPR)
The shared governance process ensures a common, complete understanding before implementing mitigations and coordinating with stakeholders.
ERB does NOT dictate specific actions or approaches – individual OPR practices, policies, and procedures will govern.
Slide 11: Risk Portfolio and Risk Cause Tables
Risk Portfolio counts:
• Performance: 73
• Schedule: 33
• Cost: 4
• Safety: 1
Cause counts (yellow = heavy hitters):
• Certification: 1
• Demand: 1
• Equipage: 5
• Funding: 4
• Human factors: 2
• Management: 20 (2 from Top 10 Risks)
• Regulation: 1
• Spectrum: 7
• Staffing and Training: 6 (2 from Top 10 Risks)
• Stakeholder: 11
• Standards: 6
• System Engineering: 30 (3 from Top 10 Risks)
• System Supply: 1
• Technical: 12
• Information Security: 1 (from Top 10 Risks)
• Procedures: 1 (from Top 10 Risks)
• Risk Management: 1 (from Top 10 Risks)
Helping the ERB prioritize:
• Individual risks are left to individual stakeholders/domains
• Enterprise interactions are addressed by ERB
• Risk register needs to support analysis at the interdependency level
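The register organization described on slides 4, 9 and 11, as an added example that is not part of the presentation: a register row is tested against the slide-4 enterprise-risk criterion (more than one system, stakeholder or owning organization), enterprise risks are grouped into root-cause portfolios, and the causes are ranked by risk count with a Top 10 tally as in the cause table. The Risk schema, the sample rows and the organization names are constructed for illustration and are not NextGen data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    # One row of an extended risk register (constructed schema, not the NextGen register)
    risk_id: str
    portfolio: str           # Performance, Schedule, Cost or Safety
    root_cause: str          # root-cause factor, e.g. "System Engineering"
    level: str               # red / yellow / green
    systems: frozenset       # component systems (programs) whose objectives it affects
    stakeholders: frozenset  # stakeholders or domains affected
    owners: frozenset        # organizations needed to treat it
    top10: bool = False      # flagged among the Enterprise Top 10 risks

def is_enterprise_risk(r: Risk) -> bool:
    # Enterprise risk: affects more than one system, domain/stakeholder,
    # or cannot be completely addressed by a single organization
    return len(r.systems) > 1 or len(r.stakeholders) > 1 or len(r.owners) > 1

def cause_portfolios(register):
    # Group enterprise risks into portfolios keyed by root cause;
    # single-system risks stay with their owning stakeholder
    groups = defaultdict(list)
    for r in register:
        if is_enterprise_risk(r):
            groups[r.root_cause].append(r)
    return dict(groups)

def rank_causes(register):
    # Rank causes as in the Risk Cause table: (cause, count, count from Top 10),
    # most risks first, ties broken by Top 10 count and then by name
    rows = [(c, len(rs), sum(r.top10 for r in rs))
            for c, rs in cause_portfolios(register).items()]
    return sorted(rows, key=lambda t: (-t[1], -t[2], t[0]))

def risk(rid, pf, cause, level, systems, stakeholders, owners, top10=False):
    return Risk(rid, pf, cause, level, frozenset(systems),
                frozenset(stakeholders), frozenset(owners), top10)

# Constructed sample register; identifiers and values are illustrative only
SAMPLE_REGISTER = [
    risk("R1", "Performance", "System Engineering", "red", {"A", "B"}, {"ANSP"}, {"OrgA"}, True),
    risk("R2", "Schedule", "System Engineering", "yellow", {"A"}, {"ANSP", "Airlines"}, {"OrgA"}),
    risk("R3", "Performance", "System Engineering", "green", {"A"}, {"ANSP"}, {"OrgA"}),
    risk("R4", "Cost", "Management", "red", {"C"}, {"ANSP"}, {"OrgB", "OrgC"}, True),
    risk("R5", "Performance", "Spectrum", "yellow", {"A", "C"}, {"ANSP"}, {"OrgA"}),
    risk("R6", "Schedule", "Management", "yellow", {"B", "C"}, {"ANSP"}, {"OrgB"}),
]
```

R3 touches a single system, stakeholder and organization, so it is excluded from the enterprise portfolios and left to its owning stakeholder, as slide 11 prescribes.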
Slide 12: Helping the ERB prioritize – NextGen Example
Slide 13: Drilling Down into Graphics Output
• Clicking on a connection highlights the connection and reveals the source data in a table
• Clicking on a box displays the data behind a particular item
• Line color also indicates the level of the risks being connected
• Risks are shown as rectangles, with box color dependent upon risk level (red, yellow, green)
• Risk Causes are shown as tan rectangles with a Rectangle Halo Symbol
• Risk Portfolios are shown in Blue with a Round Halo Symbol
• Filters can be set up to display only red, or green, or yellow risks
Slide 14: World Economic Forum Report
• In the 2011 edition of the World Economic Forum's Global Risks report (Global Risks 2011, Sixth Edition, http://riskreport.weforum.org/), Risk Interconnection Maps (RIMs) were used to visualize risks, using colors and links to define risk portfolios and interdependencies
• The WEF web site allows interactive viewing of the RIM via a proprietary Data Explorer.
Slide 15: Conclusions
• Risk information in the Enterprise Risk Register must be presented in a manner that visually reinforces risk treatment at the portfolio level rather than for individual risks.
• This visualization can be used to facilitate collaborative risk model construction and analysis, and to develop insights into the relationships of risks and how they aggregate.
• Organizing risks into “portfolios” appears to be useful for grouping and then explaining risk priorities, risk mitigation strategies, and resource assignments.
• A traditional Risk Register needs to be extended to contain information about interactions, hierarchies, or linkages between risks to support Enterprise risk management.
• Risk analysis only provides the basis for decision making – a common governance model across the Enterprise is required to effectively treat risks to the benefit of all stakeholders involved.