1 IMS ERM EA NextGen NextGen Enterprise Risk Management V3.51 RiskMosiac © – Connecting the Dots Across the Enterprise Ken Kepchar ESEP, CISSP EagleView Associates LLC [email protected] 703-346-7706 (Cell) Paul Abramson PDA Associates [email protected] 508-358-7654 (O) 508-341-6450 (Cell)
Posted on 05-Jan-2016
Page 1: Title slide

NextGen Enterprise Risk Management V3.51

RiskMosiac © – Connecting the Dots Across the Enterprise

Ken Kepchar ESEP, CISSP, EagleView Associates LLC, [email protected], 703-346-7706 (Cell)

Paul Abramson, PDA Associates, [email protected], 508-358-7654 (O), 508-341-6450 (Cell)

Page 2: Why an Adjustment in Our Thinking?

Traditional System-Centric Risk Management Practices | Enterprise (System-of-Systems) Risk Management Practices
Resources are typically within the organization responsible for System delivery. | Resources are typically spread across the organizations responsible for the component System(s).
There is a shared set of objectives across the program to baseline uncertainty against. | Stakeholders probably have competing objectives or goals.
Organization is usually hierarchical with well-defined risk & governance processes. | Participants usually act independently without common risk or governance processes or approaches.
Singular Risk Plan with risk treatment focused on single risks. | Multiple Risk Plans – risk treatment focus must shift to “portfolios” for measures to be shared and mutually effective.
Risk efforts are bounded by System boundaries or program scope. | Risk efforts need to address interdependencies across the component Systems or organizations.
Root cause factors are defined as performance (technical), schedule, or cost. | Root cause factors need to reflect the added complexity introduced by Enterprise relationships.

Page 3: Multi-tiered Strategic Risk Management Approach

[Figure: three tiers, ordered from strategic to tactical risk focus]
LEVEL 1 – Enterprise (NextGen)
LEVEL 2 – Mission / Business Process (NSIP – Segment)
LEVEL 3 – Implementation System (Solution)
Figure annotations: Strategic Risk Focus; Tactical Risk Focus; Enterprise Risk Management Strategy; Enterprise Architecture; ERM Plan; Transformational & Enabling Programs.

• Traceability and transparency of risk-based decisions
• Organization-wide risk awareness

Page 4: Definition of Enterprise Risk

A risk is considered an enterprise risk if it directly impacts the objectives of the System-of-Systems by affecting more than one system (program), domain, or stakeholder, or cannot be completely addressed by a single organization.

For example:

• It degrades the stakeholder benefit stream or business case
• It impairs ATC capability delivery – either performance, schedule, and/or cost
• It affects cross-cutting factors at the NextGen level (environmental, safety, information security, economic, international)
• It stems from level of readiness – either from a technology or integration perspective

Consequently, the purpose of Enterprise Risk Management is to protect and enhance the value of the Enterprise portfolio by addressing risks that cut across more than one organization.

Page 5: Integration Framework

• Ensuring the complete NextGen trade space is considered
• Identifying and understanding the relationships and interdependencies across operational domains, factoring in enablers and cross-cutting factors to provide a common NextGen operational picture
• Helping characterize the issues from a global perspective and formulate mitigation strategies to reduce integration barriers
• Providing more accurate and comprehensive guidance for both policy-makers and researchers about the feasibility and desirability of initiatives

Page 6: Enterprise Risk Management Framework Spans the Full Life Cycle

[Figure: life-cycle chart. Horizontal axis: Time / Stage in Life Cycle (Increasing Degree of Maturity). Vertical axis: Level of Uncertainty (Life Cycle Phase Dependent), Increasing Uncertainty.]
Milestones along the time axis: Initial Investment Decision; Final Investment Decision; Initial Operating Capability.
Phases: Basic Research; Applied Research / System Development; Prototyping, Demos and other Risk Reduction Activities; Acquisition and Implementation Activities; SoS Capability Operations.
Other figure labels: Investment Activities; (External) Acceptance; (Programmatic) Implementation.

Page 7: Enterprise Risk Management Framework

Risk: A future situation or circumstance which creates uncertainties about achieving Enterprise objectives.

Opportunity: A future situation or circumstance with a realistic (neither zero nor 100 percent) likelihood/probability of occurring and which may create a favorable outcome toward advancing Enterprise objectives.

[Figure: the framework process, each step paired with the question it answers]
Identify Risk/Opportunity – What can go wrong? Or what can improve an outcome?
Analyze Risk/Opportunity – How big is the risk or opportunity?
Select Approach – How can you reduce the risk and/or maximize the outcome?
Implement Decision – Are all the necessary elements in place for execution?
Monitor and Track Results (Mgmt Visibility) – How are things going?
The figure also shows a Risk Board Decision box, and the inputs feeding the process: Enterprise Risk Management Plan; Program Execution Planning; Operational Experience.

Page 8: Three Pillars – Tailoring Enterprise Risk Categories to NextGen

[Figure: three pillars of enterprise risk categories]
Pillar headings: NextGen Performance; Program Health (Solution Development); Business Factors (NextGen Operation).
Risk categories shown in the figure: NextGen Capabilities; Integration; Technology; Enablers; Operational Considerations; Programmatic Implementation; Resources & Cost; Schedule & Progress; System Performance; Organization; (External) Acceptance; Harmonization; Environment; Social/Economic; Equity; Stakeholder & User Satisfaction.
Annotation: Traditional System-centric Causes – choice driven by a (singular) Root Cause.

Page 9: Organizing the Enterprise Risk Register by Root Cause

• Risk register analyzed to determine root cause affinities
  - For each risk, a “root cause” is identified per the 17 root cause factors in the NextGen ERM Breakdown Structure
• After analysis of the Risk Register, risks are assigned to groups, or portfolios, for further analysis

Legend:
• The number of risks in each category is shown in ( )
• The colored numbers are the ranking of the cause by number of risks listed in that portfolio

Page 10: Enterprise Risk Board (ERB)

The NextGen Enterprise Risk Board guides enterprise risk management efforts.

Membership reflects the Enterprise community at large – representation from each contributing stakeholder.

For each risk portfolio, the Board selects:
• Priority
• Mitigation strategy
• Organization of primary mitigation responsibility (OPR)

A shared governance process ensures a common, complete understanding before implementing mitigations and coordinating with stakeholders.

ERB does NOT dictate specific actions or approaches – individual OPR practices, policies, and procedures will govern.

Page 11: Risk Portfolio and Risk Cause Tables

Risk Portfolio | Count
Performance | 73
Schedule | 33
Cost | 4
Safety | 1

Cause Counts (Yellow = Heavy hitters)
Cause | Count | Notes
Certification | 1 |
Demand | 1 |
Equipage | 5 |
Funding | 4 |
Human factors | 2 |
Management | 20 | 2 from Top 10 Risks
Regulation | 1 |
Spectrum | 7 |
Staffing and Training | 6 | 2 from Top 10 Risks
Stakeholder | 11 |
Standards | 6 |
System Engineering | 30 | 3 from Top 10 Risks
System Supply | 1 |
Technical | 12 |
Information Security | | 1 from Top 10 Risks
Procedures | | 1 from Top 10 Risks
Risk Management | | 1 from Top 10 Risks

Helping the ERB prioritize
• Individual risks are left to individual stakeholders/domains
• Enterprise interactions are addressed by the ERB
• The risk register needs to support analysis at the interdependency level

Page 12: Helping the ERB prioritize – NextGen Example

[Figure: NextGen example of the risk register graphic; no text content recovered]

Page 13: Drilling Down into Graphics Output

• Clicking on a connection will highlight the connection and reveal the source data in a table
• Clicking on a box will display the data behind a particular item
• Line color also indicates the level of the risks being connected to
• Risks are shown as rectangles, with the box color dependent upon risk level (red, yellow, green)
• Risk Causes are shown as tan rectangles with a Rectangle Halo Symbol
• Risk Portfolios are shown in blue with a Round Halo Symbol
• Filters can be set up to display only red, or green, or yellow risks
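The register organisation on pages 9 and 11 and the graph semantics on page 13 are easy to see in code. The following is an added example written for this transcript, not code from the deck or from the RiskMosiac tool: it models a register row with the 17 root-cause factors and four portfolios named on the slides, applies the page-4 enterprise-risk test, derives the portfolio and cause counts and the cause ranking, and produces the colour-tagged risk-to-cause and risk-to-portfolio links a page-13 style graph would draw. The risks, program names and field layout are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# The 17 root-cause factors and the four portfolios named on the slides.
ROOT_CAUSES = frozenset({
    "Certification", "Demand", "Equipage", "Funding", "Human factors",
    "Management", "Regulation", "Spectrum", "Staffing and Training",
    "Stakeholder", "Standards", "System Engineering", "System Supply",
    "Technical", "Information Security", "Procedures", "Risk Management",
})
PORTFOLIOS = frozenset({"Performance", "Schedule", "Cost", "Safety"})
LEVELS = ("red", "yellow", "green")  # box / line colours in the graph


@dataclass(frozen=True)
class Risk:
    rid: str
    title: str
    cause: str          # one of ROOT_CAUSES
    portfolio: str      # one of PORTFOLIOS
    level: str          # one of LEVELS
    systems: frozenset  # programs / domains the risk touches (assumed field)
    single_org: bool    # True if one organisation can fully address it (assumed field)

    def __post_init__(self):
        # Refuse rows outside the agreed vocabulary so groupings stay
        # consistent across stakeholders feeding the shared register.
        if self.cause not in ROOT_CAUSES:
            raise ValueError(f"{self.rid}: unknown root cause {self.cause!r}")
        if self.portfolio not in PORTFOLIOS:
            raise ValueError(f"{self.rid}: unknown portfolio {self.portfolio!r}")
        if self.level not in LEVELS:
            raise ValueError(f"{self.rid}: unknown level {self.level!r}")


def is_enterprise_risk(risk: Risk) -> bool:
    """Page-4 test: more than one system/domain is affected, or a single
    organisation cannot completely address the risk."""
    return len(risk.systems) > 1 or not risk.single_org


def portfolio_counts(register) -> Counter:
    """'Risk Portfolio Count' table: number of risks per portfolio."""
    return Counter(r.portfolio for r in register)


def cause_counts(register) -> Counter:
    """'Cause Counts' table: number of risks per root cause."""
    return Counter(r.cause for r in register)


def rank_causes(register):
    """Causes ordered by number of risks (the coloured ranking numbers);
    ties broken alphabetically so ranks are stable between runs."""
    return sorted(cause_counts(register).items(), key=lambda kv: (-kv[1], kv[0]))


def cause_ranking(register) -> dict:
    """Map each cause to its 1-based rank."""
    return {cause: i + 1 for i, (cause, _) in enumerate(rank_causes(register))}


def filter_by_level(register, level: str):
    """Graph filter: display only red, yellow or green risks."""
    return [r for r in register if r.level == level]


def connections(register):
    """Edges a RiskMosiac-style graph would draw (risk -> cause and
    risk -> portfolio), each tagged with the risk's colour for the line."""
    return [(r.rid, node, r.level) for r in register for node in (r.cause, r.portfolio)]


def risks_behind_connection(register, cause: str, portfolio: str):
    """Source data revealed when a cause-to-portfolio connection is clicked."""
    return [r.rid for r in register if r.cause == cause and r.portfolio == portfolio]


# Constructed sample register: hypothetical risks, placeholder program names.
R = Risk
REGISTER = [
    R("R1", "Data-link spectrum not allocated in time", "Spectrum", "Schedule", "red", frozenset({"Program A", "Program B"}), False),
    R("R2", "Aircraft equipage lags capability roll-out", "Equipage", "Performance", "yellow", frozenset({"Program A", "Operators"}), False),
    R("R3", "Integrator staffing shortfall", "Staffing and Training", "Schedule", "yellow", frozenset({"Program B"}), True),
    R("R4", "Interface standard still unsettled", "Standards", "Performance", "red", frozenset({"Program B", "Program C", "Domain X"}), False),
    R("R5", "Cross-program test funding unconfirmed", "Funding", "Cost", "green", frozenset({"Program C", "Domain X"}), False),
    R("R6", "Network segmentation gaps between domains", "Information Security", "Performance", "red", frozenset({"Domain X"}), False),
    R("R7", "Differing change-control procedures", "Procedures", "Schedule", "yellow", frozenset({"Program B", "Program C"}), False),
    R("R8", "Integration engineering plan incomplete", "System Engineering", "Performance", "red", frozenset({"Program A", "Program B", "Domain X"}), False),
    R("R9", "Requirements allocation ambiguity", "System Engineering", "Performance", "yellow", frozenset({"Program C"}), True),
]

if __name__ == "__main__":
    print("Portfolio counts:", dict(portfolio_counts(REGISTER)))
    print("Cause ranking:", rank_causes(REGISTER))
    print("Enterprise risks:", [r.rid for r in REGISTER if is_enterprise_risk(r)])
    print("Behind SE -> Performance:", risks_behind_connection(REGISTER, "System Engineering", "Performance"))
```

The vocabulary check in `__post_init__` is the part worth keeping in a real register: portfolio-level treatment only works when every contributing organisation records root causes against the same breakdown structure, and rejecting free-text causes at entry is cheaper than reconciling them at the Risk Board.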

Page 14: World Economic Forum Report

• In the 2011 edition of the World Economic Forum's Global Risks report (Global Risks 2011, Sixth Edition, http://riskreport.weforum.org/), Risk Interconnection Maps (RIMs) were used to visualize risks, using colors and links to define risk portfolios and interdependencies
• The WEF web site allows interactive viewing of the RIM via a proprietary Data Explorer

Page 15: Conclusions

• Risk information in the Enterprise Risk Register must be presented in a manner that visually reinforces risk treatment at the portfolio level rather than for individual risks.
• This visualization can be used to facilitate collaborative risk model construction and analysis, and to develop insights into the relationships between risks and how they aggregate.
• Organizing risks into “portfolios” appears to be useful for grouping and then explaining risk priorities, risk mitigation strategies, and resource assignments.
• A traditional Risk Register needs to be extended to contain information about interactions, hierarchies, or linkages between risks to support Enterprise risk management.
• Risk analysis only provides the basis for decision making – a common governance model across the Enterprise is required to effectively treat risks to the benefit of all stakeholders involved.