Index









 


Risk Management Rollout and Installation at the NRO






 



Acquisition reform provides government program managers and their contractors 
more opportunities than ever before, but it also greatly increases risk. It is no surprise that 
Department of Defense (DoD) organizations face reduced resources, deplenishment of critical 
skills, increased congressional and public scrutiny, and a demand for streamlined operations 
and quality program results. The need for risk management is becoming apparent. But how? When 
program managers are under pressure to meet accelerated schedules and within budget, can risk 
management be integrated into already-burdened programs? This article shows how the National 
Reconnaissance Office (NRO), an organization with a dual DoD and security mission, introduced 
a disciplined risk management process that has provided significant cost-benefits.




    
DoD organizations increasingly operate as partnerships: government program managers 
and contractors are responsible for producing sophisticated and complex systems through 
integration of capabilities to deliver program results. The pressures that affect the DoD 
community also impact the NRO. This organization experiences the additional challenges of 
meeting mission requirements that integrate DoD and security missions. The organization faces 
a combination of new technologies, system complexity, tight schedules, and often-unstable 
requirements. With increased congressional oversight and public awareness, the NRO is 
experiencing pressure to deliver more complex and accelerated security programs than ever 
before.


    
In December 1995, the Undersecretary of Defense, Acquisition and Technology 
issued a memorandum, Reducing Life Cycle Costs for New and Fielded Systems. It 
acknowledged that "There are risks to be taken and risks to be avoided. When risks are taken, 
we will put in place appropriate risk management and contingency plans" [1]. The most recent 
guidance, released in May 1999, Risk Management Guide for DoD Acquisition, strengthens 
this policy. Risk management is defined as "an integral component of policy and strategy 
to develop and field systems responsive to user needs" [2].


    
NRO leadership has also directed that risk management is a critical element for 
program success. In fact, NRO Directive 7 of policy document NRO Acquisition Management 
emphasizes:


    
"Effective acquisition planning and aggressive risk management by both government 
and industry are essential for success. Program decisions and resource commitments must be based 
on consideration of executable options and plans for, and progress in, controlling risk" [3].



    
The Catch-22 in today's context is that, while risk management is more 
necessary than ever, finding time and resources to install a sound program creates a need to 
prove real and lasting value. As many who have tried to install risk management in their 
programs know, expanded awareness of its importance, and guidance on desired results, do not 
necessarily translate into effective, interactive processes that provide desired results.


    
For the past two years, the imagery intelligence (IMINT) organization at NRO, in 
partnership with the Software Engineering Institute (SEI), created and installed a risk 
management process that became an integrated aspect of program operations. The full story of 
this risk management initiative is available in Rollout and Installation of Risk Management 
at the IMINT Directorate, National Reconnaissance Office, a December 1999 technical report 
published by SEI [4]. Three critical success factors in this program installation were:


    

  1.  Visible and committed sponsorship.



  2.  Culture change that supported open communication for the 
surfacing and mitigation of risks.



  3.  A disciplined, forward-looking, continuous risk management, 
infrastructure, and rational, well-thought-out installation process.



    
These three critical success factors are interlocking and mutually reinforcing. 
Each of these was present and engaged at NRO, as described below.



Committed, Visible Sponsorship


    
"Leaders do not have a choice about whether to communicate," says Edgar Schein, 
professor at the MIT Sloan School of Management. "Leaders send messages whether they wish to or 
not. People in organizations are constantly looking to their leaders for cues about what is 
acceptable behavior. And it is not merely public statements that people hear and believe; it 
is the entire range of messages sent through behaviors and their consequences, organizational 
mechanisms, and events that have impact" [5].


    
The original pilot Risk Management program was undertaken by the Command and Control 
Division (CCD) at IMINT. This was the first NRO program to engage in a full-scale risk management 
program [6].


    
This pilot project was not without its challenges. The initial reaction by CCD 
participants was a measure of skepticism coupled with clear expression of their expectations.



    
"We were not interested in just learning a new vocabulary," said one area manager, 
"if risk management did not help us get our jobs done every day, then we were not interested. 
Risk management needs to show value by providing cost-efficiences, better scheduling, and 
technological capability."


    
The CCD division chief, and his area manager that he charged with risk management, 
decided that their best opportunity to achieve results with risk management would require a 
unified, coherent, disciplined process that involved all division staff. Accordingly, the 
division held a risk clinic to create its focused process. Once the decision was made to build 
a risk management infrastructure and process, the CCD division chief decided it was important 
that he be present at all critical meetings. The division chief integrated risk management into 
technical assessments, program reviews, and the monthly joint government/contractor meetings to 
manage joint risks, the Team Risk Reviews (TRRs).


    
As a result, the government program managers and contractor managers created a 
dialogue that, over time, opened communication to a level of candor that provided technical, 
schedule, and cost mitigations. An example of an early success resulted from identifying a risk 
in the methodology by which the program planned to manage its Operations and Maintenance 
(O&M) process. Up to this point the O&M activities and the development activities were 
separated into different organizational elements under different contracts.


    
Due in part to this segregation, the processes were inherently expensive and made 
it easy for deplenishments in functionality to occur. The risk mitigation strategy was 
development of the Integrated Development and Maintenance Organization (IDMO). The IDMO 
absorbed the maintenance functions traditionally managed by the operational site and integrated 
them into the development organization. The goal was to gain synergy through a single reduced 
staff that would manage a consolidated maintenance and development effort.


    
The sponsorship factor is undeniable: both government and contractor managers 
exhibited clear support for necessary changes to achieve constructive outcomes.


    
Once the pilot program had proved the value and efficacy of risk management to the 
satisfaction of this division and to Al Krum, the system program director, he decided to install 
risk management at the system level. 


    
Recognizing the importance of focus on the entire program, he confirmed that, for 
risk management to be successful, "Management commitment is invaluable. Managers cannot assign 
risk management leadership to individual contributors; risk management will not be taken 
seriously without appropriate and visible leadership" [4].


    
As evidence of his commitment to risk management throughout his system, Krum 
launched the Executive System-level Risk Management Team (ESRT), that included all division 
chiefs, to lead the way for risk management by other divisions across the system. Next, he 
directed that each division would undergo training in risk management processes and procedures, 
to develop a common language and set of tools to use within divisions and across the system.



    
In addition to authorizing a rollout and installation process across the 
organization, Krum "walked his talk." During development of the risk management process, 
division chiefs continued to question the durability of sponsorship for risk management. 
Although Krum had clearly stated his sponsorship for risk management, there were mixed views 
regarding management's seriousness about the initiative. To reinforce his commitment, he used 
various forums to present his vision for the risk management effort and his expectations for 
coherent, consistent communications up the chain to management. The result was strengthened 
support of risk management by most division chiefs, as well as evolving practices within the 
divisions.


    
To further clarify the seriousness of risk management at the system level, the 
program manager led the division chiefs to define the level of risks appropriate for 
system-level discussion. Accordingly, the ESRT defined its criteria for system-level risks 
as follows:  

    
 
  •  Impact on program commitments.
 
  •  Risks deemed as priority 
due to being on the program's critical path or on any division's critical 
path. 
 
  •  Exceeded planned schedule slack, and those that resulted in a 
negative margin (seriously eroded management reserve). 
 
  •  Cost impact exceeds 
planned budget.
 
  • Impact on program interfaces, internal or external to 
the program.


    
System risk management allowed the program, for the first time, to analyze and work 
together on interdependencies at the system level. Through the division risk management processes 
and the ESRT, a consistent system process was installed. As divisions installed their own 
process, they were increasingly able to communicate mission-critical risk management concerns 
to their contractors.



Culture Change to Support Open Communication, Risk Mitigation


    
The 1999 DoD Risk Management Guide emphasizes a risk management approach 
that is disciplined, forward looking, and continuous [2]. "Our goal," program director Krum 
said in describing IMINT's aim of risk management, "was to build a system in which people would 
think ahead, mitigate risks, and reduce the likelihood of system delays, depletion of management 
reserve, and system failures.


    
"To accomplish this, we knew that risk management would require a culture change to 
one where people would openly discuss those very areas that are most likely to be uncomfortable. 
We wanted to build program success on a platform where leaders and contributors put their 
cards on the table" [4].


    
NRO had undergone a number of studies that analyzed specific cultural barriers to 
effective program functioning. In particular, a study by Malcolm Baldridge in 1996 pointed to a 
need for NRO to move from a culture of risk avoidance to the kind of open communications that 
elicit widespread knowledge and information sharing [7]. Risk management, in particular, requires 
early and open exchange of key information to allow for timely mitigation. Several studies have 
shown that, in the great majority of program failures, one or more key technical project staff 
knew in advance there was a serious risk of failure. 


    
The forums established at IMINT provided for this kind of discussion. Krum said, 
"Risk management forums at both system and divisional levels are not so much a place where you 
'don't shoot the messenger' as one where 'there is no messenger to shoot because there is not a 
crisis yet.'" [4]


    
In the example cited above, the advent of an IDMO organization was not readily 
embraced by the O&M organization. O&M members thought that it took away some of their 
flexibility to utilize level-of-effort resources to address the new approach, and required a 
scheduling discipline that was contrary to the organization's existing business practices. In 
addition, the maintenance budget would be turned over to development. 


    
Open-forum discussions established in the monthly team risk review meetings allowed 
identification of a potential budgetary risk in the newly configured approach. The risk was that 
the original O&M program might not have budgeted sufficient resources to support new 
architecture being delivered. 


    
As details of the risk were developed and discussed openly between government and 
contractor, it turned out that there was a budget shortfall. With this early identification, the 
management team could provide a budget wedge and secure necessary funding to acquire key 
resources and meet availability requirements.


    
To arrive at this level of candor and critical information exchange, leaders set the 
tone. Contributors and others must accept accountability to support the effort. A risk management 
infrastructure is essential to support the kinds of communication necessary for effective risk 
management.


    
Of course, all government organization, including NRO, have grown change-weary. To 
foster acceptance of risk management, a building of trust in the process was necessary, so that 
it would not be seen as the change process du jour. The risk management infrastructure 
supported the growth of trust in the process.



Risk Management Process 
and Infrastructure


    
To leverage a lasting risk management process across a complex system, where the 
pressure of current crises can erode the best intentions, a sturdy yet streamlined infrastructure 
is essential. For new initiatives that create a culture change, building a solid, well-designed 
infrastructure to support the change may initially seem burdensome. However, the infrastructure, 
if well-planned, can become a support for ultimate efficiencies and integration across system 
program management. The infrastructure further supports an alert, continuous process of risk 
management watchful for emerging and changing risks over a program life cycle.


    
A key driver behind the installation process at IMINT was to support division 
leaders who could provide sponsorship, model risk management behaviors, and act as in-house 
mentors for the process over time. Another critical element was to install a smoothly 
functioning operational infrastructure (teams, processes, practices, and information resources) 
to leverage continuous risk management and improvement of the process. 


    
The infrastructure installed at IMINT included the following:


    
 
  •  Conducting software risk evaluations with government and 
contractors for the pilot program to identify initial program risks 
and plan mitigation strategies.


 
  •  Establishing divisional risk management practices, which 
include regular forums where risks are identified, planned, tracked, 
and controlled—in staff meetings, program review sessions, or specified 
risk reviews.


 
  •  In some cases, establishing goverment/ contractor integrated 
product and process team-type TRRs for monthly identification, planning, 
tracking, and control of joint risks.


 
  •  Establishing the system-level risk management team, where 
division chiefs and the program director or his deputy meet monthly to 
discuss and monitor system-level risks.


 
  •  Designing a communications architecture that provides clear 
guidelines to all staff members on roles and mechanisms for communicating and 
working risks.


 
  •  Developing consistent, system-wide risk information documents, 
tracking charts, and a custom-tailored risk management tool initially 
designed by the CCD pilot program, eventually leveraged for system-wide 
use.



    
These streamlined infrastructure elements supported the risk management process at 
IMINT, and in turn are increasingly supported by the expanding risk management community. The 
contributors at IMINT found a return on investment in risk management that ranged from such 
subtle changes as "awareness has increased; we no longer just look at today's problems" to 
major crisis-averting risk management. IMINT still bears fruit.


    
As a final example, a mission-critical risk identified early on during one of the 
original IMINT risk assessments in 1997 was a portfolio of related risks involving scheduling 
and specifics of system-level testing, which were key to successful program delivery. In response 
to this major risk, an integrated set of mitigation strategies were translated into a mitigation 
plan. The mitigation plan received clear guidance from the government sponsor, with collaborative 
input from government and contractor TRR team members. With close monitoring at the monthly TRRs 
and ESRT sessions, and with instantiation of several contingency actions, the program delivery 
was not only on time, but successful in all defined aspects.



Conclusion


    
While risk management program integration is almost never easy, as an IMINT 
contractor said, "It is important to do the hard right thing than the wrong easy thing." By 
applying the three key success factors outlined above—committed sponsorship, a culture moving 
toward more open communication, and a reliable infrastructure to support continuous risk 
management—IMINT achieved successful risk management results in support of mission-critical 
programs into the new century. 




References


    

  1.  Reducing Life Cycle Costs for 
New and Fielded Systems, Undersecretary of 
Defense (Acquisition and Technology) 
Memorandum, December 1995.

  2.  
Risk Management Guide for DoD Acquisition, DoD Test, 
Systems Engineering and Evaluation, Defense 
Acquisition University, and Defense 
Systems Management College, Defense 
Systems Management College Press, Fort Belvoir, Va., May 1999. 


  3.  NRO Acquisition Management 
Directive 7 (NROD 82-2, OPR (P&A), National 
Reconnaissance Office, Aug. 6, 1997. Available on the web at 
http://www.dsmc.dsm.mil/pubs/gdbks/risk_management.html

  4.  Loveland Link, Jo Lee, Rick Barbour, Al 
Krum, and August C. Neitzel, Rollout 
and Installation of Risk Management at the IMINT 
Directorate, National Reconnaissance Office, 
CMU/SEI-99-TR-009, ESC-TR-99-009, SEI Technical 
Report, December 1999.

  5.  
Schein, Edgar H., Organizational 
Culture and Leadership, Jossey-Bass Business and 
Management Series, San Francisco, 1997.


  6.  Neitzel, August C., Jr., Managing Risk 
Management, CrossTalk: July 1999.


  7.  IMINT Malcolm Baldridge National 
Quality Award Assessment Consolidation 
Report, National Reconnaissance Office, 
May 1996.




About the Authors



August Neitzel is Director, EIS Ground Group, responsible for system 
delivery. During the period of risk management rollout and installation, he was division 
chief of IMINT's command and control acquisition effort. In this capacity, he led the pilot 
program for the initial IMINT risk management initiative. In addition, he served as the 
contracting officer's technical representative for the command and control acquisition contract. 
Neitzel joined the CIA in 1975. In 1982, he began working for the NRO. His career there has 
spanned the SIGINT program and virtually all aspects of the IMINT program. Neitzel earned a 
master's degree in electrical engineering from Drexel University after completing a tour of 
duty with the Air Force. He is a member of Eta Kappa Nu and the Institute of Electrical and 
Electronic Engineers. He is certified as a Level III COTR, and received the CIA Intelligence 
Commendation Medal.




    

NRO

4101 Pleasant Valley Road 

Chantilly, Va. 20151

Voice: 703-808-2038
    







Jo Lee Loveland Link is a visiting scientist at SEI, with more than 20 years 
of providing guidance for strategic direction of government, military, and private sector 
organizations. For the past six years, she has worked with technical programs to establish 
strategy and infrastructure for process improvement and risk management initiatives. With 
Richard Barbour, she provided risk management rollout and installation services across this 
IMINT organization. She has participated on Capability and Maturity Model®
-based assessment teams and 
teaches several SEI workshops, including Managing Technological Change, Consulting Skills, 
and customer-tailored Risk Management. A certified Senior Organization Development and Change 
Specialist with post-graduate work in applied behavior science, Loveland Link has a bachelor's 
degree in organization behavior/adult education, and is author of more than 30 publications on 
strategic planning, management, and corporate culture.




    

Software Engineering Institute

4301 Wilson Blvd., Suite 910

Arlington, Va. 22203

Voice: 703-709-9217 or 703-908-8232

Fax:  703-904-8330

E-mail:  jll@sei.cmu.edu
    





Richard E. Barbour is a senior member of the technical staff at CISE. For 
the past year, he has provided software capability evaluations (SCEs) to international software 
companies. In 1998-99, Barbour was instrumental in SCE assessments for the NRO future imagery 
architecture program. Prior to joining CISE, he was in the SEI software engineering process 
management program as the acquisition improvement project leader, serving as lead for the 
SEI-NRO risk management initiative. He had been in the SEI Process Program, developing and 
implementing Capability Maturity Model®
-based appraisals for internal process improvement and software capability 
evaluations. He also spent a year with the SEI Transition Partner, Integrated System Diagnostics 
Inc., developing the SCE v. 3.0 method. Barbour has more than 24 years of experience in managing 
and acquiring software systems, and is a retired Navy Commander from the antisubmarine warfare, 
patrol squadrons (P-3) community. His last assignment was as deputy program manager for the Next 
Generation Computer Resources program with the Space and Naval Warfare Systems Command. He also 
was deputy program manager for the Software Technology for Adaptable, Reliable Systems program. 
He received a bachelor's degree in business management from the University of South Carolina, 
and a master's degree in computer systems management from the Naval Post-Graduate School. 




    

CISE

4516 Henry Street, Suite 205

Pittsburgh, Pa. 15213

Voice: 412-268-4312

Fax:  412-268-6369

Email: reb@cise.cmu.edu
    





Al Krum is Director, Systems Engineering Sector, IMINT, NRO. At the time 
of the Risk Management Rollout and Installation, he was Program Director, Enhanced Imagery 
System (EIS), IMINT.