DAU RMG 5th: Risk Management Guide for DoD Acquisition
4.4.1 Risk Management Organizational Structure
A major choice for each PM is whether to have a centralized or
decentralized risk management organization. The PM may choose a centralized
organizational structure until team members become familiar with both the
program and the risk management process. In a centralized approach, the PM
establishes a team that is responsible for all aspects of risk management. The
team would write a plan, conduct assessments, evaluate risk-handling options,
and monitor progress. Although this approach may be necessary early in a
program, it tends to minimize the concept that risk management is a
responsibility shared by all members of the acquisition team, whether
Government or contractor.
The PM may also choose to decentralize. The degree of decentralization
depends on the assignment of responsibilities. Some level of centralization is
almost always essential for prioritizing risk across the program. A program
level IPT (see Figure 4-1) or a Risk Management Board (RMB) may be appropriate
for this integrating function.
Figure 4-1. Decentralized Risk Management Organization
The decentralized risk management organization is the most widely used
approach, which is compatible with the DoD’s IPPD policy and generally results
in an efficient use of personnel resources. In this approach, risk management
is delegated to Program IPTs (PIPTs).
The following guidelines apply to all risk management organizations:
- The PM is ultimately responsible for planning, allocating resources, and
executing risk management. This requires the PM to oversee and participate
in the risk management process.
- The PM must make optimal use of available resources, i.e., personnel,
organizations, and funds. Personnel and organizational resources include the
PMO, functional support offices of the host command, the prime contractor,
independent risk assessors, and support contractors.
- Risk management is a team function. This stems from the pervasive nature
of risk and the impact that risk-handling plans may have on other program
plans and actions. In the aggregate, risk planning, risk assessment, risk
handling, and risk monitoring affect all program activities and
organizations. Any attempt to implement an aggressive forward-looking risk
management program without the involvement of all PMO subordinate
organizations could result in confusion, misdirection, and wasted resources.
The only way to avoid this is through teamwork among the PMO organizations
and the prime contractor. The management organizational structure can
promote teamwork by requiring strong connectivity between that structure,
the various PMO organizations, and the prime contractor. The teams may use
independent assessments to assist them, when required.
Figure 4-1 portrays a decentralized risk management organization. This
example includes the entire PMO and selected non-PMO organizations, e.g., the
prime contractor, who are members of the IPTs. The figure shows that risk
management is an integral part of program management and not an additional or
separate function to perform. Hence, separate personnel are not designated to
manage risk, but rather all individuals are required to consider risk
management as a routine part of their jobs. In the figure, the risk
coordinator reports to the PM, but works in coordination with the PIPT,
functional offices, and the Program Level IPT. As shown, this organizational
structure is suited to Acquisition Category (ACAT) I programs, but PMs can
tailor it to satisfy their specific requirements. The details are dependent
upon the contract, type, statement of work, and other
The organizational structure shows that the PM is ultimately responsible
for risk management. There is a coordinator to assist with this responsibility
and act as an “operations” officer. This may be a full-time position or an
additional duty as the PM deems appropriate. The coordinator should have
specific training and experience in risk management to increase the chance of
successful implementation and to avoid common problems. A support contractor
may assist the coordinator by performing administrative tasks associated with
The Program Level IPT, composed of individuals from the PMO and prime
contractor, ensures that the PM’s risk management program is implemented and
program results are synthesized into a form suitable for decision making by
the PM and OIPT.
The inclusion of both Sub-Tier IPTs and PMO functional offices simply
reflects that not all program management functions will be assigned to
Sub-Tier IPTs for execution.
Independent risk assessors are typically hired when the PM has specific
cost, schedule, or performance concerns with a hardware or software product or
engineering process and wants an independent assessment from an expert in a
particular field. The duration of their services is normally short, and
tailored to each program.