4.4.1 Risk Management Organizational
A major choice for each PM is whether to have a centralized or decentralized risk management organization. The PM may choose a centralized organizational structure until team members become familiar with both the program and the risk management process. In a centralized approach, the PM establishes a team that is responsible for all aspects of risk management. The team would write a plan, conduct assessments, evaluate risk-handling options, and monitor progress. Although this approach may be necessary early in a program, it tends to minimize the concept that risk management is a responsibility shared by all members of the acquisition team, whether Government or contractor.
The PM may also choose to decentralize. The degree of
decentralization depends on the assignment of responsibilities. Some level of
centralization is almost always essential for prioritizing risk across the
program. A program level integrating IPT (see Figure 4-1) or a Risk Management
Board (RMB) may be appropriate for this integrating function.
The decentralized risk management organization is the most widely used approach, which is compatible with the DoD's IPPD policy and generally results in an efficient use of personnel resources. In this approach, risk management is delegated to Program IPTs.
The following guidelines apply to all risk management
- The PM is ultimately responsible for planning, allocating resources, and
executing risk management. This requires the PM to oversee and participate
in the risk management process.
- The PM must make optimal use of available resources, i.e., personnel,
organizations, and funds. Personnel and organizational resources include the
PMO, functional support offices of the host command, the prime contractor,
independent risk assessors, and support contractors.
- Risk management is a team function. This stems from the pervasive nature
of risk and the impact that risk-handling plans may have on other program
plans and actions. In the aggregate, risk planning, risk assessment, risk
handling, and risk monitoring affect all program activities and
organizations. Any attempt to implement an aggressive forward-looking risk
management program without the involvement of all PMO subordinate
organizations could result in confusion, misdirection, and wasted resources.
The only way to avoid this is through teamwork among the PMO organizations
and the prime contractor. The management organizational structure can
promote teamwork by requiring strong connectivity between that structure,
the various PMO organizations, and the prime contractor. The teams may use
independent assessments to assist them, when required.
Figure 4-1 portrays a decentralized risk management organization. This example includes the entire PMO and selected non-PMO organizations, e.g., the prime contractor, who are members of the IPTs. The figure shows that risk management is an integral part of program management and not an additional or separate function to perform. Hence, separate personnel are not designated to manage risk, but rather all individuals are required to consider risk management as a routine part of their jobs. In the figure, the risk coordinator reports to the PM, but works in coordination with the Program IPT, functional offices, and the Program Level IPT. As shown, this organizational structure is suited to ACAT I programs, but PMs can tailor it to satisfy their specific requirements. The details are dependant upon the contract, type, statement of work, and other variable.
The organizational structure shows that the PM is ultimately responsible for risk management. There is a coordinator to assist with this responsibility and act as an "operations" officer. This may be a full-time position or an additional duty as the PM deems appropriate. The coordinator should have specific training and experience in risk management to increase the chance of successful implementation and to avoid common problems. A support contractor may assist the coordinator by performing administrative tasks associated with that office.
The Program Level IPT, composed of individuals from the PMO and prime contractor, ensures that the PM's risk management program is implemented and program results are synthesized into a form suitable for decision making by the PM and OIPT.
The inclusion of both Sub-Tier IPTs and PMO functional offices simply reflects that not all program management functions will be assigned to Sub-Tier IPTs for execution.
Independent risk assessors are typically hired when
the PM has specific cost, schedule, performance concerns with a hardware or
software product or engineering process and wants an independent assessment
from an expert in a particular field. The duration of their services is
normally short, and tailored to each program.