IMS NextGen EA ERM RiskMosiac© – Connecting the Dots Across the Enterprise

Ken Kepchar, ESEP, CISSP
EagleView Associates LLC
eagleview2@cox.net
703-346-7706 (Cell)

Paul Abramson
PDA Associates
Pda-associates@comcast.net
508-358-7654 (O)
508-341-6450 (Cell)

NextGen Enterprise Risk Management V3.51

Why an Adjustment in Our Thinking?

Traditional System-Centric Risk Management Practices compared with Enterprise (System-of-Systems) Risk Management Practices:

• Traditional: Resources are typically within organization responsible for System delivery.
  Enterprise: Resources typically are across organizations responsible for component System(s).
• Traditional: There is a shared set of objectives across the program to baseline uncertainty against.
  Enterprise: Stakeholders probably have competing objectives or goals.
• Traditional: Organization usually hierarchical with well defined risk & governance processes.
  Enterprise: Participants usually act independently without common risk or governance processes or approaches.
• Traditional: Singular Risk Plan with risk treatment focused on single risks.
  Enterprise: Multiple Risk Plans - Risk treatment focus must shift to “portfolios” for measures to be shared and mutually effective.
• Traditional: Risk efforts bounded by System boundaries or program scope.
  Enterprise: Risk efforts need to address interdependencies across the component Systems or organizations.
• Traditional: Root cause factors defined as performance (technical), schedule, or cost.
  Enterprise: Root cause factors need to reflect the added complexity introduced by Enterprise relationships.

Multi-tiered Strategic Risk Management Approach

• Enterprise Risk Management Strategy
• Enterprise Architecture
• ERM Plan
• Transformational & Enabling Programs

STRATEGIC RISK FOCUS
LEVEL 1: Enterprise (NextGen)
LEVEL 2: Mission / Business Process (NSIP - Segment)
LEVEL 3: Implementation System (Solution)
TACTICAL RISK FOCUS

• Traceability and transparency of risk-based decisions
• Organization-wide risk awareness

Definition of Enterprise Risk

A risk is considered an enterprise risk if it directly impacts the objectives of the System-of-Systems by affecting more than one system (program), domain, or stakeholder or cannot be completely addressed by a single organization. For example:

• It degrades stakeholder benefit stream or business case
• It impairs ATC capability delivery – either performance, schedule, and/or cost
• It affects cross-cutting factors at the NextGen level (environmental, safety, information security, economic, international)
• It stems from level of readiness – either from a technology or integration perspective.

Consequently, the purpose of Enterprise Risk Management is to protect and enhance the value of the Enterprise portfolio by addressing risks that cut across more than one organization.

Integration Framework

• Ensuring the complete NextGen trade space is considered
• Identifying and understanding the relationships and interdependencies across operational domains, factoring in enablers and cross-cutting factors to provide a common NextGen operational picture
• Helping characterize the issues from a global perspective and formulate mitigation strategies to reduce integration barriers
• Providing more accurate and comprehensive guidance for both policy-makers and researchers about the feasibility and desirability of initiatives

Enterprise Risk Management Framework Spans the Full Life Cycle

[Figure: Level of Uncertainty plotted against Time (Stage in Life Cycle). Labels: Increasing Uncertainty (Life Cycle Phase Dependent); SoS Capability; (Programmatic); (External); Operations; Implementation; Acceptance. Milestones: Initial Investment Decision; Final Investment Decision; Initial Operating Capability. Investment Activities: Basic Research; Applied Research/System Development; Prototyping, Demos and other Risk Reduction Activities; Acquisition and Implementation Activities. Increasing Degree of Maturity.]

Enterprise Risk Management Framework

Risk: A future situation or circumstance which creates uncertainties about achieving Enterprise objectives.

Opportunity: A future situation or circumstance with a realistic (neither zero nor 100 percent) likelihood/probability of occurring and which may create a favorable outcome toward advancing Enterprise objectives.

[Figure: Enterprise Risk Management Plan cycle, with inputs from Program Execution Planning and Operational Experience. Elements shown:]

• Identify Risk/Opportunity: What Can Go Wrong? Or What Can Improve an Outcome?
• Monitor and Track Results (Mgmt Visibility): How Are Things Going?
• Analyze Risk/Opportunity: How Big Is the Risk or Opportunity?
• Select Approach: How Can You Reduce the Risk and/or Maximize the Outcome?
• Risk Board Decision
• Implement Decision: Are all the necessary elements in place for execution?

Three Pillars - Tailoring Enterprise Risk Categories to NextGen

[Figure: Traditional System-centric categories mapped to NextGen causes. Labels: Causes; Program Health (Solution Development); Business Factors (NextGen Operation); Programmatic Implementation; NextGen Capabilities; (External) Acceptance; Schedule & Progress; NextGen Performance; Environment; Resources & Cost; Enablers; Harmonization; System Performance; Organization; Technology Integration; Operational Considerations; Social/Economic Equity; Stakeholder & User Satisfaction. Note: Choice driven by (singular) Root Cause.]

Organizing the Enterprise Risk Register by Root Cause

• Risk register analyzed to determine root cause affinities - for each risk, a “root cause” is identified (per the 17 root cause factors in the NextGen ERM Breakdown Structure)
• After analysis of the Risk Register, risks are assigned to groups, or portfolios, for further analysis

Legend:

• The number of risks in each category is shown in ( )
• The colored numbers are the ranking of the cause by number of risks listed in that portfolio

Enterprise Risk Board (ERB)

• The NextGen Enterprise Risk Board guides enterprise risk management efforts
• Membership reflects the Enterprise community at large – representation from each contributing stakeholder
• For each risk portfolio, the Board selects:
  – Priority
  – Mitigation strategy
  – Organization of primary mitigation responsibility (OPR)
• Shared Governance process ensures a common, complete understanding before implementing mitigations and coordinating with stakeholders

ERB does NOT dictate specific actions or approaches – Individual OPR practices, policies, and procedures will govern

Helping the ERB prioritize

• Individual risks are left to individual stakeholders/domains
• Enterprise interactions are addressed by ERB
• Risk register needs to support analysis at the interdependency level

[Figure: Risk Portfolio and Risk Cause Tables]

Helping the ERB prioritize – NextGen Example

Drilling Down into Graphics Output

• Risk Portfolio shown in Blue with Round Halo Symbol
• Risks shown as rectangles with color of box dependent upon risk level (red, yellow, green)
• Clicks on a connection will highlight the connection and reveal source data in table
• Clicks on a box will display data behind a particular item
• Line color also indicates level of risks being connected to
• Filters can be set up to display only red, or green, or yellow risks
• Risk Causes shown as tan rectangles with Rectangle Halo Symbol

World Economic Forum Report

• In its 2011 edition of the World Economic Forum (Global Risks 2011 Sixth Edition (http://riskreport.weforum.org/)), Risk Interconnection Maps (RIMs) were used to visualize risks, using colors and links to define risk portfolios and interdependencies
• The WEF web site allows interactive viewing of the RIM via a proprietary Data Explorer.

Conclusions

• Risk information in the Enterprise Risk Register must be presented in a manner that visually reinforces risk treatment at the portfolio level rather than for individual risks.
• This visualization can be used to facilitate collaborative risk model construction and analysis, and to develop insights into relationships of risks and how they aggregate.
• Organizing risks into “portfolios” appears to be useful for grouping and then explaining risk priorities, risk mitigation strategies, and resource assignments.
• A traditional Risk Register needs to be extended to contain information about interactions, hierarchies, or linkages between risks to support Enterprise risk management.
• Risk analysis only provides the basis for decision making – a common governance model across the Enterprise is required to effectively treat risks to the benefit of all stakeholders involved.