OMB keeps risk on the radar

If terrorist strikes and high-profile corporate collapses were not enough to emphasize the importance of risk management, program managers now face increased pressure from the Bush administration to identify and reduce risks associated with large information technology purchases.

The Office of Management and Budget requires capital asset plans, more commonly referred to as Exhibit 300s, for all major IT acquisitions. "This is really how OMB is trying to implement risk management," said Tom O'Rourke, a senior consultant at Total Quality Organization. "What they are trying to do is not spend a lot of money that is high risk."

The second section of the required Exhibit 300 highlights OMB's interest in having agency program managers take risk seriously. The document asks for a full list of risk areas associated with each major IT buy. Agencies must "describe risk assessment in terms of efforts to eliminate and manage identified risks," O'Rourke said. Risk categories include schedule, cost and technology issues.

"The big thing is that OMB is really trying to get clarity on requirements before an agency begins a project," O'Rourke said. "OMB is asking things like, 'What are the assumptions being made of this project?'"

As a risk management tool, Exhibit 300 takes a classic approach, he said. Specifically, the document asks agencies to identify information that will allow OMB officials to gauge a project's success at staying on budget and meeting deadlines, measures that are useful but go only so far, he added.

"The easiest two things to measure are cost and schedule. Forget performance," he said. "A project can be delivered on time and can be a piece of trash, or can be dead-on in terms of cost but can be a piece of trash. The hardest thing to measure is performance."

Although it is more difficult to assess, OMB officials are aiming to check risks that may hamper performance by determining the degree to which IT efforts adhere to the President's Management Agenda. OMB officials may require other research, interviews or more documentation in addition to Exhibit 300s.

According to some experts, however, OMB may have ventured into risk avoidance rather than risk management by relying so heavily on the 300s.

"OMB is pushing hard to make sure that agencies in their 300 reports identify and eliminate risks in their budgets," said Glenn Dunnington, senior program manager at Robbins-Gioia LLC. "The problem is that it is really important to balance risk and return. The complete aversion to risk and the exclusion of any projects that pose a risk is, quite frankly, a mistake."

To strike that balance, agencies will need to work closely with OMB officials and communicate what they believe they should be measuring. "Are we working with OMB? Heck yes," said Tony Maturo, who heads NASA's Academy of Program Project Leadership. "But you always have to be careful that you are measuring the right things and developing the correct metrics to achieve your strategic goals."

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group