OMB keeps risk on the radar

If terrorist strikes and high-profile corporate collapses were not enough to emphasize the importance of risk management, program managers now face increased pressure from the Bush administration to identify and reduce risks associated with large information technology purchases.

The Office of Management and Budget requires capital asset plans, more commonly referred to as Exhibit 300s, for all major IT acquisitions. "This is really how OMB is trying to implement risk management," said Tom O'Rourke, a senior consultant at Total Quality Organization. "What they are trying to do is not spend a lot of money that is high risk."

The second section of the required Exhibit 300 highlights OMB's interest in having agency program managers take risk seriously. The document asks for a full list of risk areas associated with each major IT buy. Agencies must "describe risk assessment in terms of efforts to eliminate and manage identified risks," O'Rourke said. Risk categories include schedule, cost and technology issues.

"The big thing is that OMB is really trying to get clarity on requirements before an agency begins a project," O'Rourke said. "OMB is asking things like, 'What are the assumptions being made of this project?'"

As a risk management tool, Exhibit 300 takes a classic approach, he said. Specifically, the document asks agencies to identify information that will allow OMB officials to gauge a project's success at staying on budget and meeting deadlines, measures that are useful but go only so far, he added.

"The easiest two things to measure are cost and schedule. Forget performance," he said. "A project can be delivered on time and can be a piece of trash, or can be dead-on in terms of cost but can be a piece of trash. The hardest thing to measure is performance."

Although it is more difficult to assess, OMB officials are aiming to check risks that may hamper performance by determining the degree to which IT efforts adhere to the President's Management Agenda. OMB officials may require other research, interviews or more documentation in addition to Exhibit 300s.

According to some experts, however, OMB may have ventured into risk avoidance rather than risk management by relying so heavily on the 300s.

"OMB is pushing hard to make sure that agencies in their 300 reports identify and eliminate risks in their budgets," said Glenn Dunnington, senior program manager at Robbins-Gioia LLC. "The problem is that it is really important to balance risk and return. The complete aversion to risk and the exclusion of any projects that pose a risk is, quite frankly, a mistake."

To strike that balance, agencies will need to work closely with OMB officials and communicate what they believe they should be measuring. "Are we working with OMB? Heck yes," said Tony Maturo, who heads NASA's Academy of Program Project Leadership. "But you always have to be careful that you are measuring the right things and developing the correct metrics to achieve your strategic goals."
