A thesis submitted
By
to
Strayer University
in partial fulfillment of
the requirement for the
degree of
Chair
I. Conformity to Standards for Strayer University Graduate Level Directed Research Project.
I, Richard Allen Speight, certify that I have in good faith complied with the
requirements of Strayer University for this Directed Research Project. I also certify that any
work or effort that is not my own has been properly credited to the appropriate source(s). I
hereby submit this Graduate Level Directed Research Project to the faculty of Strayer
University for acceptance.
I have received and examined this Directed Research Project and I believe it meets the
Graduate Level Standards of Strayer University.
This thesis reviews the best procedure for implementing a risk management process in a
uncertain future events that may affect a project’s cost, schedule, or performance. Risk
management is an iterative process that begins with risk planning, followed by risk identification. The
process used by private industry is more process-oriented than that used by DoD project
managers. The purpose of this research is to determine whether the process identified in the Project
Management Body of Knowledge (PMBOK) would suit DoD programs better than the current
Table of Contents
CHAPTER 1 – INTRODUCTION  2
Definitions  7
CHAPTER 3 – METHODOLOGY  13
Overview  13
Method  13
Data source  14
CHAPTER 4 – CONCLUSION  15
Discussion  15
Risk Management 2
CHAPTER 1 – INTRODUCTION
Risk management is critical to the proper management of any project. Without an active
approach to managing risk, projects stand a greater potential for cost overruns, schedule slips,
failure to meet performance requirements, and ultimately complete project failure. When
looking at risk management, it is necessary to understand that risk is the evaluation of uncertain
future events that may affect a project’s cost, schedule, or performance. According to the Project
Management Body of Knowledge, or PMBOK (2004), these three elements of a project are
called the triple constraints because when any one of these elements is changed, it always affects
For example, a project office that procures trucks for the Department of Defense (DoD) has a
budget of $60 million to procure some number of trucks this year to meet an Authorized
Acquisition Objective (AAO), which is a number representing total end strength. If halfway through
the year the project is required to take a $10 million reduction in budget, the schedule is affected
because it will now require more time for the project office to procure the total number of trucks
needed to meet the established AAO. This impact will also affect performance, because the government
will have to adjust the requirements to reduce the per-unit cost of the vehicle to maintain the
quantity purchased, or it will impact the manufacturer’s performance because the assembly line is
no longer producing to capacity and the manufacturer may have to look at ways to reduce or
The DoD has certain objectives that have to be met for each project; they are delineated in the
Acquisition Program Baseline (APB) document for each project. This document takes the
requirements for cost, schedule, and performance from other source documents and puts them all
under one cover for the project manager to work from. The objectives are typically limits and
constraints within which the project manager has to work. For private industry, project managers
work to a slightly different set of rules that are often set by contracts or by management goals.
When a private industry project manager is working to support a contract, the requirements
are often not that different from those of a DoD project manager. The contract for a firm is the equivalent of the
APB, which sets limits, constraints, and requirements that must be met in order to manage the
project effectively. Other private industry managers are driven by revenue and profit goals set for
them by upper management. The risk associated with this type of management is probably even
more difficult to handle, in that what affects revenue and profits is often driven by events outside of the
manager’s control. For this reason it is important to define what risk management is and the
process required to implement a risk management program. Identifying the differences between a
DoD risk management process and one implemented by private industry is key to determining
what is the proper procedure for implementing a risk management process in a government
Risk management is “a fundamental aspect of any business. From a business perspective, risk
is an uncertain event or condition that, if it occurs, has a positive or negative effect on specific
planned or in-process strategic initiatives and their supporting objectives. The consequence of
these changes can have technical, schedule, or cost impacts; often, risk affects all three” (Bolles,
2006).
What is the difference between DoD and private industry risk management? When truly
comparing like methodologies, such as a product-oriented project, the first thing that can be seen
is that private industry is interested in profits: how the firm nets some percentage of margin on
each product. Private industry typically views its risk management from this perspective and
monitors its processes until the product leaves the door of the factory or possibly the shelf of a
store. For the DoD, a project manager is responsible for the equipment from what is called
“cradle to grave.” In other words, the DoD project manager has to monitor the risk to the project
from the design stage, all the way through its life cycle, to when that piece of equipment is no
The second point of comparison would be the scope of a project. For the DoD, as discussed
earlier, a project manager has specific quantities of a given item that are going to be procured
and used. For a private industry project manager, oftentimes the limits for the product are
completely driven by supply and demand, which introduces a different set of risks with which
the DoD does not have to contend. In private industry it is imperative that the project manager
have a reliable economic forecast upon which to determine production rates and quantities of
supply. For a DoD project manager a budget is provided and quantities are placed on contract
accordingly.
Who performs risk management? Risk management is the responsibility of the project
manager. However, in most cases, risk management is a process that involves most of the people
on a project team. Additionally, most projects will have risk management boards that typically
meet quarterly to reevaluate the identified risks and their mitigation plans. The project manager,
in reality, is usually the final approver for risks and mitigation strategies, as the teams will have
identified, vetted, and documented each risk and subsequently developed the mitigation strategy for
that risk.
Risk management is a continuous process that is performed from a project’s inception to its
completion. Figure 1.1: Risk Management Cycle shows the iterative process for
implementing risk management for a DoD program. This figure illustrates the DoD philosophy
Although no specific start point is identified, the obvious first step is to identify a project’s first
risk, and the process will continue until the life cycle of the resultant equipment ends.
A more widely accepted and exacting practice for implementing risk management is shown
in Figure 1.2: Project Risk Management Process Flow Diagram. This figure identifies the
process as shown in the PMBOK, and it is one of the reasons to question what is the best procedure
program.
[Figure 1.2: Project Risk Management Process Flow Diagram. Process boxes shown: Organizational
Process Assets; Scope Definition; Develop Project Management Plan; Risk Identification;
Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Monitoring and Control; Performance
Reporting; Integrated Change Control; Close Project.]
According to the PMBOK (2004), “the objectives of project risk management are to increase
the probability and impact of positive events, and decrease the probability and impact of events
adverse to the project.” The processes for implementing risk management from this perspective
are: risk management planning, risk identification, qualitative risk analysis, quantitative risk
analysis, risk response planning, and risk monitoring and control. Figure 1.2 shows how these
steps relate to each other, and their definitions are listed below.
One of the biggest mistakes a project team makes is wrongly identifying issues as project
risks. To prevent this from occurring, both terms must be defined. Risk is “an uncertain
event or condition that if it occurs, has a positive or negative effect on a project’s objectives”
(PMI, 2004). An issue, on the other hand, is an event that has already occurred and requires corrective
action to fix or overcome. Risks are events that can be planned for and their mitigations put in
Definitions
The following terms are used in this research and are defined below:
Qualitative Risk Analysis: “Prioritizing risks for subsequent further analysis or action by
assessing and combining their probability of occurrence and impact” (PMI, 2004).
Quantitative Risk Analysis: “Numerically analyzing the effect on overall project objectives of
Risk Identification: “Determining which risks might affect the project and documenting their
Risk Management Planning: “Deciding how to approach, plan, and execute the risk
Risk Monitoring and Control: “Tracking identified risks, monitoring residual risks,
identifying new risks, executing risk response plans, and evaluating their effectiveness
Risk Response Planning: “Developing options and actions to enhance opportunities, and to
This study will review the existing processes for performing risk management as a best
practice used by most private corporations as outlined in the PMBOK and the process used by
the acquisition community within the Department of Defense. This literature review is provided
so the reader will understand the processes involved – and their differences – and to see if a DoD
ACAT I program would benefit from a more robust approach to risk management.
The first step is to realize that managing risk is a fundamental aspect of business. Many
people do not view a DoD acquisition program as a business, but the use of public funds requires
that the program manager be accountable for how the program is run and how its budget is spent.
Like any commercial enterprise, the acquisition arm of the services has customers. These
customers consist of the men and women who put on a uniform and walk in harm’s way each and
every day. The big difference between commercial or private industry and the DoD is
that industry is calculating profit gains and profit losses; it’s all about the bottom line. For the
DoD, however, it is all about getting equipment that meets customer requirements to the right
place on time and within budget. As previously stated, the triple constraints of a program are
cost, schedule, and performance. These truly are the three areas that risk management focuses on for both
According to the PMBOK (2004), “Risk Management includes the processes concerned with
conducting risk management planning, identification, analysis, responses, and monitoring and
control of a project,” with most of these processes being continuously updated throughout the
duration of the program. The objective of risk management is to identify events,
both positive and negative, that will impact the program and then to decrease the probability and
impact of negative events while increasing the probability and impact of positive events. “The
Risk Management processes include the following: Risk Management Planning, Risk
Identification, Qualitative Risk Analysis, Quantitative Risk Analysis, Risk Response Planning,
and Risk Monitoring and Control” (PMI, 2004). Although risk management has distinct
processes associated with it that continually interact with each other, it is important to understand
that these processes also interact with other aspects or areas of program management. Often
people from multiple disciplines work together to develop risk mitigation strategies associated
Risk Management Planning is the process of determining how risks are to be handled within
a program. Risk planning consists of inputs and outputs. The inputs are environmental factors,
such as an organization’s attitude towards risk and its level of risk tolerance, the
project scope statement, and the project management plan. The output of risk management
planning is a risk management plan that consists of the methodology, roles and responsibilities,
Risk Identification is the process of determining which risks might affect the program and
documenting them. This is an iterative process that evolves throughout the life of the program
and draws on the project team and other stakeholders in the program. The inputs for this step are the
same as those for risk management planning, but the output here is a risk register to be
Qualitative Risk Analysis is the process of ranking the identified risks (“racking and stacking” them) to
determine the probability and impact of each risk as well as its categorization and urgency.
“Quantitative Risk Analysis is performed on risks that have been prioritized by the
Qualitative Risk Analysis process as potentially and substantially impacting the project’s
competing demands” (PMI, 2004). This process looks at the effect of those risks and assigns a
numerical rating to them using techniques such as Monte Carlo simulation to determine
consequence and likelihood. The output from this process is again updates to the risk registry.
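The two analysis steps above can be made concrete with a small worked example. The following Python sketch is added here as an illustration and is not part of the thesis, the PMBOK, or the DoD guide: it scores a constructed risk register on a five-by-five probability/impact matrix (the qualitative "rack and stack"), then runs a Monte Carlo simulation that draws, per trial, which risks occur and a triangular cost consequence for each, so that a program office can read off the probability of exceeding a management reserve and a P80 contingency figure. The register entries, the level thresholds, and the $10M reserve are assumptions chosen for the example (the budget-reduction entry loosely mirrors the truck example in Chapter 1).

```python
"""Qualitative ranking and a quantitative (Monte Carlo) cost-risk simulation
over a small risk register. Added illustration; the register, thresholds and
reserve figure are constructed for the example and are not from the thesis."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the event occurs during the program (0-1)
    cost_low: float     # cost consequence if it occurs, $M: optimistic
    cost_mode: float    # most likely
    cost_high: float    # pessimistic


# Constructed register (hypothetical, loosely modelled on the truck example).
REGISTER = [
    Risk("Mid-year budget reduction", 0.40, 5.0, 10.0, 15.0),
    Risk("Supplier steel price increase", 0.25, 2.0, 4.0, 8.0),
    Risk("Test failure forces redesign", 0.10, 8.0, 12.0, 20.0),
    Risk("Late government-furnished equipment", 0.50, 0.5, 1.0, 3.0),
]

# Assumed 5-level scales for the probability/impact matrix (a real program
# would take these from its own risk management plan).
PROB_BINS = (0.10, 0.30, 0.50, 0.70)
IMPACT_BINS = (1.0, 3.0, 7.0, 12.0)  # $M, applied to the most-likely cost


def to_level(value, bins):
    """Map a continuous value onto an ordinal level 1..len(bins)+1."""
    return 1 + sum(1 for b in bins if value >= b)


def qualitative_ranking(register):
    """Rack and stack: score = probability level x impact level, highest first.
    Ties are broken by expected cost so the ordering is deterministic."""
    scored = []
    for r in register:
        score = to_level(r.probability, PROB_BINS) * to_level(r.cost_mode, IMPACT_BINS)
        expected = r.probability * (r.cost_low + r.cost_mode + r.cost_high) / 3
        scored.append((score, expected, r.name))
    scored.sort(key=lambda t: (-t[0], -t[1]))
    return [(name, score) for score, _, name in scored]


def simulate_cost_risk(register, trials=20000, seed=1):
    """Monte Carlo: each trial decides whether every risk occurs and, if so,
    draws a triangular cost consequence; returns sorted total-cost samples ($M)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    samples = []
    for _ in range(trials):
        total = 0.0
        for r in register:
            if rng.random() < r.probability:
                total += rng.triangular(r.cost_low, r.cost_high, r.cost_mode)
        samples.append(total)
    samples.sort()
    return samples


def percentile(samples, p):
    """Nearest-rank percentile of already-sorted samples (p in 0..100)."""
    idx = min(len(samples) - 1, max(0, int(round(p / 100 * len(samples))) - 1))
    return samples[idx]


def exceedance_probability(samples, reserve):
    """Fraction of trials whose realised risk cost exceeds the management reserve."""
    return sum(1 for s in samples if s > reserve) / len(samples)


def analytic_expected_cost(register):
    """Closed-form expected risk cost (mean of a triangular is (low+mode+high)/3),
    used to sanity-check the simulation."""
    return sum(r.probability * (r.cost_low + r.cost_mode + r.cost_high) / 3 for r in register)


if __name__ == "__main__":
    for name, score in qualitative_ranking(REGISTER):
        print(f"{score:3d}  {name}")
    s = simulate_cost_risk(REGISTER)
    print(f"expected risk cost: {sum(s) / len(s):.2f} $M "
          f"(analytic {analytic_expected_cost(REGISTER):.2f})")
    print(f"P50 {percentile(s, 50):.2f}  P80 {percentile(s, 80):.2f}  "
          f"P(exceeds $10M reserve) {exceedance_probability(s, 10.0):.3f}")
```

The qualitative step produces an ordering (here the budget reduction ranks first, the low-probability but high-impact redesign second), which is what a risk board reviews quarterly; the quantitative step turns the same register into a distribution of total cost so that the reserve can be sized against a chosen confidence level rather than against a single point estimate. Note that the closed-form expected value is only a check: the percentiles and exceedance probability are what the Monte Carlo adds.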
Risk Response Planning is the process in which you develop options and determine the
actions to be taken. Risk response planning is approached from different perspectives depending
on whether the risk is negative (threat) or positive (opportunity). The three strategies for
typically dealing with negative risk are avoid, transfer, and mitigate (PMI, 2004). When a risk is
avoided, the program management plan would be changed to eliminate the threat created by the
risk. This oftentimes involves descoping a program’s requirements. Transferring risk
is the process of shifting the impact of a threat to a third party. This can come in the form of
insurance, warranties, or guarantees, but it does not get rid of the risk, it just shifts responsibility
to someone else and usually involves fees of some sort. Mitigation is simply a reduction in the
program with methods such as prototype development and or redundancy designed into the
system. The three strategies typically employed with positive risk (opportunities) are exploiting,
sharing, and enhancing. When exploiting a risk the organization is really just making sure the
By enhancing a risk the size of an opportunity is modified by increasing the probability of the
Risk Monitoring and Control is the process of identifying new risks, analyzing them, and planning
for them. This process also involves keeping track of identified risks and reviewing the execution
of risk responses, all in an iterative process from the program’s development to its close. The
outputs associated with monitoring and control are: risk register updates, requested changes,
Unlike private industry, where the exchange is complete once a product reaches the
consumer and the company receives payback, the DoD acquisition program manager is
responsible for a product until it is removed from the military inventory. “The purpose for
addressing risk on DoD programs is to help ensure program cost, schedule, and performance
objectives are achieved at every stage in the life cycle and to communicate to all stakeholders the
process for uncovering, determining the scope of, and managing program uncertainties” (DoD,
2006).
The Risk Management Guide published by the DoD is intended to assist program managers in effectively
managing program risk. This guide is very useful in its approach to identifying where risk can
come from. The processes for risk management within the DoD guide are risk identification, risk
analysis, risk mitigation planning, risk mitigation plan implementation, and risk tracking. These
processes are similar to those described in the PMBOK, thus the reason for questioning the best
procedure for implementing a risk management process in a government DoD ACAT I program.
A benefit to the DoD Guide is that it provides good top-level guidelines for effectively managing
risk. One very good aspect of the DoD guide is that it lays out the risk management roles, from
the program manager down to the working groups. This, however, is where the comparison
begins.
CHAPTER 3 – METHODOLOGY
Overview
The purpose of this thesis is to determine what is the best procedure for implementing a risk
management process in a government DoD ACAT I program. The recommendations that are
within this thesis are based on research and analysis of data and literature that provide guidance
Method
A qualitative research method was used in this thesis. Research questions were developed to
clarify the differences between how private industry performs the risk management process and
how the DoD performs the risk management process. To facilitate this methodology, numerous
documents written on the larger subject of Risk Management were explored and studied. Then
processes or steps used by several different organizations were examined, some of which buy
end products for government use, some of which produce end products for government use, and
some that produce end products for commercial or industrial use. By comparing these processes,
it can be determined if any one particular approach is better than the others. Once that is
completed the next question is, “Does this best process fit all situations?” As the research
continues, it may be determined that different processes may be needed for different organization
types. However, if a determination can be made that changes can be made to the way DoD
performs risk management, then the research will be beneficial and can be submitted to
policymakers for consideration. The methodology, then, is simply exploring the information
developed on the topic and comparing their processes and results to answer the research
questions.
Data source
Resources and data used for this study were pulled mainly from the cited references. Three
critical sources provided valuable references: the EBSCO Publishing database
website, A Guide to the Project Management Body of Knowledge (PMBOK), and the Risk Management Guide for DoD
Acquisition, Sixth Edition. Prior studies were researched, but none were found that compare the
The PMBOK and Risk Management Guide provided the idea of comparing how DoD
performs risk management to the way private industry does. The key research questions became
who performs it best and does the same process meet both required objectives. By having
intimate knowledge of these two processes, identification of which information each of these
sources provides was simplified. The EBSCO database at the William and Mary Center for
Professional Studies was used to identify additional resources using keyword searches. Through
this process, data collected to date was evaluated to determine what, and to what degree, each
document or publication provided relevance to the research question and determine how much
CHAPTER 4 – CONCLUSION
Discussion
This final chapter discusses the conclusions that are drawn from the research provided. It
provides recommendations on how the DoD could benefit from adopting practices and processes
from the PMBOK to enhance the guidance currently provided in its own handbook. The DoD
guide provides good high-level guidance. It also gives insight into where risk originates.
What the DoD guide lacks, however, is detailed processes that show the inputs, tools, and
outputs of each process in the risk management procedure. The PMBOK provides these missing
elements, which can be combined with the current DoD guide to provide the direction needed to
Conclusion
The best procedure for implementing a risk management process in a government DoD
ACAT I program is not the adoption of one process over the other. The best solution for any
program within the DoD is to take the guidance from the DoD guide and the detailed processes
from the PMBOK, the source most of private industry uses, and take a best-practices approach. By
taking the guidance and detail from both sources, the DoD can establish risk
management programs that could reduce wasted cost, scope creep, and schedule slippage.
REFERENCES
Bolles, D., & Hubbard, D. (2006). Communications and risk management: 17.2 Risk
CHAPTER 14: Risk Management in Practice. (2006). Retrieved July 27, 2009, from Business
Department of Defense (DoD). (2006). Risk management guide for DoD acquisition (6th ed.).
Dobbins, J. (2002). Critical success factor (CSF) analysis for DoD risk management. Program
Manager, 31(3), 40. Retrieved July 27, 2009, from Business Source Complete database.
Dunham Jr., W., Ostner, S., To, M., & Cochran, A. (2009). Know the rules. Best's Review,
110(3), 55-57. Retrieved July 27, 2009, from Business Source Complete database.
Kendrick, T. (2009). Identifying and managing project risk. American Management Association
International. Retrieved July 27, 2009, from Business Source Complete database.
Mays, E. (2009). Scenario analysis for board risk management. Corporate Board, 30(177), 17-
21. Retrieved July 27, 2009, from Business Source Complete database.
Panning, W. (2009). The why and how of risk-based planning. Best's Review, 110(3), 78.
Project Management Institute (PMI). (2004). A guide to the project management body of
knowledge (3rd ed.). Newtown Square, PA: Project Management Institute, Inc.
Risk Management. (2004). Essential Economics, Retrieved July 27, 2009, from Business Source
Complete database.