BTA Enterprise Planning and Investment Director Talks Risk to Government and Industry Leaders
Enterprise Planning and Investment Directorate
Business Transformation Agency
December 17, 2008
Arlington, Va. – Information technology (IT) experts from across government and private industry gathered in Williamsburg, Va., to discuss optimizing the enterprise through risk management on October 27 - 28.
The annual Executive Leadership Conference, sponsored by the Department of Labor, ran four separate tracks with different themes of government transformation. The themes ranged from change in environment, transparency and partnerships; and transforming government with a changing workforce to crossing boundaries and managing risk. Paul Ketrick, director of the Enterprise Planning and Investment (EP&I) Directorate with the Business Transformation Agency (BTA), addressed an audience of about 200 as part of a panel on identifying and managing risk.
Ketrick described the Department of Defense (DoD) risk assessment approach, called the Enterprise Risk Assessment Methodology (ERAM). High costs and problematic implementation of DoD business enterprise IT systems resulted in programs being over budget and behind schedule. ERAM was developed to reduce risks and improve the speed of delivering business capabilities.
ERAM provides independent risk assessments by identifying program risks and working with programs in developing potential risk management solutions. ERAM functions as the due diligence of the Business Capability Lifecycle (BCL) process. The BCL is being implemented as a process the DoD follows for the acquisition of business major automated information systems.
To date, ten risk assessments have been performed on DoD’s largest business IT systems. ERAM looks forward rather than back, and this proactive approach is what sets ERAM apart, according to Ketrick. This is necessary because risk is defined as that which has potential to result in a negative outcome in the future.
"We need to look past the issues of today and look to the risk of tomorrow," Ketrick said. "What can we do to prevent the risk of tomorrow? That is what is needed in risk management and it will require a paradigm shift."
Ketrick went on to say after two years of conducting ERAMs, the teams have found the most serious program risks are often external – outside direct control of the program. These originate in areas such as governance structure, authority and sponsorship. Other risk factors include unrealistic implementation strategies and cultural resistance to change; the latter is why a paradigm shift is requisite.
Ketrick said risk management is a two-pronged approach: "First, figure out what risk is visible and understand that risk. Second, proactively mitigate the risk that may occur."