DHS should assess the benefits of a risk management sharing tool, GAO says

The Government Accountability Office wants the Department of Homeland Security to weigh the potential benefits of adding tools to share risk management practices enterprisewide. 

The recommendation was included in an Aug. 24 report from the watchdog examining the department’s risk management practices in its acquisitions programs. 

While GAO found that the DHS guidance broadly covered acquisition risk management and has improved in practice since revising its acquisition policy in 2019, the report found the guidance didn’t address how component agencies should pursue some risk management practices, such as objectively assessing risks and managing realized risks.

The report also noted that DHS missed an opportunity to implement risk management practices across its whole acquisition portfolio, rather than limiting them to individual programs.

GAO officials said that some benefit could be gained by implementing tools across the department that could share knowledge about risk management practices and how they could be applied to other component agencies. 

“In prior work, we found that the collecting and sharing of lessons learned from previous programs provides organizations with a powerful method for sharing ideas for improving work processes,” the report said. “A central component of a successful lessons learned process is to ensure that lessons learned are stored in a logical, organized manner.”

Some of the suggestions include reviewing risk responses from other programs, rather than keeping lessons siloed. Examples of such practices already occurring in component agencies included the Cybersecurity and Infrastructure Security Agency’s Next Generation Network Priority Services Phase 2, which provides first responders with priority voice, data and video communications during outages. 

The report noted that the officials working on the program coordinated with two other efforts within CISA’s emergency communications division to ensure they addressed interrelated risk management issues through practices like monthly meetings. 

“DHS does not have a department-wide repository to store and share knowledge that programs and portfolio managers could use to implement acquisition risk management, including leading practices in portfolio risk management,” the report said. “Instead, DHS, the components and programs have shared risk information on an ad hoc basis during meetings.”

GAO also noted that DHS and its component programs use a variety of risk-tracking tools and manually-completed spreadsheets, the latter because “there are no licensing costs, unlike other tools,” but often remain siloed as a result.

Though the agency's Office of Program Accountability and Risk Management launched its Acquisition Data Analytics Platform Tool to better manage acquisition programs, the tool does not include risk data. 

GAO offered eight recommendations, including multiple updates to the DHS risk management guidance and a call for the department to determine the costs and benefits of a tool to “systematically share risk management knowledge.” 

DHS officials concurred with all eight recommendations and said that they would determine whether it makes financial and organizational sense to implement a capability for sharing risk management approaches and information across the entire agency.