OMB keeps risk on the radar

If terrorist strikes and high-profile corporate collapses were not enough to emphasize the importance of risk management, program managers now face increased pressure from the Bush administration to identify and reduce risks associated with large information technology purchases.

The Office of Management and Budget requires capital asset plans, more commonly referred to as Exhibit 300s, for all major IT acquisitions. "This is really how OMB is trying to implement risk management," said Tom O'Rourke, a senior consultant at Total Quality Organization. "What they are trying to do is not spend a lot of money that is high risk."

The second section of the required Exhibit 300 highlights OMB's interest in having agency program managers take risk seriously. The document asks for a full list of risk areas associated with each major IT buy. Agencies must "describe risk assessment in terms of efforts to eliminate and manage identified risks," O'Rourke said. Risk categories include schedule, cost and technology issues.

"The big thing is that OMB is really trying to get clarity on requirements before an agency begins a project," O'Rourke said. "OMB is asking things like, 'What are the assumptions being made of this project?'"

As a risk management tool, Exhibit 300 takes a classic approach, he said. Specifically, the document asks agencies to identify information that will allow OMB officials to gauge a project's success at staying on budget and meeting deadlines, measures that are useful but go only so far, he added.

"The easiest two things to measure are cost and schedule. Forget performance," he said. "A project can be delivered on time and can be a piece of trash, or can be dead-on in terms of cost but can be a piece of trash. The hardest thing to measure is performance."

Although it is more difficult to assess, OMB officials are aiming to check risks that may hamper performance by determining the degree to which IT efforts adhere to the President's Management Agenda. OMB officials may require other research, interviews or more documentation in addition to Exhibit 300s.

According to some experts, however, OMB may have ventured into risk avoidance rather than risk management by relying so heavily on the 300s.

"OMB is pushing hard to make sure that agencies in their 300 reports identify and eliminate risks in their budgets," said Glenn Dunnington, senior program manager at Robbins-Gioia LLC. "The problem is that it is really important to balance risk and return. The complete aversion to risk and the exclusion of any projects that pose a risk is, quite frankly, a mistake."

To strike that balance, agencies will need to work closely with OMB officials and communicate what they believe they should be measuring. "Are we working with OMB? Heck yes," said Tony Maturo, who heads NASA's Academy of Program Project Leadership. "But you always have to be careful that you are measuring the right things and developing the correct metrics to achieve your strategic goals."