RiskBased Acquisition Management RBAM

1
Risk-Based Acquisition Management(R-BAM)

• Ken Sateriale
• July 27, 2000
• ksateria_at_pop200.gsfc.nasa.gov
• http//gsfc-artemis.gsfc.nasa.gov/210/proclib.htm

2
Major Points

• Risk Management is a Government-wide, OMB-driven
  initiative.
• Risk Management will drive decision making.
• The Office of Safety and Mission Assurance leads
  Risk Management at NASA.

3
Our Challenging Environment

• NASA is a discretionary agency - safety and
  mission success are necessary for our survival!
• Diminished Resources (human resources and
  funding)
• Projects are generally smaller and faster
• Acquisition rules have changed
• Surveillance methods are evolving (oversight to
  insight)
• Completion form contracts/PBC are becoming the
  norm
• Government emphasis on commercialization
• Issues of recent special focus
• IT Security, Export Control, Health, Environment

4
Programmatic Risks

• Safety
• Security
• Environmental
• Technical
• Export Control
• Cost
• Schedule

5
Project Considerations

• What is currently important to the project,
  management, customer, or user?
• Are there critical milestones the project is
  currently facing?
• What limits and constraints do the project,
  organization, group, or manager have?
• What milestones and limits are fixed? flexible?
• What resources are available for mitigation?
• How does this risk fit into the overall project
  issues and concerns? When is the best time to
  address or mitigate a risk?

6
Why Manage Risk?

• Obtain early identification of potential problems
• Acquire essential information needed to make
  tradeoffs based on priorities and quantified
  assessments
• Enable more efficient use of resources
• Increase probability of mission success
• Risk Management Proactive Project Management

7
Risk Management Background

• OMB Circular A-11, Capital Programming Guide
• (Effectively supercedes OMB Circular A-109,
  dated 04/05/76, Major Systems Acquisitions)
• NASA Administrator Safety and Risk
• Chief Engineer NPG 7120.5, NASA Program and
  Project Management Processes and Requirements
• Office of Safety and Mission Assurance
• CRM/New Core Competencies/NPG Updates
• Office of Procurement Strengthen PBC

8
OMBCapital Programming Guide

• Risk management should be central to the
  planning, budgeting, and acquisition process.
  Failure to analyze and manage the inherent risk
  in all capital asset acquisitions may contribute
  to cost overruns, schedule shortfalls, and
  acquisitions that fail to perform as expected.
  For each major capital project a risk analysis
  that includes how risks will be isolated,
  minimized, monitored, and controlled may help
  prevent these problems.

9
OMB Circular A-11Capital Programming Guide

• Elements of Risk Management
• Risk Assessment
• Risk Analysis
• Risk Treatment
• Lessons Learned

10
Risk Assessment

• The first step in risk management is to identify
  and assess all potential risk areas.
• A risk area is any part of a project where there
  is an uncertainty regarding future events that
  could have a detrimental effect on meeting the
  program goal.
• Risk assessment continues throughout the life
  cycle of a program.
• As the program progresses, previous uncertainties
  will become known and new uncertainties will
  arise.

11
Risk Analysis

• Once risks are identified, each risk should be
  characterized as to the likelihood of its
  occurrence and the severity of potential
  consequences.
• Risk analysis will result in a watch list of
  potential areas of risk. The watch list may
  identify early warning signs that a problem is
  going to arise.
• As in risk assessment, risk analysis continues
  through the life cycle of the program the watch
  list should be updated as appropriate.

12
Risk Treatment

• After a risk has been assessed and analyzed, the
  agency should consider what to do about it.
  Alternatives include
• Transfer
• Avoidance
• Reduction
• Assumption
• Sharing

13
NASA Administrator

• ... accept risk, but only in an informed
  manner...consistent with our unwillingness to
  compromise the safety and health of people and
  property or do harm to the environment... I have
  designated safety and health as our highest core
  value...incorporate safety and health principles
  and practices into our daily decision-making
  processes and lives.
• Daniel S. Goldin January 19, 1999

14
NASA Administrator

• I request that all employees become familiar
  with failure modes and effects analysis, fault
  tree analysis, and probabilistic risk
  assessments.improved safety and mission success
  will result only from your complete, thorough,
  and across-the-board understanding and management
  of risk. Daniel S. Goldin June 1, 2000

15
Risk Management Technologies

• Failure Modes and Effects Analysis (FMEA). The
  FMEA is a bottom-up analysis of component-level
  failures and their effects on higher-level
  systems.
• Fault Tree Analysis (FTA). FTA is a top-down
  analysis used to evaluate specific undesired
  events. It is a deductive logic tree linking a
  top event to the combinations of sub-events that
  could cause it.
• Probabilistic Risk Assessment (PRA). PRA is an
  analysis of the probability (or frequency) of
  occurrence of a top-level undesired event,
  including an assessment and display of our degree
  of uncertainty surrounding the probability.

16
Chief EngineerNPG 7120.5

• Risk management is a continuous process that
  identifies risks analyzes their impact and
  prioritizes them develops and carries out plans
  for risk mitigation, acceptance, or other action
  tracks risks and the implementation of mitigation
  plans supports informed, timely, and effective
  decisions to control risks and mitigation plans
  and assures that risk information is communicated
  among all levels of a program/project. Risk
  management begins in the formulation phase with
  an initial risk identification and development of
  a Risk Management Plan and continues throughout
  the products life cycle through the disposition
  and tracking of existing and new risks.

17
Chief Engineer NPG 7120.5 Risk Management Plan

• A Risk Management Plan (included in the NASA
• Program/Project Plans) describes how the project
  will perform risk management, including
• introduction
• practice overview
• project organization, roles, and responsibilities
• practice details
• risk management resources and milestones
• risk information documentation

18
Office of Safety and Mission Assurance

• Continuous Risk Management (CRM)
• New Core Competencies
• NPG Updates

19
Continuous Risk Management

• Continuous Risk Management (CRM) is a process
  that searches for and identifies risks before
  they become problems and provides mitigation
  actions to reduce their likelihood and/or impact.
  The goal of CRM is to reduce the impact of
  issues and uncertainties on a project to an
  acceptable level.

20
Office of Safety and Mission Assurance NASAs
Continuous Risk Management Paradigm

21
Risk Management Steps

• (1) Identify. State the risk in terms of
  condition and consequence(s) capture the context
  of the risk e.g., what, when, where, how, and
  why.
• (2) Analyze. Evaluate risk probability,
  impact/severity, and time-frame (when action
  needs to be taken) classify/group with
  similar/related risks and prioritize.

22
Risk Management Steps

• (3) Plan. Assign responsibility, determine
  approach (research, accept, mitigate, or
  monitor) if risk will be mitigated, define
  mitigation level (e.g., action item list or more
  detailed task plan) and goal execute plan.
• (4) Track. Acquire/update, compile, analyze, and
  organize risk data report tracking results and
  verify and validate mitigation actions.

23
Risk Management Steps

• (5) Control. Analyze tracking results, decide
  how to proceed (re-plan, close the risk, invoke
  contingency plans, continue tracking) execute
  the control decisions.
• (6) Communication and documentation. These are
  present in all of the preceding functions and are
  essential for the management of risks. A system
  for documentation and tracking of risk decisions
  shall be implemented.

24
New SMA Core Competencies

• Risk management
• SMA plan development/surveillance plan
  development
• System safety analysis/hazard analysis
• Reliability analysis/modeling/testing and
  evaluation
• Probabilistic risk assessment
• Qualification/certification of products
• Configuration management/process control
• Failure/anomaly investigation/root cause analysis
• Emergency preparedness planning

25
SMA Supporting Acquisition

• SMA is your risk management consultant to the
  project throughout the acquisition process. SMA
• Supports requirements development
• Supports acquisition strategy planning
• Supports risk management plan development
• Supports up-front risk assessments and analyses
• Provides risk management training as required
• SMAs role in acquisition must be strengthened!

26
RM/CRM/R-BAM Implementation

• OMB Circular A-11 Supplement CPG July
  1997
• NPG 7120.5 April 1998
• At a Glance Procurement Initiatives April
  1999
• Procurement Information Circular April 1999
• Procurement Notice (NFS) Proposed Rule July
  1999
• Procurement Notice (NFS) Interim Rule June
  2000
• NPG 8715.3, NASA Safety Program Manual January
  2000
• NPG 8621.1, Mishap Reporting June 2000
• NPG 8735, SMA Surveillance ... Contracts August
  2000
• NPG 8705 Risk Management Sep 2000
• Outreach Procurement and Technical Ongoing

27
http//satc.gsfc.nasa.gov/crm/
28
Office of Procurement Strengthen PBC Framework

• Agency goal of 80 is being met!
• Butsome application of PBC is nominal.
• Since program and project management
  accountability still resides with NASA, there is
  a tendency to exercise pervasive control.
• Risk management provides a framework for
  determining the appropriate level of
  NASA-Contractor engagement.

29
Incorporating Risk Management into the
Acquisition Process
30
Procurement Notice 97-46 Interim Changes to the
NASA FAR Supplement Applicable to solicitations
issued on or after July 13, 2000
31
Interim Rule - 1 of 3

• Acquisition plan must discuss risk.
• Acquisition planning must include input from
  safety, health, information technology, export
  control, security, and environment.
• Draft RFP must invite industry comment on safety,
  security, health, and environmental concerns.
• RFPs shall require offerors to identify/discuss
  risk issues throughout the proposal, where
  relevant.

32
Interim Rule - 2 of 3

• Source Selection
• Mission suitability must include consideration of
  safety and health, when that plan is required.
  For acquisitions or gt10M or, or gt25M
  Commercial, a sub-factor for safety and health
  must be used.
• Past performance evaluation must include
  security, safety, and environmental damage, where
  germane.

33
Interim Rule - 3 of 3

• Pre-Negotiation Position Memorandum must address
  any safety and risk issues.
• Risk Management must be considered under the
  technical award fee factor.
• No award fee for periods with fatality, mission
  failure, 1M damage, or willful or repeat OSHA
  violations.
• New clause, Major Breach of Safety or Security
  allows for Termination for Default. Required for
  contracts gt500K.

34
Implementation IssuesThe Devils In the
Details

• Agency Procurement Working Group
• Section L and M language?
• Mid-Range applicability?
• Resolution of liability issues may delay
  close-out?
• Identifying Known Risks to Offerors?

35
(No Transcript)
36
SUMMARY RBAM Enables Key Decisions
Surveillance Mode Insight/Oversight
Evaluation Criteria Selection of Contractor
Contract Type and Fee Structure
Contracting Technique
Mode of Implementation In-house, Grant,
Cooperative Agreement, Contract
Development of Work Statement/Requirements
Feasibility Program Go/No Go