leveraging strategic risk assessments to inform...
TRANSCRIPT
Leveraging Strategic Risk Assessments to Inform Budgetary and Strategic Decisions
Ms. Denise LippunerPartner, Grant Thornton
Ms. Ann McDermottAssistant Deputy Commandant, Programs and Resources
1 June 2017
2
Agenda
What is a Strategic Risk Assessment
How Strategic Risk Assessment Informs Strategic Planning
How Strategic Risk Assessment Informs Budgeting
DoD Risk Management Framework
Risk Profile Example
Prioritizing Risks
Overview of Programs & Resources (P&R)
DoD Decision Support Systems
Overview of PPBE Process
Strategic Risk Assessment (Example)
Summary
3
What is a Strategic Risk Assessment?
As defined by The Risk Management Society
(RIMS), A Strategic Risk Assessment (SRA) is a
systematic and continual process for assessing
significant risks facing an enterprise
3
4
How SRA Informs Strategic Planning
Organizations seek to maximize value when setting
goals by finding an optimal balance between
expected value and risk level
5
How SRA Informs Budgeting
Strategic risk assessments can serve as a basis to formulate budget
requests that are informed by, but not controlled by, prior year budgets
6
DoD Risk Management Framework
1. Risk Identification
2. Risk Analysis
3. Risk Mitigation Planning
4. Risk Mitigation Plan
Implementation
5. Risk TrackingDoD
Risk
Management
Framework
A systematic risk management approach is essential for ensure that
scarce resources are assigned to address the most critical needs
As risks are identified and
prioritized they are used as
inputs into the Strategic
Planning process
As risks responses are
identified they are used as
inputs into the Budget Planning
process
7
Risk Profile Example
Risk Type. Strategic, Operational, Reporting or Compliance
Objective. Description of strategic objective being considered
Risks. Description of related risks (both positive and negative)
Inherent Risk. Rating of risk considering the Likelihood (L) and Consequence (C) given no controls in place
Current Risk Response. Overview of plans to respond to risk
Residual Risk. Rating of risk considering the Likelihood (L) and Consequence (C) given existing controls in place
Proposed Activities. Details of activities proposed to respond to risk
Target Risk. Rating of risk considering the Likelihood (L) and Consequence (C) given planned controls in place
Risk
TypeObjective
Risks (Positive and
Negative)Inherent Risk Current Risk Response Residual Risk Proposed Activities Target Risk
L C L C L C
StrategicMaintain a Ready and
Sustainable Reserve
Loss of institutional
knowledge due to retirement
projections may impact our
ability to achieve our mission
in certain regions
A –
Frequent
I –
Catastro
phic
Pursue policies and
operational practices to
better develop
and access the skill,
knowledge, and
expertise of Marines in
the Reserve Component
B - LikelyII –
Critical
institutionalize training and
advisory duties as legitimate,
normal career activities for all
Marines, and ensure promotion
policies reflect appropriate
consideration of these duties
C -
Occasion
al
II –
Critical
Operation
al
Ensure the stability of
the global system
Potential cybersecurity gaps
and weaknesses in
information security
A –
Frequent
I –
Catastro
phic
Anticipate how current
systems may be
exploited through
conducting periodic risk
assessments and testing
potential vulnerabilities
B - Likely II –
Critical
System Security Plans are
developed for all IT systems.
Additionally, systems are patched
and tested routinely to ensure
adequate coverage from different
types of cyber attacks
C -
Occasion
al
III -
Moderate
8
Prioritizing Risks
Frequent Likely Occasional Seldom Unlikely
A B C D E
Catastrophic I
Critical II
Moderate III
Negligible IV
Likelihood
Consequence
Risk Heat Map
H-High M-Moderate L-LowE-Extremely High
Levels of Risk
2
2
33
5
5
7
7
Risk Types
Strategic
Operational
Reporting
Compliance
Inherent Risk
Residual Risk
Risk Map Legend
Risk Shapes
Target Risk
2
5
7
3
9
Overview of Programs & Resources
Mission. The Programs & Resources Department (P&R) is the principal
staff agency responsible for developing, defending and overseeing Marine
Corps financial requirements, policies and programs in order to support
the Commandant of the Marine Corps (CMC) in executing his Title 10
responsibilities as a service chief
11
Overview of PPBE Process
Ex
ec
uti
on
PMF
FY
20
Strategic
RiskTactical
Risk
Continuous risk assessment is inherent throughout
12
Strategic Risk Assessment (Example)
Task. The Marine Corps (USMC) is tasked with being capable of
conducting a 2 Marine Expeditionary Brigade (MEB) size force
amphibious assault (AA)
Strategy. Ground Combat Vehicle Strategy (GCTVS) addresses all
combat vehicles
Goals:
• Informs investment decisions by clarifying criteria for Service Life Extension
Program (SLEP) v. Replacement/Modernization of ground combat vehicles
• Facilitates planning over the Future Years Defense Plan (FYDP)
Examples:
• Amphibious Combat Vehicle (ACV) replaces Amphibious Assault Vehicle (AAV)
• Joint Light Tactical Vehicle (JLTV) replaces High Mobility Multi-Purpose Wheeled
Vehicle (HMMWV)
• Light Armored Vehicle (LAV) – extending service life, replacement still in Research,
Development, Testing & Evaluation (RDT&E)
• M1A1 Tank – developing additional protective systems, not a replacement
13
Strategic Risk Assessment (Example)
1. Risk Identification:
• Current amphibious assault vehicle may jeopardize operational readiness
2. Risk Analysis
• Risk level is subject to current mission priorities
3. Risk Mitigation Planning
• Additional funds were allocated to accelerate ACV and LCAC replacement procurement
4. Risk Mitigation Plan
Implementation
• Programming additional funds in ACV by reducing fleet size and accepting risk in AAV
5. Risk Tracking
• Tracking execution to ensure Marines receive needed capability
Strategic Risk. In POM-18, the USMC had a 2 MEB AA capability, but
the current amphibious assault vehicle (over 40 years old) was deemed
inadequate to accomplish the mission and protect Marines in an evolving
combat environment
14
Planning
Task. Identify gaps and solutions in the investment plan for the
Marine Corps – the Marine Corps Enterprise Integration Plan
(MCEIP)
Input Documents. Guidance from the Commandant of the Marine Corps
(CMC), Department of the Navy (DoN), and Department of Defense (DoD)
Timeline. ~ 7 Months (May to November) to develop and submit
Output. MCEIP (in November)
• Identified AAVs as inadequate for mission accomplishment
• Recommended reducing the AAV fleet to produce funds to accelerate ACV
procurement
15
Programming
Task. Develop a risk mitigation plan for the AAV and ACV vehicles
in POM-18
Input Documents. MCEIP, Defense Planning Guidance (DPG), Guidance
from Department of the Navy (DoN) and Department of Defense (DoD),
Fiscal Guidance
ROM Timeline. ~ 7 Months (Oct to May) to develop and submit
Output. POM (in May)
• Reduced AAV sustainment by a specific number from FY2020-2022
• Residual funds were reallocated to accelerate the ACV program
• Additional ACVs were programmed to be procured in FY2021-2022
16
Budgeting
Task. Develop, submit and defend the Marine Corps’ portion of the
President’s Budget request to Congress
Input. CMC approved POM
Timeline.
• ~ 3-4 weeks (May) POM-to-Budget transition (integrated with ADC (P))
• ~ 9 months (May to Jan) develop and submit (ADC (R) in lead)
Output. President’s Budget Submission
• Budget analysts defended why the AAV sustainment program was having
funding reduced in FY2020-2022
• Budget analysts also defended an increase to ACV funding in FY2021-
2022
• Defense of the Budget was conducted with DoN, OSD, OMB, and
Congress
17
Execution
Task. Headquarters Marine Corps distributes funds to commands for
execution as planned and to address evolving risks
Input. Funds appropriated by Congress (Continuing Resolution
funding / Appropriations)
Timeline.
• Fiscal Year begins 1 October
• Mid-year review during March/April
• Reprogramming / budget transfers during May/June
• Close-out in September
• Certification / audit October +
Output.
• To be determined. FY 2018 execution has not yet commenced.
Execution Strategic Risk.
• During execution, analysis is crucial to validate that budgetary decisions
also achieve strategic objectives.