RiskAoA


RiskAoA is a United States Department of Defense (USDoD) project risk management tool that allows the instantaneous review of portfolio (see Project Portfolio Management), proposal or alternatives risk. It was designed by Air Force Research Laboratory (AFRL) Headquarters to perform proactive risk analysis for the Analysis of Alternatives (AoA) process. The prototype, "RiskHammer", was approved by the US Air Force Electronic Systems Center-Acquisition Center of Excellence (ESC/ACE) in 2002 (see Hanscom Air Force Base). RiskAoA is proprietary to the United States Government, but is available from Air Force Materiel Command (AFMC) Headquarters, the office of AFMC/A5, in accordance with Distribution B.

RiskAoA is a simple-to-use Excel- and Visual Basic-based program that allows the predictive and quantitative assessment of risk. The results are statistically based values of the relative risk associated with the evaluated alternatives. The capability and algorithms for the program are unprecedented, making RiskAoA the most advanced alternatives management technology employed institutionally and the first demonstrating the predictive character of the risk discipline.[1]

RiskAoA fulfills a unique role among risk management tools: it transforms qualitative statements of the risk of an alternative or option into a single quantitative value as useful as the cost and schedule. An aim of the USDoD acquisition process is to maximize “value” or return on investment, using the fundamental properties of Cost, Schedule, Performance (CSP) and Risk (or CSPR) as metrics. Just as the cost of one proposal can be higher than another, or one schedule can take longer, so risk can be prioritized with RiskAoA. It is further unique in being the only technology ever produced by AFRL Headquarters.

RiskAoA is also well suited for the Evaluation of Alternatives (EoA) process.

RiskAoA Objectives are:

1. Support US Government program managers and decision makers in the assessment of risks and events for any selection of alternatives for Capability-Based Planning or Joint Capabilities Integration Development System (JCIDS), the military equivalent of Enterprise Resource Planning (ERP). This application provides a predictive ‘at-a-glance’ assessment of the number and magnitude of difficulties expected from different alternatives, necessary for Enterprise Risk Management, supported by RiskAoA.

2. Provide easily reviewable documentation for support or defense of acquisition decisions. RiskAoA helps justify risk vs. return propositions from alternatives and proposals.

3. Provide the Risk Adjusted Life Cycle Costs (LCC) estimates required by the General Services Administration (GSA) for the Analysis of Alternatives.[2]

The USDoD uses a "Probability-Consequence Model" (also known as "Probability-Impact") as one of its key risk metrics.[3] A difficulty with this metric is the constructive “adding” of risk. Probabilities add as:

P1 + P2(1 - P1) + P3(1 - P1)(1 - P2) + …, where P1 is the probability of event 1, P2 of event 2, etc.

Multiplying these by a consequence, which can be cost, time or action, makes the addition and summary of these risks challenging. Further complicating matters is the Probability-Consequence Model's inability to adjust for compound effects from the same risk. An example from network security: if a network of 10 computers comes under network attack, the risk depends on the defense mechanism. If only one of the computers succumbs to the attack and infects the entire network, the risk scenario is different than if each computer must be attacked and infected individually.

RiskAoA solves these issues by developing a function which uniquely identifies each probability series as a value relative to one another, utilizing the property from probability theory that the order of occurrences does not affect the result.
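The probability series above and the 10-computer example, worked through as an added example (this is not RiskAoA's proprietary algorithm and not code from the article). It assumes the events are independent; the function names and sample probabilities are constructed for illustration.

```python
from itertools import permutations
from math import isclose, prod


def series_sum(probs):
    """P1 + P2(1-P1) + P3(1-P1)(1-P2) + ...: chance that at least one event occurs.

    Assumption: the events are independent.
    """
    total, none_yet = 0.0, 1.0
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        total += p * none_yet      # this event is the first one to occur
        none_yet *= 1.0 - p        # no event has occurred so far
    return total


def closed_form(probs):
    """Same quantity as 1 - (1-P1)(1-P2)...; a product, so order cannot matter."""
    return 1.0 - prod(1.0 - p for p in probs)


def order_invariant(probs):
    """Check that every ordering of the risks gives the same combined probability."""
    ref = series_sum(probs)
    return all(isclose(series_sum(perm), ref, abs_tol=1e-12)
               for perm in permutations(probs))


def network_loss(p_host, hosts, one_infects_all):
    """Probability the whole network is lost, given per-host attack success p_host."""
    if one_infects_all:
        return series_sum([p_host] * hosts)   # any single success is enough
    return p_host ** hosts                    # every host must fall individually


if __name__ == "__main__":
    risks = [0.1, 0.2, 0.3]                   # constructed sample probabilities
    print(series_sum(risks), closed_form(risks), order_invariant(risks))
    print(network_loss(0.05, 10, True), network_loss(0.05, 10, False))
```

With a constructed 5% per-host success rate, the "one host infects all" network is lost about 40% of the time, while the "every host must be attacked" network is lost with probability below one in a trillion, which is the gap a plain probability-times-consequence entry does not capture.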

The program is easy to use, requiring only a few entries:

1. Name and save the analysis.

2. Determine the number of interacting systems and enter this number.

For each row:

3. Identify each risk.

3a. Name the risk

3b. Describe the risk

3c. Mitigation plan (if any)

3d. Determine the number of compounding effects from each risk. For the network attack example above, enter 10 for one attack being successful, 1/10 if all need to succumb.

3e. Assess the risk as High (H), Medium (M), Low (L) or Negligible (N), or use a quantitative numbered assessment (1-99%), under the impact columns: Catastrophic, Critical, Moderate and Negligible. The text in the impact column may be changed; "Negligible" may be changed to "Schedule" or "Low", for example.

3f. Determine if this risk impacts the entire program (critical path, key performance characteristic, etc.) and rate it H, M or L.

4. Repeat step 3 for each risk for each alternative.

RiskAoA includes a forecasting tool, allowing users to determine the level of confidence in the results. The forecasting tool is based on two elements: the worst-case confidence in each of the alternative’s risks, and the number of these risks. This is the equivalent of a shotgun approach to risk management: the more germane data, the more likely the result is to be correct. If well-understood data is input, this function is unnecessary.

Because of the nature of the RiskAoA approach, errors tend to cancel and be moderated. This makes the forecasting tool itself a worst-case model. If the confidence in the individual risks is greater than 50%, this approach remains accurate.

RiskAoA algorithms were invented and developed by Gregory M. Tyler, and its user interface was developed by the MITRE Corporation.[4] Since its first release in 2002, it has been validated by other DoD organizations: Air Force Materiel Command (AFMC) Reporting Units; Validated, Verified and Accredited (VV&A) by AFRL[5] and reviewed by AFMC/EN. It was endorsed DoD-wide by the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics[6] in 2007 and by the Defense Acquisition University.[7]

RiskAoA is available to all members of the US DoD, and Federal Government employees, in accordance with Distribution B, by contacting AFMC/A5.

References

  1. ^ https://acc.dau.mil/CommunityBrowser.aspx?id=126070
  2. ^ U.S. General Services Administration. IT Budget Submission Instructions: Guide for Major IT Initiatives (BY2009 Exhibit 300 & Exhibit 53). Washington, DC: Office of the Chief Information Officer, 2007
  3. ^ Risk Management Guide for DoD Acquisition, Aug 2006
  4. ^ RiskAoA program, users manual
  5. ^ http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA463123&Location=U2&doc=GetTRDoc.pdf AFRL Alternatives Planning Technology Aids Decision Makers
  6. ^ Defense ATL, Quantifying Risk across the Department of Defense, Jan-Feb 2007
  7. ^ https://dap.dau.mil/aphome/das/Lists/Software%20Tools/DispForm.aspx?ID=57