practical skills and applied knowledge in Security, defense, and risk management


How can we improve the acquisition of expensive systems?

Governments and corporations have been caught out spending years and billions of dollars on large acquisitions that fail. For instance, in 2002, the British National Health Service launched a National Programme for Information Technology with a budget of £6.2 billion, but after costing more than twice as much, most of its projects were canceled in 2011 by a different political administration, on the recommendation of a new Major Projects Authority. Similarly, the U.S. Department of Homeland Security has been criticized by the Government Accountability Office repeatedly for procuring unproven technologies, such as systems (“puffers”) designed to test the human body for the scent of explosives. From 2004 to 2006, the Transportation Security Administration acquired 116 systems at 37 airports, despite poor detection and availability rates during tests. All were deleted at a procurement cost of at least $30 million.

Routinely, it seems, democratic governments have been caught out investing billions in weapons and information technology that do not deliver what was specified or at the cost promised. 

Large acquisitions are perhaps riskier, but most of these instances also reveal poor risk assessment and risk management. Why?

One explanation is that program managers are not sufficiently skilled in risk management and the technical risks of the project/program of the moment. 

Traditionally, within government and large commercial organizations, the official centers of excellence or influence have been the departments of finance, defense, intelligence, internal or homeland security, and information management. Each of these departments offers some generalizable skills in risk or security management, but none can offer expertise across all departments and domains. 

Project risk managers can have surprisingly shallow knowledge of risk management - they understand the process of managing risk in general but lack the skills to research particular risks. They are good at assessing the stark financial risks of projects (such as potential lost investment) but are less qualified to assess the technical risks (such as potential technological failures) that would compound the financial risks (such as the extra costs of urgently procuring an off-the-shelf replacement for the intended product of a failed project). Stereotypical security and defense professionals are good at estimating the capabilities that they would want to use, but they are less qualified to assess technically the products that potential suppliers would offer them in order to deliver those capabilities. 

What are the solutions?

Project/program managers should be trained and selected for wider skills than just a basic project management certificate. They should be supported by people with research skills and subject-matter expertise. They should hold regular reviews of the technology risks with external technology experts and other subject-matter experts. They should be hired for the duration of the project/program, rather than for shorter-term tours (typically one year or two years in government). They should be accountable for their role in final project/program performance even if they leave early.