Login
iscover
Opinion: Risk aversion and risk management has increasingly been at the forefront of the ADF’s uniformed services, public service and national policymakers, with little room for error in such nationally consequential projects, but Group Captain David Hood asks: Has this approach caused more problems than it has solved?
The Defence Strategic Review (DSR) found that the Australian Defence Force’s current approach to capability acquisition is not fit for purpose. Specifically, the review found that Defence’s acquisition processes are burdensome and misguidedly risk-averse, and that Defence must move away from processes based on project management risk to those which take into account strategic risk.
The National Defence Strategy (NDS) has reaffirmed this assertion. This paper argues that to remedy the acquisition risk management problems identified by the DSR and NDS, Defence must actively pursue a change in risk management mindset.
The observations of the DSR cited above are the latest in a long line of similar critiques. There has been persistent criticism, from multiple sources and over a sustained period of time, regarding Defence’s ability to manage risk during capability acquisitions.
Since its first report in 2008, the annual reviews of the Australian National Audit Office into Defence major projects have consistently raised concerns relating to risk management, including failures to remediate known issues.
Over 15 years ago, the Pappas review identified, as one of only two “major classes of risk” for Defence procurements, the risk that “strategic requirements and procurement priorities are not aligned … The chief form of this risk is that … platform[s] will either not deliver or over-deliver on what is required to meet strategic objectives”.
In 2012, a Senate committee review into procurement procedures for Defence capital projects found risk management to be a “dominant issue” requiring rectification.
Looking to the future, the NDS called for “simplifying and accelerating Defence’s acquisition processes to deliver capability more quickly … including embracing greater levels of risk”.
And the Defence Industry Development Strategy urged Defence to accept greater levels of risk and have an increased risk appetite in relation to capability acquisitions.
I will argue that a defining feature of Defence’s current risk management approach, and the root cause of the issues identified in multiple previous reviews including those cited above, is a mindset which drives a disconnection between project-level and strategic-level contexts, resulting in a failure to deliver meaningful capability at the right time.
Given the current and trending strategic context, the need for Defence to change how it manages acquisition risk has arguably never been more important. Will the strategic environment itself be a trigger for change? Perhaps. But Defence cannot afford to take a passive stance and allow change to be driven by increasingly bleak external circumstances.
Here, I seek to answer what can be done, in the face of the multiple claims that Defence is incapable of change. Defence must actively and aggressively pursue a change in risk management mindset which will propel the cultural and procedural changes needed to address persistent concerns.
I interpret a passage of the DSR on acquisition risk management to identify and then examine two opposing risk management mindsets: a project risk management mindset and a strategic risk management mindset. I argue that Defence has embodied a tactically focused project risk management mindset.
On the contrary, I then propose ways for risk managers at all levels to adopt a strategic risk management mindset to best ensure acquisition risks are managed in support of the timely delivery of relevant capability.
Interpreting the DSR’s observations on acquisition risk management
Under a heading of “capability acquisition, risk and accountability”, the DSR noted that “Defence must move away from processes based around project management risk rather than strategic risk management. It must be based on minimum viable capability in the shortest possible time.”
The phrase “project management risk” refers to a means of managing risk which focuses on the applicable project in isolation to the broader strategic context. Risk is managed in a tactical-level vacuum. There is little or no consideration given to the operational or strategic drivers for the project, and decisions regarding risk are not weighed against broader opportunity benefits. Consequently, there is a bias towards conservatism. Risk is managed through the imposition of limitations and controls.
The phrase “strategic risk management” refers to a means of managing risk with the strategic context front of mind. Risk is managed in light of the broader strategic context, not simply the localised project context. Risk to project outcomes is assessed against potential operational and strategic opportunity benefits. There is a bias towards accommodating project risk, where doing so offers a calculated opportunity benefit in the form of creating strategic advantage.
The purpose of this advantage is to deliver minimum viable capability (MVC) in the shortest possible time period to support strategic objectives, including deterrence and “impactful projection”.
The phrase “[i]t must be based on” in the last sentence of the DSR quote above means “risk management must be based on”. This sentence follows on immediately from the observation concerning how risk should be managed, and therefore implies the best, if not the only, way to deliver MVC in the shortest possible time is to manage risk with the strategic context in mind.
Two distinct approaches
The two means by which risk is managed (project and strategic) do not simply constitute different processes. They are enabled by different mindsets, which cause the processes to manifest. The interpretation above allows the characteristics and results of managing risk with a project risk management mindset to be contrasted with those of a strategic risk management mindset.
1. The project risk management mindset
Managing risk with a project risk management mindset means the broader context is generally ignored. Risks are identified by looking only inwards and downwards into the project itself. Because risk is managed in a vacuum, the broader opportunity benefits of doing something tend to be ignored. Rather, risk is “managed” by applying conservatism, limitations and controls to minimise or eliminate project risks.
Options and opportunities may be constrained by deliberately prohibiting or limiting the undertaking of things. This approach means it is not likely that strategic advantage can be created. It follows that a project management mindset will be unlikely to deliver MVC in the shortest possible time.
If a project risk management mindset is adopted, the primary focus for managers is to control hazards to project cost, scope and schedule. This means, for example, a tendency to define very prescriptively the full scope of materiel capability being delivered so that project cost and schedule can be estimated with apparent precision. Uncertainty is viewed as a hazard. Managers will likely seek to demonstrate they have control over uncertainty by showing they can deliver project outcomes to a defined budget and schedule.
This mindset prevents consideration of the broader context, such as whether or not such certainty of outcomes at an early stage of the project life is strategically wise. Managers are unlikely to be concerned with whether the capability being delivered is fit for purpose towards the end of the project’s life. Further, managers are predisposed to ignore the wealth of research and Defence acquisition experience that shows cost and schedule forecasts are likely to be flawed, perhaps deeply flawed, because of inherent biases such as the misplaced belief that future events can be predicted and controlled with precision and accuracy.
Instead, the focus in and down on project risk and the significant effort expended in estimating project cost, scope and schedule likely reinforce the sense of confidence in the accuracy and correctness of estimates. Finally, because project risk is not linked to its operational and strategic context, managers are unable to identify the opportunity benefits of taking a calculated risk to create strategic advantage. Under the project risk management mindset, even if project-level objectives such as budget and schedule are achieved, the delivery of an MVC in the shortest possible time is likely to be compromised.
While Defence may not like to admit it, the DSR makes clear that the system that drives acquisition risk management decision making is firmly entrenched in a tactically focused, risk-averse project risk management mindset. This begs the question “Why?” The DSR does not provide an answer; however, it would be a serious misjudgement to assume that the root cause relates to individual risk managers themselves.
Defence attracts highly competent people and provides them with high-quality professionalisation and training opportunities. The real cause is likely related to the nature of the military organisation itself. Several studies have identified that Western military institutions favour highly disciplined, structured processes; seek precise solutions driven by quantitative rather than qualitative inputs; and strive to control the environment through elaborate governance and reporting mechanisms and a deference to rank and positional status.
Ignoring the inherent falsehoods of these approaches when applied to complex or chaotic environments (which, paradoxically, are precisely the environments that the military is immersed in), it is self-evident that these attributes will drive a reductionist “inwards and downwards” approach to identifying risk; ignore the unquantifiable complexity of the broader environment; avoid risk and uncertainty through the imposition of constraints and controls; and become naturally self-censoring even when weaknesses in the risk management approach are known by risk managers.
Further, the organisation may attract and, once recruited, reward individuals who are motivated towards and perpetuate entrenched behaviours. Finally, like other bureaucratic organisations, the military will resist change where it requires the relinquishment of power and control or reduces stability.
Change is viewed as a threat and it translates very naturally to the project risk management mindset which views uncertainty as a hazard. The obvious conclusion is that adopting a strategic management mindset will be resisted not because it is an inferior approach but because it threatens the foundations of the system itself, even if those foundations are inherently unsound. Practical ways to address these issues are discussed later in this paper.
In the second part of this short series, Group Captain David Hood will unpack the second approach to risk management in Defence’s acquisition cycle and present a model for cultural change to drive better outcomes for Defence.
This was republished with the author’s approval, with the full version previously published by the Air and Space Power Centre.
Group Captain David Hood is an aeronautical engineer working for the Royal Australian Air Force. He holds a master of gas turbine technology (Cranfield, UK) and a master of military and defence studies (Australian National University).
