
Risk management or risk myopia? Changing the ADF’s acquisition risk management culture: Part 2

Opinion: The 2023 Defence Strategic Review identifies shifting a risk-averse culture as a key challenge. Group Captain David Hood emphasises that fostering healthy risk-taking is crucial for faster delivery of warfighter capabilities without compromising effectiveness – a demanding but highly rewarding effort.


Change is viewed as a threat, and it translates very naturally to the project risk management mindset which views uncertainty as a hazard.

The obvious conclusion is that adopting a strategic management mindset will be resisted not because it is an inferior approach but because it threatens the foundations of the system itself, even if those foundations are inherently unsound.

In the first part of this short series, I looked at the culture and approach to date that permeates Australia’s defence acquisition apparatus, processes and bureaucracy that, as per the 2023 Defence Strategic Review, have been recognised as out of date for the current strategic environment; accordingly, overcoming these challenges is now of paramount importance.

2. The strategic risk management mindset

Managing risk with a strategic risk management mindset means the strategic environment is accounted for by looking outwards and upwards into the strategic realm. This enables the identification of potentially significant opportunity benefits through doing things.

Risk is managed by reducing conservatism, limitations and controls, which may increase project-level risk where a deliberate decision is made to accommodate a strategic opportunity. Under a strategic risk management mindset, creation of strategic advantage is more likely because project risk is weighed against strategic reward, and opportunities are pursued where doing so is judged to represent an optimum balance in overall risk versus reward.

This mindset will be more likely to deliver a minimum viable capability (MVC) in the shortest possible time.

If a strategic risk management mindset is adopted, managers focus on both project-level and strategic contexts and recognise that the former must be informed by the latter. Managers may identify, for example, that a dynamic strategic environment exists in which capability needs should evolve in response to both swiftly advancing adversary capabilities and rapidly evolving technology.

In this case, managers would recognise that capability needs and solutions may change quickly, and in ways not able to be predicted. At the project level, this means that defining prescriptively the full scope of materiel capability up front is counterproductive because there is a higher risk of delivering obsolete capability. Certainty is viewed as a hazard. Managers will accept that project cost, scope and schedule must be defined to some degree to allow for investment decisions to be made. They will, however, limit such definition to enable flexibility in decision making as the project executes.

Managers will seek to demonstrate they can adapt capability outcomes to the evolving strategic environment, thereby creating strategic advantage. While this necessitates the acceptance of risk relating to project cost, scope and schedule, managers will recognise that if such risk is realised, they can, for example, trade scope to deliver more meaningful capabilities in response to emerging technology or adversary capabilities, bring forward funding from future years to capitalise on short-term procurement opportunities, or hand back funds unable to be committed or expended.

Managers recognise the risk relating to cost, scope and schedule is worth taking because there is greater strategic risk associated with delivering late or obsolete capability. By retaining flexible capability delivery, managers are more likely to realise strategic opportunity through delivering MVC in the shortest possible time.

Embodying the strategic risk management mindset

How does Defence evolve to embody the strategic risk management mindset called out by the Defence Strategic Review (DSR), noting the potential for systemic resistance? First, there must be an acceptance that the root problem is mindset, not process. Often, organisational change is attempted by changing process or structure, probably because they are relatively simple to do, and also because they can be easily exhibited as changes for apparent good. A more cynical but equally credible argument is that changes to process and structure are pursued because they can be enacted in ways that do not disrupt the ingrained mindset and culture which serves senior leadership.

The First Principles Review into Defence identified that “there have been over 35 significant reviews and many more supplementary reviews of Defence” since 1973, but that the “consistent and recurring themes” identified by these reviews focused on procedural and structural factors such as ambiguity in roles and responsibilities, inadequate governance and performance monitoring and poor planning.

While these themes are important, it is clear the multitude of reviews into Defence have not identified mindset as the most fundamental driver of organisational change. The problem is that undertaken in isolation, structural or procedural changes are among the least-effective methods to institutionalise lasting change. While changing mindset is both harder to do and less directly observable, it can create far more fundamental and longer-lasting change in organisations.

Cultural, structural and procedural changes then follow organically.

Defence must place more emphasis on identifying and rewarding traits associated with the strategic management mindset when recruiting and promoting risk managers. Defence requires risk managers who are naturally strategic as opposed to tactical in their outlook, and leaders who are calculated revisionists. Leaders and risk managers must be able to cope with complexity but recognise that focusing in and down on the minutiae will draw their attention in the wrong direction.

Defence needs risk management professionals who have a more open-minded, optimistic and less risk-averse predisposition so that strategic opportunity can be pursued. These traits conform to Isaiah Berlin’s prototypical “fox” who “knows many things” and “accepts that he can only know many things … the unity of reality must escape his grasp”, rather than the “hedgehog” who “will not make peace with the world. He … cannot accept that he knows only many things. He seeks to know one big thing [that] give[s] reality a unifying shape”.

The association between foxes and good risk management is grounded in research which suggests that hedgehogs are more conservative, pessimistic, closed-minded and risk-averse, while also more likely to be overconfident in their own abilities. This means they are more likely than foxes to suffer from availability bias, denominator neglect and loss aversion, all of which tend to induce an in and down approach to risk management. In contrast to hedgehogs, foxes are more likely to “think the right way” and hence “get decisions right”.

It is also likely that hedgehogs focus on reducing risk rather than seeking opportunity through their fondness of what economist John Kenneth Galbraith termed “the conventional wisdom”. This concept describes the predisposition of certain individuals to seek the safety and comfort of the status quo in thought and action. In doing so, they sacrifice opportunities for “acceptable ideas” which are always based on what is best understood and hence most familiar.

The fundamental problem with this approach is that acceptable ideas have great stability, but they neither describe the world as it actually is nor do they apply to a world that constantly changes: “the conventional wisdom accommodates itself not to the world that it is meant to interpret, but to the audience’s view of the world. Since the latter remains with the comfortable and the familiar, while the world moves on, the conventional wisdom is always in danger of obsolescence.”

In the context of risk management, the obvious problem with a mindset driven by the conventional wisdom is that strategic opportunities, unfamiliar by their very nature, will be avoided. In addition, actions taken to manage risk may also be flawed, because the strategic context always changes. Berlin’s work implies foxes are less prone to favouring the conventional wisdom. Seminal literature on judgement and forecasting offers a range of cognitive tests that can be used to identify the fox-like traits more conducive to strategic risk management.

Cognitive testing could be adopted to aid selection of risk managers in a manner similar to the testing undertaken to select aircrew candidates. Defence could also lobby professional bodies like the Australian Institute of Project Management to include such tests for Defence personnel seeking risk management accreditation, and then identify this tailored accreditation as a desirable or essential prerequisite for specified risk management roles. Defence could also include testing as part of internal professionalisation programs for risk managers.

The mindset held by senior leaders is most important because they have the ability to shape the mindset of individuals below them and hence the culture of their organisations writ large. If senior leaders hold a project risk management mindset, it will be difficult to create a culture in which subordinates embody a strategic risk management mindset because the former will impose constraints preventing the latter thriving.

To enable change, the current promotion system could be amended to reflect the value of a strategic risk management mindset by requiring performance reports to provide evidence of the mindset in action, including specific examples where calculated risks have been taken in pursuit of opportunities for strategic advantage.

Leadership roles in acquisition projects should be filled not simply based on project management skills and experience but on strategic acumen and a demonstrated understanding of how current strategic issues apply to Defence capability acquisitions. Senior leadership positions within acquisition projects are typically filled by engineers. Opening these positions to other specialisations would provide a diversity of mindset to challenge traditional, conservative risk management practices.

To assist changing the mindset of risk managers and senior leaders, current training programs could be adapted to focus on the importance of a strategic risk management mindset. Risk management training should begin by exploring contemporary strategic issues and emphasise that these issues must be accounted for in acquisition risk management. Professional military education programs which expose risk managers at all levels to strategic issues affecting Defence acquisitions should be encouraged and rewarded.

Defence personnel eligible to post to acquisition projects after courses such as the Australian Command and Staff Course, the Capability and Technology Management Program and the Defence and Strategic Studies Course could be allocated a major research project relating to the study of risk management and the importance of taking a strategic perspective as part of their studies.

To further support senior leaders making the transition from a project to a strategic risk management mindset and avoid the pitfalls of decisions made on the basis of the “highest paid person’s opinion”, controls could be introduced to inoculate against risk aversion and escalated decision making. For example, similar to Defence Chief of Service (O9 level) letters provided to O5(E) and O6(E) commanders, heads of defence acquisition organisations could provide letters to key project leadership positions at O5(E) and O6(E) levels, encouraging them to manage risk with a strategic risk management mindset and providing them explicit authority to make certain specified decisions.

These letters should be complemented by letters to more senior executives at O7(E) and O8(E) levels, expressly prohibiting them from making decisions in the same areas. This initiative does not disempower senior leaders in any way because leadership relates to influence, not the giving of orders. Rather, it would help prevent any tendency of senior leaders to feel compelled to focus in and down to manage project risk, and it would allow them to focus on their primary responsibility of establishing and maintaining an environment which enables their subordinate project staff to succeed.

Arguably, the healthy mindset and culture underpinning Defence’s health and safety risk management framework has become counterproductive in capability acquisition, having been adopted to manage non-safety related risks. While Defence has a moral and legal duty to ensure risks to the health and safety of personnel are eliminated or otherwise minimised So Far As Reasonably Practicable (SFARP), many project acquisition risks do not relate to safety and hence the “eliminate or reduce SFARP” obligation does not strictly apply. Defence has rightly embodied James Reason’s concept of “chronic unease” (“wariness to risk”) in the safety environment.

However, in the acquisition risk management environment, Defence should adopt a complementary concept that could be described as “attentive optimism” (alertness to opportunity). Doing so will ensure risk management is viewed as the means to evaluate both risk and reward, enabling MVC to be delivered in the shortest possible time. Adopting this approach will also address the inherent paradoxes of risk management which go unnoticed if the inwards and downwards project risk management mindset is adopted. These paradoxes include that controls focused only on enhancing the safety of a system can also bring about its destruction; drives to decrease safety risk can actually increase it by encouraging new risks to be taken; and adapting to the environment, rather than consistency, can treat risks most effectively.

Little change is needed in terms of policy. For example, the risk management policy of Defence’s principal acquisition organisation (Capability Acquisition and Sustainment Group [CASG]) already reflects best practice as articulated by the International Organization for Standardization (ISO) 31000:2018 risk management standard (Department of Defence, 2021a).

At an operating level, CASG policy requires the risk context to be established, including identification of “the strategic, internal and external contexts within which risk management activities are undertaken” (Department of Defence, 2021a). The problem is simply that those with a project risk management mindset will not likely identify external (strategic) factors as part of the identified context: almost by definition, individuals with a project risk management mindset will assume no relevant “context” outside the project itself exists. Once a strategic risk management mindset is adopted, this problem evaporates.

Only two important gaps between CASG policy and the ISO standard require closing. The first is that during the risk identification step, ISO 31000 is explicit that both risks and opportunities should be identified, whereas CASG policy focuses only on risk. The second is that during the risk treatment step, ISO 31000 (Risk management – ISO) recommends consideration of “taking or increasing the risk in order to pursue an opportunity”.

CASG policy is silent on any kind of risk–reward calculation. These considerations should be embodied in CASG policy in support of managers adopting a strategic risk management mindset and ensuring project risk is weighed against strategic opportunity.

CASG risk management policy guidance is also generally appropriate but should be amended to include explanatory information on the two mindsets explored in this paper, and that best practice risk management can only be undertaken by adopting a strategic risk management mindset which accounts for both risk and opportunity.

The definition of “risk” itself should also be better explained. While CASG defines “risk” identically to the ISO 31000 standard, the former does not adopt the latter’s acknowledgement of the relationship between risk and opportunity, as part of a note immediately following the definition of risk: “[i]t can be positive, negative, or both, and can address, create or result in opportunities and threats”.

To further assist risk management practitioners, CASG policy guidance should be updated to discuss how to identify relevant strategic factors during the context establishment step and how to undertake an opportunity–benefit analysis as part of the risk analysis, evaluation and treatment steps through which options and opportunities to achieve strategic advantage can be explored.

Finally, the problematic traits of hedgehogs (identified previously) should be described, with guidance on how to establish testing and procedural rules which guard against these human traits, for example the construction of “broad frames” to avoid loss aversion.

The necessary changes at the procedural level will follow once a strategic risk management mindset is adopted. Consistent with current CASG policy, the current tool (Predict!) used by CASG to manage risk supports a project risk management mindset by identifying only the requirement to evaluate “the seriousness of the consequences (impacts) should the risk event occur”, rather than also assessing the value of potential opportunities should they be realised.

This is reinforced by requiring controls to be identified and their effect on risk measured. There is no requirement whatsoever to consider opportunities and undertake trade-off studies between risk and reward.

To facilitate a strategic risk management mindset, a set of questions could be introduced into Predict!, such as “What strategic context relates to the specific risk?”; “How could eliminating or minimising the risk through imposing controls affect the creation of strategic advantage?”; “What opportunities exist through which risk could be retained in a calculated manner, in order to achieve strategic advantage?”; “How does the opportunity benefit analysis affect risk management options?”; “Do risk management controls delay MVC being delivered and if so, are they justifiable?”; and “What strategic risks could be realised if MVC is not delivered in the shortest possible time?”

Other, complementary procedural activities could be undertaken in support of embodying a strategic risk management mindset within Defence acquisition projects. For example, while good communication and collaboration often occurs between CASG as a delivery organisation and representatives from the capability manager (e.g., the three Defence Services), CASG risk management activities themselves do not always involve direct input from operators who may have a broader contextual perspective on managing risk. Operators should be involved in risk management activities, including the risk assessment process prescribed in Predict!

As part of the CASG Balanced Matrix, functions could be charged with promoting the strategic risk management mindset, professionalising the CASG workforce to enable adoption of the mindset and developing supporting policy and procedures. Finally, governance and assurance mechanisms including CASG independent assurance reviews and Contestability Division could be tasked with ensuring risk managers adopt a strategic risk management mindset and that CASG culture supports managing risk to enable MVC in the shortest possible time.

Final thoughts

While I have taken a critical view of Defence’s current project risk management mindset, the more important message is one of optimism and opportunity.

If Defence adopts a strategic risk management mindset in which acquisition risks are managed with reference to the broader strategic context, it can more easily work to achieve the recommendations of the DSR and NDS and deliver MVC in the shortest possible time.

It is important to recognise that there are complicating factors within the strategic context, some of which Defence does not control. Defence acquisition projects are often highly complex undertakings, meaning that risk management is, by nature, difficult, akin more to an art than a science.

Furthermore, because Defence projects are often high cost, long duration and high profile, there will necessarily be limitations on how far calculated risks can be taken before bureaucratic and political influences impose constraints.

Nevertheless, the DSR’s observations about acquisition risk management are clear and have been reiterated in more recent policy including the NDS and DIDS. These strategic papers are clearly reflective of Australia’s current strategic environment and Defence can and should do more to balance its ingrained aversion to risk by adopting a mindset that evaluates calculated risk taking against potential strategic rewards.

Adopting a strategic risk management mindset is the key to that endeavour. While this article focuses on acquisition risk management, the principles articulated can be applied to managing Defence’s business more generally, especially in removing management processes which stifle or slow down Defence activities and work against the delivery of effective outcomes.

For example, the Defence Culture Leadership Companion recognises Defence must undergo “significant improvement” in “streamlining and reforming the current … systems of governance, decision making, and management” and ensure leaders embody a “mindset … [of] letting go of existing or long-standing practices and habits and being the person who has traditionally known ‘everything’”.

The need for a strategic risk management mindset applies even to the most fundamental Defence activities. As a raft of influential literature has acknowledged, defence planning itself is all about risk management.

This was republished with the author’s approval, with the full version previously published by the Air and Space Power Centre.

Group Captain David Hood is an aeronautical engineer working for the Royal Australian Air Force. He holds a master of gas turbine technology (Cranfield, UK) and a master of military and defence studies (Australian National University).
