Risk Management Cannot Be Static

Risk management should not be thought of as a one-time, static accomplishment. Instead, Department of Defense (DoD) officials need to manage risk constantly across the enterprise and take more risks in testing environments, according to a panel of Defense Department and industry leaders speaking November 2 at AFCEA’s TechNet Indo-Pacific conference in Honolulu, Hawaii.

“I think that we try to put risk management in a box sometimes and assume that we need one restrictive thing,” emphasized Lauren Barrett Knausenberger, chief information officer, Department of the Air Force. “To me, risk management is looking at the whole of what I need to accomplish and making sure that the risk of acting does not outweigh the risk of not acting.”

Miyi Chung, chief, Infrastructure and Services Division, and technical director, Defense Information Systems Agency Pacific (DISA PAC), enhances operational readiness of enterprise infrastructure and services at DISA PAC. She emphasized that the military’s current, important goals of increased collaboration and building joint combined coalition environments naturally bring more risk. “Each one of these imperatives increases risk,” Chung said. “We have to collectively buy down risk in this theater.”

Rear Adm. Susan BryerJoyner, USN, deputy J-6 for Joint All-Domain Command and Control (JADC2), deputy director, the Joint Staff, who leads the JADC2 Cross-Functional Team said, “For me, risk management is about how we get to ‘yes’ and getting the mission done. At the end of the day, cybersecurity risk management, it is not about saying no. [It is] how do we make sure that the mission gets accomplished securely and safely. And when I talk about that, it's important to understand that risk management is not static. The environment is changing constantly. And if we are not managing risk constantly across the enterprise, the adversary gets a vote. Our configuration management gets overlooked, and our vendors get a vote because at the end of the day when we talk about risk management, it's about all of the components that comprise our warfighting capability.”

In addition, Knausenberger cautioned leaders from equating mission risks and taking risks in testing. When she first came to the DoD in 2017, many people warned her that the Defense Department would be very risk averse and that it would be difficult to accomplish anything given the aversion to risk. Knausenberger found, however, in speaking to the Defense Innovation Board and experts such as Neil deGrasse Tyson, that the DoD was not necessarily risk averse.

“We take absolutely crazy risks that I do not understand at all because we put unreasonable litmus tests to try new things,” she stated. “We are very uncomfortable with trying new things. We don't know how to assess new things. But that doesn't mean that it's riskier to do a new thing …. These are the types of discussions that we have over and over again: ‘What's more important? My ability to fly tonight and fight and win and know that the operational commander and the pilots and the operators know what is at stake.’ We are not going to let something [get in the way] of the mission, but it all has to come into the calculus.”

And after seeing Space X’s Gwynne Shotwell speak last year at the Air and Space Forces Association’s (AFA’s) annual meetings, Knausenberger could see that the DoD understands how risks must be balanced for mission success but is falling short on risk taking in testing environments and how some military leaders are conjoining the two.

“[The thing is] we are not taking risks in the test range, and as a result, we're pushing the risks to warfighters,” she said. “I heard Gwynne Shotwell speak at AFA last year, and someone asked her a question about risk. ‘Are you guys risk averse and what do you think about failure?’ And she started with ‘failure is not an option.’ She said, ‘We will take lots of risks at the test range. We’ll blow up a dozen rockets on the test range, but when it is time for mission go, failure is not an option.’ And so I think that we at DoD sometimes equate the two things and they are not [equal].”

Juliana Vida, group vice president and chief strategy advisor, Splunk, who spent 24 years in the Navy as a surface warfare officer and naval aviator, explained that Splunk has a global intelligence team, similar to a lot of companies, where the team identifies risks that affect corporate decisions.

Their team defines the process “as identifying threats, communicating them effectively to decision-makers to keep people safe and keep the business running,” she said. “And this helps us make investments, mitigate risk and respond to residual risks.”

Vida suggests that the DoD consider innovation risk in a different way.

“I think the department falls down when they look at technology risk mitigation as risk management that is different than any other kind of risk management, and it isn't,” she stated. “It's the same. You learn, you gather intelligence, you figure out what the risks and opportunities are, you make trades. And you can't stop [mitigating] risks. You can’t stop moving towards the mission.”

Meanwhile, Mary Smith, an assistant professor of computer science at Hawaii Pacific University, offered a perspective from academia, given her 25 years of information system experience and educating and raising the next generation of computer professionals. She advised that it is important to construct a robust initial risk management process.

“Before talking about risk management, whether it's a software engineering class or whether it's a computer programming class or capstone class, I first talk about knowing your objective and what are you trying to accomplish,” Smith said. "And I have them go through the risk management process as far as knowing your objective, jotting it down, focusing on that and identifying the possible risks that could prevent them from getting to whatever the objective is. And then we might use a matrix to categorize how likely a risk is …. how likely it would occur, as well as what's the magnitude and what's the cost of that risk. It is all first explaining the risk process, how to identify, how we prioritize and then what comfort level we are with taking those risks because we can't control all risks. We need to identify and will pick those that have the highest cost to us.”