If you read between the lines of Sun Tzu’s classic The Art of War, you will find much of the book is dedicated to risk identification and mitigation. Sun Tzu explains “Now the general who wins a battle makes many calculations in his temple before the battle is fought. The general who loses a battle makes but few calculations beforehand.” This session will present a model for rapidly forecasting risk and assessing your risk exposure. To facilitate the assessment of a bid’s risk exposure, attendees will receive risk symptom checklists. They can use the checklists to detect the early warning signs risks are approaching or test their overall risk awareness. The session will also present case studies explaining how you can rebound from risks including limited information about the client or competition, tight schedules, moving deadlines, scarce resources, and delusional colleagues.
1. Risk and Response Brenda Crist, Managing Director, Lohfeld Consulting Group
2. Agenda Recognize Risks Be Aware of Risk Standards and Frameworks Use Risk Management Processes and Best Practices Use Risk Management Tools Address Risks Throughout the Bid Lifecycle Establish a Risk Management Policy
3. Learning Objectives This presentation covers multiple topics required for accreditation training including: Risk definition and recognition How to establish and implement a proposal risk management policy How to escalate or own proposal risks
4. Recognize Risks Risks to your proposal management (schedule, resources, equipment, process, communications, cost) Risks to your proposed solution (price, technical solution, past performance, management, personnel) Both types of risks impact the win probability
5. Not Addressing Risks… is like a snowball rolling down the hill: it keeps getting bigger and bigger
6. Group Discussion of Common Risks Little executive focus and dilution of resources away from business targets Lack of teamwork between operations, business development, capture, and proposals Inadequate proposal-related Knowledge Management (KM) processes and tools "Incumbentitis," "We Know Best," "We Know This Customer" Limited knowledge of the customer and competitors
7. Leading Risk Standards and Frameworks Project Management Institute National Institute of Standards and Technology International Organization for Standardization (risk management ISO 31000) Other Resources
9. Communications and Escalation Have a single Risk Register to document and manage risks Assign risk communications roles and responsibilities Identify and communicate risks in the standup meeting Have a defined and efficient risk mitigation path leading to executives
10. Quantitative Risk Assessment Sample Risk Score = Probability * Impact Risk Score values are between 1 and 4 (with 4 being the highest risk) or red, yellow, green, blue Risk Probability values are between 0.1 (Remote Chance) and 1.0 (Certain) Risk Impact values are between 1 (Insignificant) and 4 (Unable to meet objectives)
12. Use Risk Management Tools Risk management tools embedded with enterprise database products Ticket management systems Risk registers installed on automated collaboration tools enabled with automated workflow Open source risk management tools Risk management mobile apps The tools will help record, track, and analyze risks
13. Use Risk Symptom Checklists The Checklists Should Cover the Entire Business Development, Capture, and Proposal Life Cycle
14. Conduct Testing and Contingency Planning Routinely test all production equipment and tools to verify they are in good working condition A good rule is to always have a primary risk mitigation plan (Plan A) and a contingency plan (Plan B) for all risks
15. Address Risks Throughout the Bid Lifecycle 15 Pursuit Identification Lessons Learned (White Team) Solution Development (Blue Team) Delivery Competitive Analysis (Black Hat Team) Production Planning Phase (at Kick-Off) Business Case Review (Gold Team) Final Document Development (Red Team) Proposal Strategy (Pink Team)
23. Solution Development (Blue Team) Risks By the time the RFP arrives you should have: Ability to transition without impacting operations Identified your past performance and obtained the customer’s approval Clearly documented your understanding of the requirements Created a technical/mgt solution w/customer buy-in Identified labor categories/personnel Drafted an executive summary and compelling win themes Completed a realistic price to win Early identification of risks mitigates issues and reduces costs during proposal development
25. Competitive Analysis (Black Hat Team) Risks Misunderstanding your strengths, weaknesses, opportunities and threats Misunderstanding of the competition’s strengths, weaknesses, opportunities and threats
27. Proposal Strategy (Pink Team) Risks Solution Risks Limited executive support for proposal strategy Unconvincing proposal strategy Critical information is missing Proposal Risks Roles and responsibilities are not clearly defined Cumbersome strategy development process Insufficient resources for writing and reviewing Proposal strategy not effectively communicated vertically and horizontally across the organization
29. Final Document Development/Review (Red Team) Final Document Solution Risk Insufficient understanding Incomplete tech/mgt solution Missing information/resumes Final Document Proposal Management Risks Non-compliance w/RFP requirements/instructions Insufficient review time Intelligible comments from review team This is where the snowball-size risks become an avalanche if not addressed previously
31. Production and Delivery Risks Inadequate production and delivery planning resulting in errors or a late proposal Insufficient time for production and delivery resulting in quality or compliance errors Single points of failure Configuration control problems resulting in the wrong proposal/sections being delivered Security risks resulting in virus-infected files or inadvertent release of the proposal
33. Lessons Learned (White Team) Risks Not supported or scheduled by executives No method for using findings to improve processes, tools or resources Insufficient access to lessons learned Always conduct a lessons learned review session; it is one of the best methods of ensuring risks do not happen twice
34. Create a Risk Management Policy Define risk mitigation and escalation procedures Promote accountability by assigning roles and responsibilities Raise the visibility of risks through defined escalation procedures Increase the likelihood schedules are met through specific risk mitigation actions
35. Risk Management Policy Contents Risk Policy Elements Roles and responsibilities Communications Risk identification Risk impact assessment Escalation process Recommendations process Approval process Risk monitoring and testing Lessons Learned
37. Contact Information Brenda Crist, Principal Consultant, Lohfeld Consulting Group, Inc. Creating Winning Proposals for Government Contractors 301-466-9566 (m) bcrist@lohfeldconsulting.com www.LohfeldConsulting.com @Lohfeld facebook.com/LohfeldConsulting Copyright 2011 Lohfeld Consulting Group, Inc. All rights reserved.
Editor's Notes
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Reference: Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46. Also see the Shipley Associates Proposal Guide Third Edition, pages 229-230, entitled Risk Management.
What you don’t address upstream comes downstream
This list came from a LinkedIn discussion I initiated about common risks that affect your proposal; however, the list is infinite, and I will invite the class to identify their most common proposal risks.
One of the foundations of the Project Management Institute (PMI) Project Management Body of Knowledge (PMBoK®) is risk management. The PMBoK covers how to identify risks, create a risk register, apply quantitative/qualitative risk analyses, plan for the risk response, implement and complete risk monitoring and control, and examine the results of risk control. PMI has also created a Risk Management Professional certification.
In their 800-30 Special Publication, the U.S. National Institute of Standards and Technology published the Risk Management Guide for Information Technology Systems by Gary Stoneburner, Alice Goguen, and Alexis Feringa, July 2002. It presents a practical guide for mitigating risk related to system development. The special publication describes how to conduct risk mitigation by: Step 1 System Characterization; Step 2 Threat Identification; Step 3 Vulnerability Identification; Step 4 Control Analysis; Step 5 Likelihood Determination; Step 6 Impact Analysis; Step 7 Risk Determination; Step 8 Control Recommendations; and Step 9 Results Documentation. Many of these practices can be applied to mitigation of risks associated with a specific solution or proposal.
ISO 31000:2009 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. The standard focuses on identifying and mitigating accountability gaps in enterprise risk management, developing risk reporting systems, and implementing uniform risk criteria and metrics.
Other Resources
Larry Newman (2006). Shipley Associates Proposal Guide Third Edition, pages 229-230, entitled Risk Management. (Note: This book discusses how to recognize risks, develop a risk management strategy, how to mitigate solution risk and discuss risk in each proposal section.)
Michel Crouhy, Dan Galai, and Robert Mark (2005). The Essentials of Risk Management. McGraw-Hill Companies.
Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons.
A risk management approach should deliver a quantitative and realistic assessment of risk impact, provide targeted solutions that resolve the risk from the customer’s point of view, and keep all parties informed of the risk mitigation status.
Encourage proposal team members to identify and report risks to the designated Risk Manager or Capture/Proposal Manager.
To assist staff members in proactive risk identification, distribute a Risk Symptom Checklist that describes indicators for cost, schedule, technical, and resource risks. Routinely update the checklist with new risk indicators and lessons learned.
Document the risk in a Risk Register.
Once documented, categorize and prioritize the risk, analyze the risk in terms of its likelihood of occurrence and impact, and assign it a score. Determine the root cause of the risk and whether it is a single incident or a recurring problem.
Develop risk mitigation strategies and backup or contingency plans in case our original solution does not work as planned.
Implement the solution.
Monitor the solution to ensure it accomplishes its intended result.
Here is an example scorecard format for making pursuit decisions. Note that each factor is weighted differently for each company/opportunity. Strategic fit may be more important than financial objectives to one company, but the least important to another company. Set thresholds below which you will not bid. Develop a scale to measure progress that is easily understood within the company.
1. Make sure you have a strategic fit with corporate goals.
2. Ensure you understand the customer’s requirements; if the customer wants a help desk for $100k, don’t sell them a network operating center for $1M.
3. Deliver a solution that fits the requirements, budget, and culture.
4. If you don’t know you are delivering the solution, don’t send them a proposal to introduce yourself.
5. Understand the competitive landscape and your competitors’ strengths, weaknesses, opportunities, and threats.
6. Ensure the bid meets your financial objectives. Some bids may take up to a year to win, so ensure you can wait that long to return profits.
7. Ensure you can afford to pursue the bid; some bids, like IDIQs, can be expensive to bid and do not provide immediate returns.
Create a Risk Register in the earliest stages of bid identification. There are many categories of application enabling you to manage risk. Select the one that matches your organization’s needs:
Many large companies have access to enterprise databases with sophisticated risk management tools.
Ticket management systems ranging from complex to simple also allow you to create a ticket, assign risk, and escalate the ticket.
Most companies have access to automated collaboration tools enabling you to create a risk register and automate/escalate workflow.
There are a limited number of free/shareware risk management tools; however, most are geared to the insurance industry.
There are also a number of mobile apps available on iPhones that enable you to manage risks.
Hand out Risk Symptom Checklists
Roles and Responsibilities
Executives: Create risk management policies; provide sufficient resources; deliver risk management guidance; promptly review/approve mitigation solutions.
Capture and Proposal Managers: Proactively identify risks; provide forums for communicating risks; deliver methods for tracking risks; oversee the implementation of risk mitigation solutions.
Entire Capture/Proposal Team: Identify, document, and communicate risks; define the risk impact; implement risk management solutions and monitor solutions.
Identification – make early risk identification everyone’s responsibility; define a process for risk identification and documentation.
Communications – make risk reviews part of the standup or weekly communications meetings.
Escalation – define a specific escalation path and timeline for resolving risks with SLAs.
Approval and Accountability – identify who is responsible and accountable for seeing the risk is resolved and approving the solution.
Remember the snowball – address risks early in the lifecycle before the risks impact operations
Case History: A mid-sized company had recently won a GWAC with limited competition. Soon a large $10M task order came out. The incumbent was a large call center management and data center firm to whom the client outsourced the work. The intelligence gathered by the company indicated the customer generally liked the incumbent’s work but thought the cost was high. The RFP required a mature call center operation with multiple backup centers across the country and a sophisticated information retrieval system and monitoring capabilities. The company was excited by the new task order. The company’s core competency was call center operations and executives immediately decided to bid on the job. The bid was complex and would require a significant amount of the company’s resources over the six-week bid period. However, the company lacked many of the features and capabilities required (not desired) by the client. In addition, they had never met the customer or performed work for the customer’s organization. What risks do you see?
During the Solution Review, validate your strategy/solution and ensure it provides a clear advantage in comparison to the competition. Case History: The company appointed the BD and Capture Manager to gather as much information as possible about the customer and respond to the bid requirements. The company also appointed a lead SME to start coordinating the technical solution. The SME was in their main office located two time zones away. The SMEs in the technical office were unfamiliar with addressing government proposals because they had only responded to commercial proposals to date, were annoyed by the level of detail required, and did not want to give away their secret sauce. So they sent portions of previous commercial proposals to respond to the RFP requirements. They tried to fill technical solution gaps, but were only able to fill 75% of the gaps. The proposal team began working on getting templates, past performance information, resumes, etc. into shape while they waited for the technical and management solution. What risks did you detect?
Case History: The company had not done an extensive analysis of its competition.
Case History: By the time the Pink Team arrived, executives were still energetic about the proposal. They had developed a win strategy based on the company’s strengths and strong past performance. They had found small businesses to meet the small business requirements. The executives had still not made contact with the customer or the customer’s organization; however, they had talked to one of the customer’s vendors. The company was also missing key pieces of the solution including a secure backup call center and an information retrieval system. The executives decided to bypass the storyboard and start writing a final document. What risks do you see here?
Case History: The proposal team had done their best to present a final document given the information and solutions provided. They were confused in some cases about what the client wanted, because the RFP was poorly written. When they did not have a solution to a customer requirement, they fluffed over it with vague wording. The document was compliant and attractive, and reviewers had been given sufficient time to review the document. When the executives and partners read the document, a meltdown occurred and they scored the technical and management sections as red. The executives decided to resolve the problem by calling in a new capture manager and called for another red team review. What risks do you see?
Luckily the task order was given a two-week extension due to extensive questions by offerors. However, the client did not have the staff to respond to the questions, the responses were non-existent, and the pricing became even more confusing. So the executives decided to redouble the proposal efforts and start working nights and weekends. When the business case review was presented to them, they saw the technical requirements were still not met and, in an effort to unseat the incumbent, the pricing was overly risky. What risks do you see?
Case History: The company never got to this step, because they pulled the plug on the proposal. Case History 2: A company planned sufficient time for proposal preparation and delivery. The proposal was for the U.S. Post Office and they sent the package via the U.S. postal system. However, the package was lost the day before it was to be delivered. How would you mitigate the risk?
What lessons did you learn from our case histories?
To mitigate risk, implement a Risk Management Policy in your organization.