This post first appeared on GAO Reports.
What GAO Found
Managing acquisition risks—potential negative effects on a program’s cost, schedule, and performance—is critical for a program to achieve its objectives. GAO previously found that acquisition programs tend to be overly optimistic when assessing their risks, underestimating the resources or time needed to develop and field capabilities. GAO and others identified six leading principles of acquisition risk management that are applicable to programs and portfolios, which are groups of related programs, such as Coast Guard ships.
[Figure: Leading Principles for Acquisition Risk Management Applicable to Programs and Portfolios]
At the program level, the Department of Homeland Security’s (DHS) risk management guidance broadly reflects these leading principles. DHS guidance encourages programs to engage with stakeholders and leadership throughout their acquisition life cycles. GAO found examples of this communication in practice, such as when programs prepared for acquisition decision events, a series of critical milestones designed for oversight. However, GAO found gaps in DHS guidance and programs’ implementation of the communication leading principle. Specifically, GAO found instances in which selected programs did not consistently track and incorporate stakeholder input or provide current risk data to DHS leadership. Ensuring that DHS guidance conforms with leading principles on documenting stakeholder input and communicating up-to-date information to leadership would improve DHS’s ability to manage acquisition risks.
DHS’s guidance also falls short in addressing leading principles at the portfolio level, which involves consideration of interdependencies and enterprise-level risks. For example, the guidance does not address how officials should identify portfolio-level risks—one of the six leading principles. Further, officials from two DHS components stated that having portfolio risk management guidance would be helpful to ensure consideration of these risks. Having such guidance would enhance DHS’s ability to manage risks across its portfolio of programs and make decisions that optimize the portfolio’s resources rather than considering risks solely on a program-by-program basis. DHS plans to update its acquisition risk management guidance by fall of 2023, which presents an opportunity to address these gaps and enhance DHS’s risk management process.
Why GAO Did This Study
DHS and its components acquire systems to help carry out multiple critical missions. In fiscal year 2023, DHS plans to spend over $4 billion on these systems. In May 2019, DHS revised its acquisition policy to better incorporate risk management—a continuous process to systematically track and manage risks.
GAO was asked to review DHS’s acquisition risk management process for its major acquisition programs—those with life-cycle cost estimates of $300 million or more. This report assesses, among other issues, the extent to which DHS has addressed risk management at (1) the program level, including involving stakeholders and leadership, and (2) the portfolio level.
GAO reviewed acquisition risk management policies and guidance from DHS and the eight components that manage major acquisition programs. GAO also reviewed how a nongeneralizable sample of five programs from within these components managed risks. GAO selected the sample based on a representation of components and a mix of IT and non-IT programs, among other criteria.