When bidding on a federal contract, an RFP often asks for a risk management plan and a description of risks and how you plan to mitigate them.
Here's how to identify and address risk in your technical section.
Guest: Michael Cushman, Cushman and Associates
Prefer to read? Here's the transcript.
Ray Thibodeaux: Welcome to Keys to Winning, a podcast where we talk about government contracting topics, such as proposal development, business development, wind strategies, and more. Keys to Winning, produced by AOC Key Solutions, a leading bid and proposal development firm, gives you a chance to learn from leaders and experts in their fields. I am Raymond Thibodeaux, today's host of Keys to Winning.
Ray Thibodeaux: Risk comes in many flavors: program risk, schedule risk, transition risk, et cetera. When bidding on a federal proposal, an RFP often asks for a risk management plan and a description of risk and how you plan to mitigate them. Sounds simple enough, but there are factors that need to be considered when addressing risk in your technical section and other sections. Luckily, we have Mike Cushman, a risk specialist and a Key Solutions associate to talk us through the process of identifying risks and beyond. Mike, thanks for being on the podcast.
Mike Cushman: Hi, Ray. Pleased to be here.
Ray Thibodeaux: First of all, you've handled risk identification and mitigation. Let's just say risk management for some fairly big clients: British Petroleum, Shell, Exxon and others. Can you tell us a little bit about your experience with that?
Mike Cushman: Sure. In fact, working for very large oil and gas companies has given me different insight into federal government procurement, particularly when it comes to risk management, particularly the level of rigor that folks in different industries, such as oil and gas or airline industry for example ... just different industries bring different perspectives, and that's kind of what I was going to talk to you about today.
Ray Thibodeaux: I like the idea that you have worked for these companies where risk is taken seriously, which kind of leads me to the next question. Most companies measure risk on a three by three or five by five matrix. Some companies you've worked for are much more detailed about their risks, which stands to reason since there's more at stake. Can you describe the difference between the way risk is handled in say oil and gas industry as opposed to the typical federal contractor?
Mike Cushman: Absolutely. In its essence, it's about rigor. By that I mean it's the definition behind the process that gives you confidence that the process is going to work. By that I mean, you've got a situation where you may have a several billion dollar project, which can be similar to some government programs, but in the oil and gas industry for example, think about the things that can go wrong. You can have a big environmental disaster as we've heard about in recent years. You can have multiple fatalities. You can have very significant multi-million dollar cost overruns.
Mike Cushman: So the rigor behind their risk management process is to define the risks around these potential consequences. They'll add definitions to environmental damage. They'll add definitions to costs and schedule overruns. They'll add definitions to health and safety. By that measurement, you talked about a three by three or a five by five, I've seen companies that use an eight by eight or a ten by ten. That allows them to add a lot of specificity along the impact parameters, not just for cost, but like I said it could be health, safety, environmental, schedule, et cetera.
Mike Cushman: You have a low impact with a low likelihood of recurrence, that might be a green level risk. A medium and a medium may be a yellow level risk. A high and a high might get you into some red categories on your three by three. Same thing with a five by five or however many columns of definition you have.
Ray Thibodeaux: You and I have talked before about a process or a cycle more like with six or seven clearly defined steps for identifying, assessing, and tracking risk. Can you elaborate on it a little bit?
Mike Cushman: Sure. A typical seven step process. Risk planning, risk identification, risk assessment, risk response, monitoring and control, and then learning and closure and governance. So risk planning would be to have a process in place. The process in place explains how you're going to get the right people in the room that you have your information identified. We talked about the risk matrix, for example. Likewise, to the impacts, you would have the likelihood of occurrence explained as well for the various low, medium, high or however many definitions you have.
Mike Cushman: So when you have that planning together, then you got the next step, which is risk identification. Again, it depends on what you're talking about in your proposal. If you're talking about your risk process, then you would explain the risk identification that you're talking about getting risk for a specific section such as the transition section, for example, or the project management section. You might have a different audience in the group. By audience, I mean do you need to have an HR rep in there? Do you need to have a QA rep? Do you need to have project managers or technical experts? Is this an IT project you're talking about? Is it a construction project you're talking about?
Mike Cushman: So the risk identification session is really where you get the folks in the room and you really want to capture these risks. I think that a lot of folks will just start with a list of issues and concerns and then call that your risk. What I'm preaching here is that you take a little bit more rigor, and by asking yourselves a set of questions such as, what is the risk impact? That's what most people think of as the risk, but what caused that risk? What were the consequences? Did it lead to additional cost, rework, scheduled delays?
Mike Cushman: So the impact is what goes into that matrix we talked about earlier. That may either help us to avoid the risk or should the risk take place, hopefully you would have less of an impact because we've planned in advance. All of this feeds into your risk register, and that's where the monitoring and controls takes place. Those mitigations we talked about, if they're just our quality control plan addresses this. That's not as hard hitting as, "Ray is going to do this action by this due date." If you track those in either your regular risk meetings, your client meetings, your project meetings, et cetera, you've got a bit more rigor behind it. It becomes part of your program management philosophy, and then you learn from that because as you go on an repeat contracts if it's small contracts, if you do several smaller ones, you learn from each one, and you can document your risk the same way you do with your lessons learned and best practices, for example.
Mike Cushman: Then governance, the seventh step, is tying it into your philosophy of your business and making this a part of your project management approach, making it part of if you bring this level of rigor and put it into a page or two in your proposal where it's called for demonstrating that you take this seriously and have a solid industry best practice process behind methodology to your risk management, you're bringing value to your client.
Mike Cushman: So hopefully that did not take too long to explain that.
Ray Thibodeaux: That's a thorough description of that cycle and the steps involved in that. So that's good. Often during a proposal, if it's a requirement a proposal team will cobble together a risk table for their solution and it seems to be more like a list of issues and concerns. It feels cursory, almost like, "We need a risk table. Anybody know of any risks?" I'm exaggerating of course, but some companies as you've mentioned take risk very seriously. Why is it important to have the right people in the room when defining risk and strategies for mitigating them?
Mike Cushman: Well, any risk that's identified is as good as the people that were identifying the risk. If you're lucky and you've got a seasoned government contracting professional that happened to have been either a contracting officer or a contracting manager for 30 years, you're probably going to get fantastic advice. If you're not so lucky, the best thing to do is get many skilled people together. So you should get your proposed project manager in there. You should get your proposed transition manager in there or your proposed quality manager.
Ray Thibodeaux: There's often resistance by some companies to mention some risk or to have maybe too big a risk table, as if that would tip off the government to weaknesses in your solution that it might not have considered otherwise. It's as if some risks need to stay hidden from the customer. Is there some truth to that?
Mike Cushman: Well, I know you've seen it and I've seen it before as well. I think that that's something that's sort of the fear of the unknown. I think the open, honest approach is the best, but certainly there's some folks that are like, "Okay, if we do too good a job at identifying risk, it looks like we're really not prepared for this contract or we're really worried or we're ..." some negative connotation to risk management. People have this artificial thing where they just say, "Six sounds like the right number of risks I'd like to propose. No more than eight certainly. Definitely not ten or twelve."
Mike Cushman: Oftentimes, we're not going to win those arguments with our clients, but we can educate them on the process. We can explain to them that it doesn't necessarily mean it's a weakness of our part. It means it's an acknowledgement of the risk.
Ray Thibodeaux: Some companies and government agencies for that matter distinguish between issues and risks to indicate issues that haven't risen to the level of a risk. Can you explain what that distinction is?
Mike Cushman: So from my experience, a lot of folks will just very bluntly say, "Look, that laundry list of issues you have, that's your day job. That doesn't need to be reported because quite frankly, that's why we pay you, right? That list of things that you're concerned about, you should be concerned about because that's your day job." Again, going back to the rigorous process, if you were to put the things that are on your day to day issues list and rank them, do they all come out green? It's okay to have some green risks. Some people say, "I don't want to know about it if it's that low."
Ray Thibodeaux: This might be an obvious question, but how and why do you document and track risk besides the fact that some contracts require it? Shouldn't companies be doing this as a matter of course?
Mike Cushman: I would certainly hope so, Ray. I think that if you're going to track lessons learned and best practices, this kind of goes hand in hand, particularly if a risk takes place. It's good to know when you do an after action review, for example, what did you think beforehand? Did this come up in conversations? Did we know that this could happen? Did we think about it? Did we dismiss it or did we say that it could be caused by the following things and then we had eight mitigation items to address those things?
Mike Cushman: By having all this documented and in a living register of both open risk and previously closed and addressed risk, and it's good to be able to come back to it.
Ray Thibodeaux: Very practical advice and probably a good note to end on. Thanks, Mike, for being on the podcast. I appreciate it.
Mike Cushman: Hey, Ray. Thanks a lot. I look forward to working with you again in the near future.
Ray Thibodeaux: And we'll close there. I am Raymond Thibodeaux and this has been Keys to Winning from AOC Key Solutions Incorporated, or KSI, a consulting firm that has helped companies across the country win billions of dollars in federal contracts. Learn more at www.aockeysolutions.com or follow us on LinkedIn. Be sure to subscribe for more podcasts from this series, and thank you for listening.
ABOUT KEYS TO WINNING:
Keys to Winning is a podcast that shares practical advice for GovCon professionals from industry experts. Topics covered include Proposal Development, Government Contracting, VOSBs, WOSBs, and more. Episodes are 15 minutes or less and are posted bi-weekly on Thursday morning. The podcast is hosted by Raymond Thibodeaux, a Senior Proposal Specialist with AOC Key Solutions.