There is no better way to convince a potential customer that yours is the right company for the job than to demonstrate a true understanding of the risks the program will be up against and to come up with plans to mitigate those risks upfront. But in many proposals, the Risk Management section ends up as a missed opportunity to shine at best and a setback at worst. Rather than showcasing a real knowledge and understanding of the program and proposed solutions, the risk section falls flat or actually does harm.
It happens for two reasons. One reason is that many proposal teams fail to put enough time and consideration into developing a solid risk section. They assign one author to write it and then shift their focus to other work. What they do not realize is that great risk sections are usually born from hours of intensive brainstorming and input from every key player who truly understands the program. Instead, the process by which most risk management sections are written leaves little room for success. It is impossible for a single author to draw out and evaluate all of the program’s risks.
The second reason is that some people simply do not know what good risk management sections should look like. Usually a risk management section includes an introduction that discusses your risk management methodology, and then a risk matrix presenting specific program risks.
You can find good fodder on risk management methodologies for your section’s introduction by reading the NAVSO P-3686 Top Eleven Ways to Manage Technical Risk at http://acquisition.navy.mil/content/view/full/3988, or visiting the Defense Acquisition University’s risk management community at https://acc.dau.mil/rm. The more difficult part of the section, however, is describing the actual risks in a form of a risk matrix.
Whereas the discussion of the risk management process is normally adequate, the quality of the risk matrix for the program is usually poor. Many risk matrices tend to follow this train of broken logic: “If we fail to provide such and such (with “such and such” standing for something that is expected from any good company doing well in this line of business), this horrible thing will happen.” For example, “If no Customer Satisfaction Survey is established, there will be no feedback on Service Desk performance, which may lead to undetected systemic problems resulting in lower customer satisfaction.” Then, the risk mitigation strategy is to “Establish a Customer Satisfaction Survey.” This type of risk and mitigation statement reads as an exercise in shooting oneself in the foot. Essentially, it says to the customer, “If we do not know what we are doing and we fail to do what any decent company should do if it wins the bid, then we will fail.” It is ineffective to offer a risk like this and then to offer a mitigation such as, “But we do know what we are doing.”
Consider another example where the risk is of “Equipment not identified early enough or critical equipment items not identified” and the mitigation is something as rudimentary as “Ensure early identification of long-lead items.” Think about this from the standpoint of the customer. If the customer is choosing an expert logistics company, and one of your company’s key programmatic risks is that someone will fail to identify equipment in advance, what kind of image are you projecting?
A good rule for risks is to avoid representing as a risk anything that is within your company’s control as well as anything that any reasonably good company would do in this line of business. The examples of “risks” cited above do belong in the proposal, but only as elements of the technical or management approach, and not as components of the risk matrix. What goes into the risk matrix should be something that is truly a risk. A risk is a potential event which, if it occurs and becomes a problem, will negatively affect the ability of the project to achieve its cost, schedule, or performance goals. Although program risks can be both internal and external, the kinds of risks you need to show in your proposal must be those external to the company’s own abilities to plan and manage the program well, or, in other words, those that are inherent to the nature of the job.
To drive this concept home, let’s use an analogy of a woman going through pregnancy and childbirth. Let’s say that there are things that educated pregnant women know to do to maximize their chances of success, such as going to the doctor for exams, taking their supplements, and getting plenty of rest. And then, there are risks that could possibly occur due to the nature of the process, such as any number of medical complications that are common to pregnancy and childbirth that could affect the cost (medical bills), schedule (carrying the baby to term), or performance goals (giving birth to a healthy child). If a woman were to put together a risk matrix for a proposal to become pregnant, documenting the risks of what would happen if she did not have timely medical exams would usually spell out her irresponsibility, whereas documenting possible medical complications inherent to the nature of pregnancy would demonstrate a thorough and thoughtful understanding of the risks.
There are only three categories of risks that should be presented in proposals:
1. Risks due to lack of information or knowledge about the project that could only be gained in the process of project execution;
2. Risks due to lack of control or resources to deal with the external events or authorities; and
3. Risk due to lack of time to complete tasks sequentially and methodically.
An example of a good risk statement, if performing a project at a facility where no site survey has been completed, would be that the “Existing facility is not large enough to support the required number of personnel for the Service Desk function, which could lead to inability to provide the required services.” The mitigation would then be identifying an alternative to the existing facility in case the survey findings confirm this risk instance. Not getting environmental licenses and regulatory approvals in time because of the issuing agency’s notorious scrutiny is another example of a well-identified risk. A good mitigation could talk about expert bodies, relationships with the regulators and local authorities, and the ability to design and build in accordance with every possible standard.
If the proposal requirements do not call for a separate risk section, risks analysis is still important. Discussion of applicable risks and mitigation strategies should be included into each section, to showcase your understanding of the job at hand.
It is critical to remember that the only way to come up with solid risk section content is to collaborate as an entire team, rather than assigning a single author to complete the entire section. It is a good idea to have a mediator who can point out the holes and flaws in your risk ideas. A mediator will also ensure that you avoid the pitfall of inadvertently stating as a risk that your company is unfit for the job, and then stating for the mitigation that your company is fit for the job. Falling into such a trap is a sure way for your company to lose in a close competition. But if you are systematic and you put enough time into creating an outstanding risk section, it is one of the surest ways to convince the customer that yours is the right company for the job.
-------
Olessia Smotrova-Taylor is president of OST Global Solutions, Inc, a Washington, DC Metro Area company providing
capture and proposal management support and training to companies seeking to win business. You can visit her website at
www.OSTGlobalSolutions.com.
