We have always looked to Lockheed Martin for leading practices in subcontractor management. Unlike far too many other A&D contractors, LockMart has created a position of Subcontract Project Manager—acknowledging and reinforcing the position that subcontractor management is a critical aspect of program management.

We are not going to recap our many posted pleas to get your subcontract management act together. We are not going to repeat our assertion—posted here many times—that effective subcontractor management is the key to effective program management. Instead we are going to focus today on subcontractor risk management, which is a subset of overall program risk management.

The state of the art with respect to program risk management is unfortunately immature. Sure, almost every program has a “risk register” (which is almost always offset by an “opportunity register” as if risks and opportunities were mathematically required to equally balance each other). In some companies the risks are dollarized (probability of occurrence times estimated impact) and then used in Estimate-at-Completion (EAC) calculations. That’s all fine, but it’s not enough. Following are some observations with respect to the state of A&D industry risk management, based on the last time we took a deep dive into the subject. Granted, that was about five years ago, but we don’t believe things have changed dramatically since then.

• Risk identification is lacking. At best, risk identification is based on similar risks and/or issues dealt with on prior programs of similar complexity. In most instances, risks are identified by PM or engineering staff. Almost nobody is creating cross-functional teams to focus exclusively on risk identification. Almost nobody is continually adding new risks to the risk register as the program matures. (This is in part because for every risk identified there is pressure to add another opportunity.)

• Risk management assumes a static environment. In contrast, the risk environment is dynamic. Risk probabilities change over time, sometimes increasing and sometimes decreasing. Almost nobody is reviewing risk probabilities and seeking to identify critical inflection points. Almost nobody is actually “burning down” risk probabilities in a manner commensurate with implementation of risk mitigation plans.

• Risk mitigation tends to be formalistic. In other words, the risk mitigation plans tend to be for show. Typically, risk mitigation plans aren’t implemented in response to new risks or changing risk probabilities; instead, they are designed and approved—and then never used. One way to assess the efficacy of a risk mitigation plan is to ask who has approval to implement it. If the answer is that an approved risk mitigation plan requires additional approvals in order to implement it, then you know it’s simply for show; it’s not really intended to mitigate a risk that’s evolving towards actualization.

In a true risk-based culture (which we have not yet observed in the A&D industry), risks are identified, assigned a probability and a consequence, and a risk mitigation plan consistent with the probability and consequence. The risk mitigation plan is executed immediately when the cost of risk mitigation is less than the dollarized risk (probability x consequence). Both risk and risk mitigation plans are constantly monitored by a cross-functional team (or IPT), and that team acts like an advisory committee with respect to the PM and the PM team.

So what happens when risk management fails in a major defense program? Here’s one very recent story.

The story from Bloomberg (link above) quoted MG Teague (USAF Chief of Space Programs) as saying of the latest program setback: “This was an avoidable situation and raised significant concerns with Lockheed Martin subcontractor management/oversight and Harris program management.”

What’s the problem?

According to the Bloomberg story—

Last year, the Air Force and contractors discovered that Harris hadn’t conducted tests on the components, including how long they would operate without failing, that should have been completed in 2010. Now, the Air Force says it found that Harris spent June to October of last year doing follow-up testing on the wrong parts instead of samples of the suspect capacitors installed on the first three satellites.

Let’s be clear here: building satellites to meet specialized technical requirements is about the toughest thing there is. A next generation military satellite program is about the toughest PM challenge one can imagine. So let’s not pile on Lockheed Martin and its GPS III satellite program; and let’s not pile on Harris Corp. Instead, let’s look at this situation from a subcontractor risk management perspective.

• What were the risks involved in the Harris subcontract?

• Was there a risk that Harris (or any subcontractor, really) would not perform required testing?

• Was there a risk that Harris, once it learned of improper or non-performed tests, would make another testing mistake?

• What was the probability of occurrence? (Certainly it was greater than zero.)

• What was the consequence? (Putting entire multi-billion dollar program at risk.)

Based on the answers above, what were appropriate risk mitigation strategies that Lockheed Martin could have employed? (Hint: One potential strategy could involve deploying test oversight personnel at the Harris facility to ensure required testing was properly performed.)

Typically, risk mitigation is not implemented because of budget concerns. In this example, we would speculate that nobody budgeted the labor and expenses associated with deploying test oversight personnel at the subcontractor facility. It was judged to be too expensive. But that is a myopic view, isn’t it? Now the program has had yet another schedule slip and the customer is upset. Thus, a failure to implement effective risk mitigation strategies (perhaps stemming from budgetary concerns) has jeopardized the entire program. From the government customer’s viewpoint, it needs to implement its own risk mitigation strategy, which may involve asking other contractors to act as prime (instead of Lockheed Martin) on future GPS III satellite builds.

Perhaps those other contractors will employ a more effective subcontractor risk mitigation strategy.