This is the accessible text file for GAO report number GAO-06-13 
entitled 'Defense Management: Additional Actions Needed to Enhance 
DOD's Risk-Based Approach for Making Resource Decisions' which was 
released on November 16, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Subcommittee on Readiness and Management Support, 
Committee on Armed Services, U.S. Senate: 

United States Government Accountability Office: 

GAO: 

November 2005: 

Defense Management: 

Additional Actions Needed to Enhance DOD's Risk-Based Approach for 
Making Resource Decisions: 

GAO-06-13: 

GAO Highlights: 

Highlights of GAO-06-13, a report to the Subcommittee on Readiness and 
Management Support, Committee on Armed Services, U.S. Senate: 

Why GAO Did This Study: 

The Department of Defense (DOD) is simultaneously conducting costly 
military operations and transforming its forces and business practices 
while it is also competing for resources in an increasingly constrained 
fiscal environment. As a result, GAO has advocated that DOD adopt a 
comprehensive threat or risk management approach as a framework for 
decision making. In its 2001 strategic plan, the Quadrennial Defense 
Review (QDR), DOD stated its intent to establish an approach—the risk 
management framework—to balance priorities against risk over time and 
monitor results against its strategic goals. 

GAO was asked to (1) assess the extent to which DOD has implemented the 
framework, including using it to make investment decisions, and (2) 
identify the most significant challenges DOD faces in implementing the 
framework, or a similar approach. 

What GAO Found: 

DOD has taken some positive steps to implement the framework, but 
additional actions are needed before DOD can show real and sustainable 
progress in using a risk-based and results-oriented approach to 
strategically allocate resources across the spectrum of its investment 
priorities. For example, DOD defined four risk areas, and developed 
performance goals and department-level measures, but it needs to, among 
other things, further develop and refine the measures so that they 
clearly demonstrate results and provide a well-rounded depiction of 
departmental performance. DOD’s current strategic plan and goals also 
are not clearly linked to the framework’s performance goals and 
measures, and linkages between the framework and budget are also 
unclear. While DOD officials stated that risk was considered during the 
fiscal year 2006 budget cycle, DOD’s budget submission does not 
specifically discuss how DOD identified or assessed risks to establish 
DOD-wide investment priorities. Without better measures, clear 
linkages, and greater transparency, DOD will be unable to fully measure 
progress in achieving strategic goals or demonstrate to Congress and 
others how it considered risks, and made trade-off decisions, balancing 
needs and costs for weapon programs and other investment priorities. 

DOD’s Risk Management Framework: 

Force Management Risk; 
Definition: Challenge of sustaining personnel, infrastructure, and 
equipment. 

Operational Risk; 
Definition: Challenge of deterring or defeating near-term threats. 

Future Challenges Risk; 
Definition: Challenge of dissuading, deterring, defeating longer-term 
threats. 

Institutional Risk; 
Definition: Challenge of improving efficiency (includes financial 
management). 

Source: DOD. 

[End of table] 

DOD faces four challenges that have affected the implementation of the 
framework. First, DOD’s organizational culture resists department-level 
approaches to priority setting and investment decisions. Second, 
sustained leadership, adequate transparency, and appropriate 
accountability are lacking. Further, no one individual or office has 
been assigned overall responsibility or sufficient authority for the 
framework’s implementation. DOD also has not developed implementation 
goals or timelines with which to establish accountability, or measure 
progress. Finally, integrating the risk management framework with 
decision support processes and related reform initiatives into a 
coherent, unified management approach for the department is a challenge 
that DOD plans to address during the 2005 QDR. However, GAO has 
concerns about DOD’s ability to follow through on this integration, 
because of its limited success in implementing other management 
reforms. Unless DOD successfully addresses these challenges and 
effectively implements the framework, or a similar approach, it will 
likely continue to experience (1) a mismatch between programs and 
budgets, and (2) a proportional, rather than strategic, allocation of 
resources to the services. 

What GAO Recommends: 

GAO recommends that DOD take various actions to increase its chances of 
successfully implementing a risk-based approach for investment decision 
making, such as developing results-oriented measures and assigning 
clear leadership with appropriate accountability and authority to 
implement the framework. DOD partially concurred with our 
recommendations. 

www.gao.gov/cgi-bin/getrpt?GAO-06-13. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Sharon Pickup at (202) 
512-9619 or pickups@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Despite Positive Steps, Additional Actions Needed to Fully Implement 
the Risk Management Framework: 

Cultural Resistance, Combined with the Lack of Leadership, 
Implementation Goals, and Process Integration, Affects DOD's 
Implementation of the Risk Management Framework: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Definitions and Examples of DOD Department-Level Measures (as 
of November 2004): 

Table 2: The Number of Activity and Performance Measures for Each 
Quadrant: 

Table 3: Military Service and Defense-Wide Percentage of the 2005 and 
2006 Future Years Defense Programs: 

Table 4: Select Initiatives to Improve Investment Decision Making: 

Figures: 

Figure 1: The Risk Management Cycle: 

Figure 2: Comparison of the Balanced Scorecard and the Risk Management 
Framework: 

Abbreviations: 

CBO: Congressional Budget Office: 

CMO: chief management official: 

DOD: Department of Defense: 

FYDP: Future Years Defense Program: 

GAO: Government Accountability Office: 

GPRA: Government Performance and Results Act: 

JCIDS: Joint Capabilities Integration and Development System: 

OSD: Office of the Secretary of Defense: 

PA&E: Program Analysis and Evaluation (PA&E): 

PPBE: Planning, Programming, Budgeting, and Execution: 

P&R: Personnel and Readiness: 

PART: Program Assessment Rating Tool: 

QDR: Quadrennial Defense Review: 

United States Government Accountability Office: 

Washington, DC 20548: 

November 15, 2005: 

The Honorable John Ensign: 
Chairman: 
The Honorable Daniel K. Akaka 
Ranking Minority Member: 
Subcommittee on Readiness and Management Support: 
Committee on Armed Services: 
United States Senate: 

Among the 21st century challenges facing the Department of Defense 
(DOD) and the nation as a whole are difficult decisions concerning how 
to strike an affordable balance between current and future national 
security needs and between national security and domestic 
needs.[Footnote 1] For example, DOD is simultaneously maintaining a 
high pace of military operations for combating terrorism and 
transforming its military forces and business operations for the 21st 
century while it is also competing for federal resources in an 
increasingly fiscally constrained environment. We have advocated that 
DOD--as well as the rest of the federal government--adopt a 
comprehensive threat or risk management approach as a framework for 
decision making.[Footnote 2] This approach would fully link strategic 
goals to plans and budgets; assess the values and risks of various 
courses of actions as a tool for reexamining defense programs, setting 
priorities, and allocating resources; and use performance measures to 
assess outcomes. 

To its credit, DOD introduced a balanced scorecard for risk management, 
commonly known as the risk management framework, in its strategic plan, 
the 2001 Quadrennial Defense Review (QDR) report. The 2001 strategic 
plan articulated the new administration's emphasis on transforming 
military forces and defense business practices to meet the emerging 
challenges facing our nation. DOD intended the framework to be used as 
a management tool to focus DOD's efforts on implementing the defense 
program as outlined in the strategic plan. In particular, DOD's senior 
leadership intended the risk management framework to assist decision 
makers in formulating top-down strategy, balancing investment 
priorities against risk over time, measuring near-and midterm outputs 
against strategic goals, and focusing on actual performance results. 
According to DOD officials, the risk management framework also was 
intended to increase transparency within the department over the 
decision-making process. During the ongoing 2005 QDR, DOD plans to 
refine the risk management framework. 

You asked us to examine the status of DOD's efforts to adopt a risk- 
based approach to decision making, given the emphasis that DOD was 
placing on the risk management framework. In response, we (1) assessed 
the extent to which DOD has implemented its risk management framework, 
including the extent to which DOD has used the framework to make 
investment decisions; and (2) identified the most significant 
challenges DOD faced in implementing the risk management framework or a 
similar risk-based and results-oriented management approach. 

To assess the extent to which DOD has implemented the risk management 
framework, we analyzed key documents, policy guidance, data, and 
interview results, and compared the analysis to the principles for 
managing risk and results identified in prior GAO reports. In addition, 
we conducted interviews with DOD and service officials, and members of 
the Joint Staff. We discussed the department's progress in implementing 
the risk management framework with members of the Defense Business 
Board. We also analyzed DOD's department-level performance goals and 
measures that are associated with the risk management framework and 
assessed how DOD reported that information externally. We did not 
validate the appropriateness of the risk management framework's risk 
quadrants or the procedures that DOD has in place to ascertain the 
reliability of performance data and we also did not assess the basis 
for DOD's investment decisions. To identify the most significant 
challenges DOD faced in implementing the risk management framework, we 
analyzed documents, data, and interview results, and compared the 
results of this analysis to the key practices to assist mergers and 
organizational transformation identified in prior GAO reports.[Footnote 
3] A more detailed discussion of our scope and methodology is presented 
in appendix I. 

Our work was performed from October 2004 through September 2005 in 
accordance with generally accepted government auditing standards. 

Results in Brief: 

DOD has taken positive steps toward implementing the risk management 
framework; however, additional actions are needed before the framework 
is fully implemented and DOD can demonstrate real and sustainable 
progress in using a risk-based and results-oriented approach to 
strategically allocate resources across the spectrum of its investment 
priorities. For example, while DOD established four risk areas, or 
quadrants, and developed performance goals and measures of two types-- 
activity measures (measures to track initiatives) and performance 
measures--the majority of these measures do not provide sufficient 
information to monitor performance against the risk quadrants' goals. 
Specifically, and contrary to results-oriented management principles, 
the risk management framework's measures (1) do not clearly demonstrate 
results, (2) do not provide a well-rounded depiction of performance 
across the department, and (3) are not being systemically monitored 
across all quadrants, except for the force management quadrant. In 
addition, the framework's performance goals and measures are not 
clearly linked to DOD's current strategic plan and strategic goals. 
Lacking measures that follow results-oriented management principles and 
clear linkages to strategic goals, DOD may be unable to provide a clear 
roadmap of how its activities at all levels contribute to meeting DOD's 
strategic goals. Finally, although DOD officials stated that risk was 
considered in the fiscal year 2006 budget cycle, the fiscal year 2006 
budget submission does not include any specific information on how DOD 
systematically identified or assessed departmental risks to establish 
DOD-wide investment priorities. Therefore, the linkages between the 
risk management framework and the budget are unclear. Without better 
measures, clear linkages, and greater transparency, DOD will be unable 
to fully measure progress in achieving strategic goals or demonstrate 
to Congress and others how it considered risks and made trade-off 
decisions, balancing needs and costs for weapon system programs and 
other investment priorities. 

DOD faces four key challenges that affect its ability to fully 
implement the risk management framework, or a similar risk-based and 
results-oriented management approach: (1) overcoming cultural 
resistance to the transformational change represented by such an 
approach in a department as massive, complex, and decentralized as DOD; 
(2) maintaining sustained leadership and clear accountability for this 
cultural transformation; (3) providing implementation goals and 
timelines to gauge progress in transforming the culture; and (4) 
integrating the risk management framework with decision support 
processes and related reform initiatives into a coherent, unified 
management approach for the department. Our prior work on results- 
oriented management and organizational transformation and mergers has 
shown that addressing these challenges is at the center of successful 
change management efforts in leading organizations. DOD is having 
difficulties implementing the framework because it has not addressed 
these four challenges. With respect to the first challenge, DOD's size 
and complexity result in a culture that makes developing department- 
level approaches to priority setting and investment decision making 
difficult. For example, the allocation of budgets on a proportional, 
rather than a strategic, basis among the services is a long-standing 
budgetary problem that we have reported about for years. Second, the 
lack of sustained leadership and clear accountability for the 
framework's implementation has resulted in a lack of emphasis and 
understanding of its status and purpose within the department. Because 
of the lack of sustained leadership for other management reform 
efforts, we have supported legislation to create a chief management 
official (CMO) at DOD to provide this leadership.[Footnote 4] Third, 
DOD did not establish implementation goals or timelines with which to 
establish accountability, measure progress, and build momentum. 
Finally, integrating the risk management framework with other decision 
support processes and related reform initiatives into a coherent, 
unified management approach is a challenge that DOD intends to address 
in the ongoing 2005 QDR. Illustrating this challenge, DOD is attempting 
to implement the risk management framework while it is also shifting to 
biennial budgeting and reforming defense planning. Our work has shown 
that if risk-based and results-oriented management approaches are to be 
successfully implemented, they must be integrated into the usual cycle 
of agency decision making. Unless DOD addresses these challenges and 
successfully implements the risk management framework, or a similar 
approach, it may continue to experience (1) a mismatch between programs 
and budgets, and (2) the proportional, rather than strategic, 
allocation of resources to the services. Therefore, Congress may have 
insufficient transparency into how DOD has identified and assessed 
risks and made trade-offs in its investment decision making. 

In this report, we recommend that DOD take various actions to increase 
its chances of successfully implementing a risk-based approach for 
investment decision making. This includes developing results-oriented 
measures and assigning clear leadership with appropriate accountability 
and authority to implement and sustain the risk management framework, 
or a similar approach. In written comments on a draft of this report, 
DOD partially concurred with our recommendations. DOD's comments and 
our evaluation of them are on page 25 of this report. 

Background: 

In our report, High-Risk Series: An Update,[Footnote 5] we identified 
agencies' lack of comprehensive risk management strategies as an 
emerging challenge for the federal government. Increasingly limited 
fiscal resources across the federal government, coupled with the 
emerging requirements from the changing security environment, emphasize 
the need for DOD to develop a risk-based strategic investment approach. 
For this reason, we have advocated that DOD adopt a comprehensive risk 
management approach for decision making.[Footnote 6] Furthermore, DOD 
and other federal agencies are required by statute to develop a results-
oriented management approach to strategically allocate resources on the 
basis of performance.[Footnote 7] The balanced scorecard--a concept to 
balance an organization's focus across financial, customer, internal 
business, and learning and growth management areas--is one approach for 
developing results-oriented management that government agencies have 
recently started to adopt.[Footnote 8] At the direction of the 
Secretary of Defense, DOD developed a risk management framework that 
DOD later aligned with its results-oriented management activities 
through a DOD balanced scorecard. 

Risk Management Is an Emerging 21st Century Challenge: 

An emerging challenge for the federal government involves the need for 
the completion of comprehensive national threat and risk assessments in 
a variety of areas. For example, emerging requirements from the 
changing security environment, coupled with increasingly limited fiscal 
resources across the federal government, emphasize the need for 
agencies to adopt a sound approach to establishing resource 
decisions.[Footnote 9] We have advocated that the federal government, 
including DOD, adopt a comprehensive threat or risk management approach 
as a framework for decision making that fully links strategic goals to 
plans and budgets, assesses values and risks of various courses of 
actions as a tool for setting priorities and allocating resources, and 
provides for the use of performance measures to assess outcomes. Based 
on our review of the literature,[Footnote 10] as shown in figure 1, the 
goal of risk management is to integrate systematic concern for risk 
into the usual cycle of agency decision making and implementation. 

Figure 1: The Risk Management Cycle: 

[See PDF for image] 

[End of figure] 

A risk management cycle represents a series of analytical and 
managerial steps, basically sequential, that can be used to assess 
risk, evaluate alternatives for reducing risks, choose among those 
alternatives, implement the alternatives, monitor their implementation, 
and continually use new information to adjust and revise the 
assessments and actions, as needed. Adoption of a risk management cycle 
such as this can aid in assessing risk by determining which 
vulnerabilities should be addressed, and how they should be addressed, 
within available resources. For the purposes of this report, we focused 
on the stages of the risk management cycle that involve DOD's actions 
to set strategic goals and objectives, establish investment priorities 
based on risk assessments, and implementation and monitoring. 

Risk management's objectives are essentially the same as those of good 
management, and they are consistent with the broad economy and 
efficiency objectives of good government--namely, to provide better 
outcomes for the same amount of money, or to provide the same outcomes 
with less money. Therefore, risk management's objectives are also 
compatible with those of the federal government's results-oriented 
management approach, which was enacted in the Government Performance 
and Results Act (GPRA) of 1993,[Footnote 11] and the balanced scorecard 
approach. Congress enacted GPRA to focus the federal government on 
achieving results through the creation of clear links between the 
process of allocating scarce resources and an agency's strategic goals, 
or the expected results to be achieved with those resources. Building 
on GPRA's foundation, the current administration has taken steps to 
strengthen the integration of budget, cost, and performance information 
by including budget and performance integration as one of its 
management initiatives under the umbrella of the President's Management 
Agenda.[Footnote 12] The Budget and Performance Integration initiative 
includes efforts such as the Program Assessment Rating Tool (PART), 
improving outcome measures, and improving monitoring of program 
performance.[Footnote 13] The balanced scorecard approach is a 
management tool that some federal agencies have adopted to help them 
translate the strategy set forth in a results-oriented management 
approach into the operational objectives that drive both behavior and 
performance. The balanced scorecard consists of four management areas 
that organizations should focus on--financial, customer, internal 
business, and learning and growth. 

DOD's 2001 Strategic Plan Outlines a New Risk Management Framework: 

DOD introduced the risk management framework in its strategic plan, the 
2001 QDR report. The 2001 strategic plan articulated the new 
administration's emphasis on transforming military forces and defense 
business practices to meet the changing threats facing our nation. In 
his guidance to the department for the 2001 QDR strategic planning 
process, the Secretary of Defense stated the need for DOD to use a risk 
mitigation approach for balancing force, resource, and modernization 
requirements across defense planning timelines. This guidance also 
stated that DOD must include the identification of output-based 
measures to reduce inefficiencies through the department in any 
approach to risk management. Building on the guidance, the 2001 QDR 
outlined DOD's risk management framework. According to the QDR, the 
framework would enable DOD to address the tension between preparing for 
future threats and meeting the demands of the present with finite 
resources. It was also intended to ensure that DOD was sized, shaped, 
postured, committed, and managed with a view toward accomplishing the 
strategic plan's defense policy goals. 

DOD adapted the balanced scorecard concept to the risk management 
framework by substituting the four dimensions of risk--force 
management, operational, future challenges, and institutional--for the 
scorecard's four management areas. The risk management framework was to 
be a transformational tool that would provide a balanced perspective of 
the organization's execution of strategy and ensure a top-down 
approach. The 2002 policy guidance also designated four preliminary 
performance goals for each of the four risk quadrants. In addition, the 
guidance required that performance goals and measures were to be 
cascaded to the services and defense agencies. Figure 2 shows a 
comparison, as provided by DOD. 

Figure 2: Comparison of the Balanced Scorecard and the Risk Management 
Framework: 

[See PDF for image] 

[End of figure] 

Despite Positive Steps, Additional Actions Needed to Fully Implement 
the Risk Management Framework: 

Despite positive steps, DOD needs to take additional actions before the 
risk management framework is fully implemented and DOD can demonstrate 
real and sustainable progress in using a risk-based and results- 
oriented approach to strategically allocate resources across the 
spectrum of its investment priorities. For example, DOD is still in the 
process of developing department-level measures for the framework that 
address results-based management principles, such as linking 
performance information to strategic goals so that this information can 
be used to monitor performance results and determine how well the 
department is doing in achieving its strategy. Without more results- 
oriented performance measures, DOD may be unable to provide the 
services and other defense components with clear roadmaps of how their 
activities contribute to meeting DOD's strategic goals. In addition, 
the framework's performance goals and measures are not clearly linked 
to DOD's current strategic plan and strategic goals. Furthermore, the 
extent to which the risk management framework is linked to the budget 
cycle is unclear. Without better measures, clear linkages, and greater 
transparency, DOD will be unable to fully measure progress in achieving 
strategic goals or demonstrate to Congress and others how it considered 
risks and made trade-offs in making investment decisions. 

Developing a Set of Measures That Can Be Used to Monitor Performance Is 
a Work in Progress: 

DOD has taken positive steps toward developing measures for each of the 
performance goals under the framework's four risk quadrants; however, 
developing a set of measures that can be used to monitor performance 
results is still a work in progress. Based on GAO's prior work on 
results-based management principles, we found that leading 
organizations' performance measures are: (1) designed to demonstrate 
results, or provide information on how well the organization is 
achieving its goals; (2) limited to a vital few, and balanced across 
priorities; and (3) used by management to improve performance.[Footnote 
14] However, the set of measures DOD has developed for the risk 
management framework do not adequately address these principles. While 
DOD established four risk quadrants and developed performance goals and 
measures of two types--activity measures (measures to track 
initiatives) and performance measures--the majority of its measures do 
not provide sufficient information to monitor performance against the 
risk quadrants' goals. 

First, DOD officials acknowledge that establishing department-level 
measures for the framework that demonstrate results is still a work in 
progress, as the majority of the risk management framework's measures 
require further development or refinement. In fact, as shown in table 
1, 44 of the 77 department-level measures for all four quadrants, or 
over 50 percent, are activity measures. According to DOD sources, 
activity measures are to result in a new performance measure, a new 
baseline or benchmark, or define a new capability, rather than monitor 
a specific annual performance target. Once these activities are 
completed, DOD officials stated that the department will be better able 
to monitor department-level performance against strategic goals. 
However, our analysis found that the activity measures, as defined in 
DOD's external reports, typically do not provide sufficient information 
to monitor the department's progress in achieving the stated goal they 
are to measure, such as developing a new performance measure or 
baseline. The desired outcomes for activity measures generally state 
that a task was or will be completed by a certain date but they do not 
provide sufficient information on whether the activity is on schedule, 
the interdependencies among tasks, or the contribution toward enhancing 
the department's performance. Therefore, Congress and other external 
stakeholders lack information and adequate assurances that DOD is 
making progress in implementing a risk-based and results-oriented 
management approach to making investment decisions. 

Table 1: Definitions and Examples of DOD Department-Level Measures (as 
of November 2004): 

Type: Activity measures; 
Number: 44[A]; 
Definition: Activity measures track developmental activities, are 
usually qualitative, and track key milestones or events in lieu of a 
specific annual performance target; 
Examples: Deny enemy advantages and exploit weaknesses; 
Description of desired outcome monitored by measure: Roadmap will be 
complete by the end of fiscal year 2005. 

Examples: Enhance homeland defense and consequence management; 
Description of desired outcome monitored by measure: Strategy will be 
complete by the first quarter of fiscal year 2005. 

Type: Performance measures; 
Number: 33[A]; 
Definition: Performance measures track current outputs and set 
quantitative annual targets for performance that are measurable; 
Examples: Reserve component enlisted recruiting quality; 
Description of desired outcome monitored by measure: Target > 90% of 
recruits holding high school diplomas; Actual 88% of recruits holding 
high school diplomas. 

Examples: Reduce customer wait time (in days); 
Description of desired outcome monitored by measure: Target 15 days 
from order to receipt for material goods; Actual 24 days from order to 
receipt for material goods. 

Source: GAO analysis of the Risk Management Framework's performance 
measures. 

[A] We have recoded five performance measures as activity measures as 
these measures tracked milestones and events, which corresponds with 
DOD's definition of an activity measure. 

[End of table] 

Second, DOD's department-level performance measures are still a work in 
progress in that these measures do not provide a well-rounded depiction 
of DOD's performance. In our previous work, we have found that 
performance measurement efforts that are not balanced across priorities 
may skew an agency's performance and keep its senior leadership from 
seeing the whole picture.[Footnote 15] For example, in developing 
department-level measures for the risk management framework, DOD 
appears to have overemphasized its force management priorities at the 
expense of operational risk. As illustrated in table 2, the operational 
risk quadrant has no performance measures, while the force management 
risk quadrant has a total of 36 measures, including 15 activity 
measures and 21 performance measures. 

Table 2: The Number of Activity and Performance Measures for Each 
Quadrant: 

Activity measures: Operational: 15; 
Performance measures: Operational: 21; 
Total measures: Operational: 36[A]. 

Force Management: Operational; 
Activity measures: 9; 
Performance measures: 0; 
Total measures: 9. 

Activity measures: 11; 
Performance measures: 10; 
Total measures: 21[B]. 

Force Management; 
Activity measures: 9; 
Performance measures: 2; 
Total measures: 11[C]. 

Source: GAO analysis of DOD data. 

[A] We have recoded two performance measures as activity measures as 
these measures tracked milestones and events, which corresponds with 
DOD's definition of an activity measure. 

[B] We have recoded one performance measure as an activity measure as 
this measure tracked milestones and events, which corresponds with 
DOD's definition of an activity measure. 

[C] We have recoded two performance measures as activity measures as 
these measures tracked milestones and events, which corresponds with 
DOD's definition of an activity measure. 

[End of table] 

In providing technical comments to a draft of this report, DOD objected 
to our recoding of five department-level performance measures as 
activity measures. We recoded these measures because they tracked 
milestones and events, which corresponded to DOD's definition of an 
activity measure. The measures we recoded addressed the following: 

* a civilian human resources strategic plan, 

* a military human resources strategic plan, 

* monitor the status of defense technology objectives, 

* strategic transformation appraisal, and: 

* support acquisition excellence goals. 

Finally, DOD officials indicated that DOD is systematically using 
performance measures to monitor progress and improve performance for 
only one risk quadrant, although individual measures under the other 
three risk quadrants may be monitored. We have found that leading 
organizations use performance information to improve organizational 
performance and identify performance gaps, and to provide incentives 
that reinforce a results-oriented management approach.[Footnote 16] 
According to DOD officials, the force management quadrant is the only 
quadrant that is managed by one individual and one office--the Under 
Secretary of Defense for Personnel and Readiness and his office. These 
officials stated that this situation is a critical factor in the 
progress DOD has made in systematically monitoring performance across 
the force management quadrant on a routine basis. For example, 
officials stated that the Under Secretary of Defense personally leads 
quarterly monitoring sessions on the force management quadrant's 
performance. DOD officials also told us that the Under Secretary of 
Defense for Personnel and Readiness has greatly facilitated this 
monitoring by developing a centralized database to capture the 
performance data used to track DOD's performance in meeting the 
quadrant's goals. Unless all of the risk management framework's 
quadrants are systematically monitored, implementation of the framework 
may be hindered and the framework risks becoming a paper-driven, 
compliance exercise. Indeed, one DOD official told us that he views the 
risk management framework and its measures as a "reporting drill" and, 
in addition, his office would not change its processes if DOD was to no 
longer use the framework. 

Cascading the Risk Management Framework's Goals and Measures Is an 
Ongoing Effort: 

DOD is still in the process of cascading the risk management 
framework's goals and measures to the services. We have found that 
leading organizations seek to establish clear hierarchies of goals and 
measures that cascade down so that subordinate units have 
straightforward roadmaps to demonstrate how their activities contribute 
to meeting the organization's strategy.[Footnote 17] According to DOD 
officials, all of the services are attempting to align their existing 
performance measures with the department-level performance goals and 
measures. However, service officials said that it is challenging to 
cascade the department-level activity measures, because these measures 
represent very broad initiatives that may not be applicable at all DOD 
levels. Officials from one service said they have had to develop new 
measures to align with the department-level measures, because they had 
been assessing performance with fewer measures than the Office of the 
Secretary of Defense had developed. 

Developing a Strategic Plan with Clear Linkages between the Risk 
Management Framework and Strategic Goals Is a Critical Next Step: 

The risk management framework's performance goals and measures are not 
clearly linked--a key principle of results-oriented management--to a 
coherent strategic plan.[Footnote 18] The development of such a 
strategic plan is a critical next step in using a risk-based and 
results-oriented approach to making investment decisions. Without these 
linkages, DOD cannot easily demonstrate how achievement of a 
performance goal or measure contributes to the achievement of strategic 
goals and ultimately the organization's mission. Our previous work 
indicated that DOD's strategic plan, the 2001 QDR, did not provide a 
sound foundation for the risk management framework.[Footnote 19] We 
reported that the usefulness of the 2001 QDR was limited by the lack of 
focus on longer-term threats and requirements for critical support 
capabilities, and provided few insights into how future threats and 
planned technical advances could affect future force requirements. In 
turn, this lack of focus and insight limited the QDR's usefulness as a 
foundation for fundamentally reassessing U.S. defense plans and 
programs and for balancing resources across near-and midterm risks. 

DOD officials indicated that DOD has not yet defined the linkages 
between the risk management framework's performance goals and the 
strategic goals in the 2001 QDR. Furthermore, the Defense Business 
Board's official minutes for its July 28, 2005, meeting contained a 
recommendation that the Secretary of Defense define department-level 
objectives, which should then be cascaded down the department.[Footnote 
20] In discussing the ongoing 2005 QDR, DOD stated that although the 
department would continue its efforts to do so, establishing these 
linkages was very challenging because of the size and scope of DOD's 
operations. However, as suggested by the Defense Business Board and our 
previous work, if DOD's strategic plan is to drive the department's 
operations, a straightforward linkage is needed among strategic goals, 
annual performance goals, and day-to-day activities.[Footnote 21] The 
ongoing 2005 QDR offers DOD the opportunity to strengthen its strategic 
planning. 

Although Risk Considered, Linkages Between the Risk Management 
Framework and Budget Are Unclear: 

According to DOD officials, the department has begun to consider risk 
in its investment decision making; however, the full extent to which 
the framework's risk-based and results-oriented approach has been 
linked to the fiscal year 2006 budget cycle is unclear. Our work 
indicates that leading organizations link strategy to the budget 
process through results-oriented management to evaluate potential 
investments or initiatives.[Footnote 22] 

DOD sources indicated that the department has begun to consider risk 
during its usual cycle of investment decision making. For example, 
according to DOD sources, the Secretary of Defense articulated broad 
areas for increasing or decreasing risk under each quadrant in the 
fiscal years 2006-2011 planning guidance, leaving it up to the defense 
components to decide how to structure their investment decisions within 
those broad areas consistent with the Secretary's risk guidance. In 
addition, DOD officials stated that the framework has increased 
awareness within the department on the need to balance risk over time. 
For example, when DOD reduced the fiscal years 2006-2011 defense 
program by $30 billion, DOD officials stated that the department did 
not take the traditional budgetary approach of cutting each defense 
component's budget by a certain percentage. Instead, DOD officials 
stated that the Secretary of Defense used a collaborative approach with 
service participation to discuss where to take the budget reductions 
and how these cuts would affect risk, although DOD officials offered 
various views on how extensively the framework was used to make those 
decisions. 

Second, DOD required that the services and other defense components 
offset any funding increase in one area with a funding decrease in 
another area for the fiscal years 2006-2007 budget submission. 
According to DOD officials, risk--whether on the basis of "professional 
judgment" or analysis--was considered in these deliberations. For 
example, the Army's plan for fiscal years 2006-2023 articulated areas 
for increasing risks so that it could decrease risk in the operational 
risk dimension by investing in current capacity. 

However, the fiscal year 2006 budget submission does not include any 
specific information on how DOD systematically identified or assessed 
departmental risks to establish DOD-wide investment priorities. For 
example, the military services' share of the Future Years Defense 
Program (FYDP) remained relatively unchanged from fiscal year 2005 to 
fiscal year 2006 (see table 3),[Footnote 23] providing one indication 
that the risk management framework may not yet be a useful tool for 
balancing departmental risks across the services. 

Table 3: Military Service and Defense-Wide Percentage of the 2005 and 
2006 Future Years Defense Programs: 

Department of the Army; 
2005 Percentage of FYDP: 24.23; 
2006 Percentage of FYDP: 24.63; 
Percentage change by department: 0.40. 

Department of the Navy; 
2005 Percentage of FYDP: 29.75; 
2006 Percentage of FYDP: 29.47; 
Percentage change by department: -0.28. 

Department of the Air Force; 
2005 Percentage of FYDP: 29.80; 
2006 Percentage of FYDP: 29.82; 
Percentage change by department: 0.02. 

Defense-wide; 
2005 Percentage of FYDP: 16.22; 
2006 Percentage of FYDP: 16.08; 
Percentage change by department: -0.14. 

Total; 
2005 Percentage of FYDP: 100.00; 
2006 Percentage of FYDP: 100.00. 

Source: GAO analysis of DOD FYDP data. 

Note: Totals may not add due to rounding. 

[End of table] 

DOD has reported on the risk management framework in the department's 
GPRA and other reporting requirements. For example, the fiscal year 
2004 Performance and Accountability Report describes what DOD is doing, 
or plans to do, to define, measure, and monitor performance goals in 
the four risk quadrants but does not discuss the implementation status 
of the risk management framework. Furthermore, the fiscal year 2004 
report, the most recent available, provided insufficient information to 
assist Congress in overseeing how DOD plans to prioritize investment 
decisions within or across the risk quadrants. Without more detailed 
information, Congress may have insufficient transparency into how DOD 
has identified and assessed risks and made trade-offs in its investment 
decision making. In addition, we reported in May 2004 that 
congressional visibility over investment decision making also was 
limited by the absence of linkages between the risk management 
framework and military capabilities planning and the FYDP.[Footnote 24] 
Because the FYDP lacked these linkages, we concluded that decision 
makers could not use it to determine how a proposed increase in 
capability would affect the risk management framework. 

Our work also has shown that the FYDP may understate the costs of 
weapon system programs; therefore, DOD may be starting more programs 
than it can afford. For example, our assessment of 54 major programs, 
representing an investment of over $800 billion, found that the 
majority of these programs were costing more and taking longer to 
develop than planned.[Footnote 25] Problems occurred because of DOD's 
overly optimistic planning assumptions about the long-term costs of 
weapon system programs and its failure to capture early on the 
requisite knowledge that is needed to efficiently and effectively 
manage program risks. When DOD has too many programs competing for 
funding and approves programs with low levels of knowledge, it is 
accepting the attendant likely adverse cost and schedule risks. As a 
result, it will probably get fewer quantities for the same investment 
or face difficult choices on which investments it cannot afford to 
pursue. The findings of our work suggest that having a departmentwide 
investment strategy for weapon systems, to allocate resources across 
investment priorities, would help reduce these risks. 

Cultural Resistance, Combined with the Lack of Leadership, 
Implementation Goals, and Process Integration, Affects DOD's 
Implementation of the Risk Management Framework: 

Four key challenges impede DOD's progress toward implementing the risk 
management framework. The first implementation challenge facing DOD is 
overcoming cultural resistance to change in a department as massive, 
complex, and decentralized as DOD. The second challenge is the lack of 
sustained leadership, and the third challenge is the absence of 
implementation goals and timelines. These challenges relate to DOD's 
failure to follow crucial transformational steps. The fourth challenge-
-integrating the risk management framework with decision support 
processes and related reform initiatives, into a coherent, unified 
management approach for the department--relates to key results-oriented 
management practices. Unless DOD addresses these challenges and 
successfully implements the risk management framework, or a similar 
approach, it may continue to experience (1) a mismatch between programs 
and budgets, and (2) the proportional, rather than strategic, 
allocation of resources to the services. 

Transforming DOD's Organizational Culture Is a Significant Challenge: 

Transforming DOD's organizational culture--from a focus on inputs and 
programs to strategically balancing investment risks and monitoring 
outcomes across the department--through the implementation of the risk 
management framework is a significant challenge for the department for 
several reasons. First, as we noted in our 21st Century Challenges 
report, to successfully transform, DOD needs to overcome the inertia of 
various organizations, policies, and practices that became rooted in 
the Cold War era.[Footnote 26] The department's expense, size, and 
complexity, however, make overcoming this resistance and inertia 
difficult. In fiscal year 2004, DOD reported that its operations 
involved $1.2 trillion in assets, $1.7 trillion in liabilities, over 
$605 billion in net cost of operations, and over 3.3 million military 
and civilian personnel. For fiscal year 2005, DOD received 
appropriations of about $417 billion. Moreover, execution of its 
operations spans a wide range of defense organizations, including the 
military services and their respective major commands and functional 
activities, numerous large defense agencies and field activities, and 
various combatant and joint operation commands, which are responsible 
for military operations for specific geographic regions or theaters of 
operations. 

Second, DOD's highly decentralized management structure is another 
contributing factor that makes cultural change difficult. Although 
under the authority, direction, and control of the Secretary of 
Defense, the military services have the legislative authority to 
organize, equip, and train the nation's armed forces for combat under 
Title 10 of the U.S. Code. Furthermore, Congress directly appropriates 
funds to the services for programs and activities that support these 
purposes. In the opinion of knowledgeable DOD officials, this 
legislative authority has resulted in a culture that makes it difficult 
to develop department-level, or joint, management approaches. For 
example, the allocation of budgets on a proportional, rather than a 
strategic basis, among the military services is a long-standing 
budgetary problem that we have identified as a major management 
challenge for the department.[Footnote 27] In addition, the Joint 
Defense Capabilities Study, chartered by the Secretary of Defense in 
March 2003, made the following observations on how DOD's organizational 
culture does not reinforce a departmental or joint approach to 
investment decision making and results management:[Footnote 28] 

* DOD's bottom-up strategic planning process did not support early 
senior leadership involvement and did not provide integrated 
departmentwide objectives, priorities, and roles as a framework for 
planning joint capabilities. 

* Service-centric focus on programs and weapons platforms resulted in a 
process that did not provide an accurate picture of joint needs, nor 
did it provide a consistent view of priorities and acceptable risks 
across the department. 

* The resulting budget did not optimize capabilities at either the 
department or the service level. 

* Accountability and feedback focused on monetary input rather than 
output; therefore, much of the information provided did not support the 
senior leaders' decision making as it did not tell how well the 
department was being resourced to meet current and future mission 
requirements. 

Lack of Sustained Leadership and Appropriate Accountability Has 
Challenged DOD's Implementation of the Risk Management Framework: 

The lack of sustained leadership attention and appropriate 
accountability has challenged DOD's progress in implementing the risk 
management framework. Our work has indicated that sustained leadership 
is a key transformational, or change management, practice.[Footnote 29] 
However, knowledgeable DOD officials indicated that DOD's senior 
leadership did not provide sustained attention to the framework's 
implementation. For example, a DOD official actively involved in the 
framework's implementation stated that meetings with senior leadership 
that were to provide oversight of the framework's implementation have 
not been regularly scheduled. DOD officials indicated that as a result 
of this lack of sustained leadership, DOD has not placed much emphasis 
on implementing the risk management framework at the department level. 
In addition, other DOD officials stated that changes in leadership have 
made it difficult to implement the risk management framework or develop 
performance measures. For example, since October 2004, DOD has 
experienced turnover in the following senior level positions, including 
the Deputy Secretary of Defense; the Under Secretary of Defense for 
Acquisition, Technology and Logistics; and the Director of Program 
Analysis and Evaluation (PA&E). Lacking sustained leadership attention, 
DOD officials offered conflicting perspectives on the status of the 
risk management framework with some officials suggesting that the 
framework had been overtaken by other performance-based or risk-based 
management initiatives while another suggested that the framework was 
primarily a compliance exercise. DOD officials also held differing 
perspectives on the purpose of the framework, including the beliefs 
that it was developed to monitor the Secretary of Defense's priority 
areas or that it was a programming and budgeting tool. 

Implementation of the risk management framework has also been 
challenged by the lack of clear lines of authority and appropriate 
accountability. No single individual or organization has been given 
overarching leadership responsibilities, authority, or the 
accountability for achieving the framework's implementation. Instead, 
the responsibility for various tasks and performance measures have been 
spread among several organizations, including the Director, PA&E; the 
Under Secretary of Defense for Personnel and Readiness (P&R); and the 
Under Secretary of Defense, Comptroller/Chief Financial Officer. 

We testified in April 2005 that as DOD embarks on large-scale change 
initiatives, the complexity and long-term nature of these initiatives 
require the development of an executive position capable of providing 
strong and sustained leadership--over a number of years and various 
administrations.[Footnote 30] For this reason, we have supported 
legislation to create a CMO at DOD to provide such sustained 
leadership.[Footnote 31] A CMO could also provide the leadership needed 
to successfully develop a risk-based and results-oriented management 
approach at DOD, such as the risk management framework. 

Lack of Implementation Goals and Timelines Further Challenges DOD's 
Implementation of Risk Management Framework: 

Accountability for implementation of the risk management framework also 
has been hindered by the absence of implementation goals and timelines 
with which to gauge progress. As we have previously reported, 
successful change management efforts use implementation goals and 
timelines to pinpoint performance shortfalls and gaps, suggest 
midcourse corrections, and build momentum by demonstrating 
progress.[Footnote 32] However, DOD's limited guidance on the risk 
management framework did not establish implementation goals and 
timelines, nor did it require that implementation goals and timelines 
be developed. According to knowledgeable DOD officials, DOD did not see 
the need for implementation goals or timelines because the framework 
was not meant to change processes or create new ones, but rather was a 
management tool to improve upon investment decision-making processes. 
Regardless of how DOD classifies the risk management framework, we have 
found that implementation goals and timelines are essential to any 
transformational change, such as that envisioned by the Secretary of 
Defense with the risk management framework, because of the number of 
years it can take to complete the change.[Footnote 33] Moreover, the 
absence of implementation goals and timelines makes it difficult to 
determine whether progress has been made in implementing the framework 
over the last 2 ˝ years, and whether DOD's revisiting of the framework 
during the 2005 QDR represents an evolutionary progression or 
implementation delays. 

Integrating the Risk Management Framework with Decision Support 
Processes and Related Reform Initiatives Is a Significant Challenge: 

DOD faces a significant challenge integrating the risk management 
framework with decision support processes for planning, programming, 
and budgeting and with related reform initiatives into a coherent, 
unified management approach. The goal of both risk management and 
results-oriented management is to integrate the systematic concern for 
risk and performance into the usual cycle of agency decision making and 
implementation. DOD's challenge in meeting these goals is demonstrated 
by the number of initiatives, as shown in table 4, that DOD has put in 
place to improve investment decision making and manage performance 
results. For example, both capabilities planning and the risk 
management framework are to define risks and develop performance 
measures but, according to DOD officials, the department is still 
determining how to align capabilities planning with the risk management 
framework. Other initiatives, including GPRA and PART, are also to 
develop performance measures and DOD is still working on integrating 
these initiatives with the risk management framework and individual 
performance monitoring approaches of the services and other defense 
components into a single, integrated system. In December 2002, the 
Deputy Secretary of Defense issued a memorandum to correct this 
situation by requiring the alignment of the risk management framework 
and the President's Management Agenda with DOD's results-oriented 
management activities, including those associated with GPRA. 

Table 4: Select Initiatives to Improve Investment Decision Making: 

Initiative: Two-Year Planning, Programming, Budgeting, and Execution 
Process (PPBE); 
Description: In 2003, DOD implemented a 2-year cycle for its strategic 
planning, program development, and resource determination process. DOD 
stated that this change was needed to integrate DOD's processes for 
strategic planning, identification of needs for military capabilities, 
systems development and acquisition, and program and budget 
development. During the second year of the biennial budget, DOD is to 
focus on budget execution and program performance. 

Initiative: Enhanced Planning Process; 
Description: In fiscal year 2004, DOD initiated a reform of defense 
planning to make it more responsive and adaptive to the needs of senior 
decision makers. The process is to result in fiscally constrained 
guidance and priorities-- for military forces, modernization, readiness 
and sustainability, and supporting business processes and 
infrastructure activities--for program development. The enhanced 
planning process is to integrate the outcomes of operational, 
enterprise, and capabilities planning efforts in a document called the 
Joint Programming Guidance. The Joint Programming Guidance is to 
provide a link between planning and programming, and it is to provide 
guidance to the DOD components for the development of their program 
proposals. 

Initiative: Capabilities Planning; 
Description: The 2001 QDR announced a defense strategy built around the 
concept of shifting to a "capabilities-based" approach to defense. 
According to the 2001 QDR, while DOD cannot know with confidence what 
nation, group of nations, or nonstate actor might pose a threat to U.S. 
vital interests, it is possible to anticipate the capabilities an 
adversary might employ. Capabilities planning is to provide a top-down, 
competitive approach to weigh options against resource constraints 
across a spectrum of challenges and to apportion risk against those 
challenges. It is also to enable risk assessments and trade-off 
decisions across DOD organizational stovepipes. The new concept 
stresses joint solutions to problems, requires the identification of 
risk trade-offs within and across mission areas, and treats uncertainty 
explicitly. 

Initiative: Program/Budget Framework Initiative; 
Description: As part of the financial management enterprise initiatives 
of the Business Management Modernization Program, this initiative is to 
provide a foundation for a new program and budget data structure using 
a common language that enables senior level DOD decision makers to 
weigh options versus resource constraints across a spectrum of 
challenges. The framework is to consist of a number of related data 
transparency initiatives that span across all portions of the PPBE 
process, including creating department-level definitions for the four 
risk quadrants. One of the stated benefits is establishing an ability 
to view programs and resources based on the risk management framework. 

Initiative: Joint Capabilities Integration and Development System 
(JCIDS); 
Description: A system for the Joint Staff to assess gaps in military 
joint warfighting capabilities and recommend solutions to resolve those 
gaps. This system is replacing DOD's requirements- generation process 
for major acquisitions in an effort to shift the focus to a more 
capabilities-based approach for determining joint warfighting needs 
rather than a threat-based approach focused on individual systems and 
platforms. Under this system, boards comprised of high-level DOD 
civilians and military officials are to identify future capabilities 
needed around key functional concepts and areas, such as command and 
control, force application, and battlespace awareness, and to make 
trade-offs among air, space, land, and sea platforms in doing so. 

Initiative: President's Management Agenda; 
Description: The President's Management Agenda contains five 
initiatives aimed at improving federal agency management and 
performance: (1) strategic human capital management, (2) competitive 
sourcing, (3) improved financial performance, (4) expand electronic 
government, and (5) budget and performance integration. The President 
cited our work on high-risk areas and major management challenges in 
developing his initiatives, and implementation of the agenda has 
reinforced the need to focus agencies' efforts on achieving key 
management and performance improvements. 

Initiative: Budget and Performance Integration; 
Description: The budget and performance integration initiatives of the 
President's Management Agenda include elements such as the PART used to 
review programs, an emphasis on improving outcome measures, and 
improving monitoring of program performance. PART is the central 
element in the performance budgeting piece of the President's 
Management Agenda. PART builds on GPRA by actively promoting the use of 
results-oriented information to assess programs in the budget. 

Source: GAO analysis. 

[End of table] 

We note that these reform initiatives address key business processes 
within the department and that we have placed DOD's overall business 
transformation on our list of federal programs and activities at high 
risk of waste, fraud, abuse, and mismanagement.[Footnote 34] 

The Under Secretary of Defense for Acquisition, Technology and 
Logistics indicated that DOD plans to address the challenge associated 
with the integration of DOD's planning, resourcing, and execution 
processes and initiatives, including the risk management framework. The 
Under Secretary stated that one task of the ongoing 2005 QDR was 
"strategic process integration." The Under Secretary also stated that 
the department is planning to provide a roadmap with performance goals 
and timelines on how it will implement initiatives to improve strategic 
process integration. This roadmap is to be submitted with the 2005 QDR 
report to Congress in early 2006 with the fiscal year 2007 budget. 

Conclusions: 

DOD has made some progress in implementing the risk management 
framework, including establishing risk quadrants and performance goals. 
However, more work will be required for DOD to be able to put in place 
a management tool, such as the risk management framework, to 
strategically balance the allocation of resources across the spectrum 
of its investment priorities against risk over time and to monitor 
performance. The development of performance measures that clearly 
demonstrate results and that are cascaded down throughout the 
department would enable DOD to provide a clear roadmap of how its 
activities at all levels contribute to meeting its strategic goals and 
would assist the department in aligning the core processes and 
resources of its four military services and multiple defense agencies 
to better support a departmental or joint approach to national 
security. Furthermore, the risk management framework cannot be fully 
implemented until its performance goals are clearly linked to DOD's 
strategic planning goals. Unless a cause and effect relationship can be 
demonstrated between the department's performance measures and 
strategic goals, the framework's usefulness as a tool for monitoring 
DOD's execution of its strategic plan and identifying performance goals 
will be severely restricted, if not eliminated. Furthermore, the fiscal 
year 2006 budget submission does not provide sufficient information on 
how DOD identified or assessed departmental risks to establish DOD-wide 
investment priorities; thus, the linkages between the framework and the 
budget are unclear. Without better measures, clear linkages, and 
greater transparency, DOD will be unable to fully measure progress in 
achieving strategic goals or demonstrate to Congress and others how it 
considered risks and made trade-off decisions, balancing needs and 
costs for weapon programs and other investment priorities. 

The efforts of DOD's senior leadership to establish a risk-based and 
results-oriented management approach have been impeded by some key 
challenges. The lack of sustained leadership and clear lines of 
accountability has hampered implementation of the risk management 
framework and the establishment and achievement of implementation goals 
and timelines. Strong and sustained leadership could enable DOD to 
overcome resistance to change that exists in a department as massive 
and complex as DOD. In addition, the establishment of implementation 
goals and timelines could enable DOD to determine what progress has 
been made in implementing the risk management framework. Furthermore, 
the successful integration of the risk management framework into DOD's 
investment decision-making processes, including recent reform 
initiatives, could assist DOD in its overall transformation efforts. 
Until DOD develops a risk-based and results-oriented management 
approach for making investment decisions, it will likely continue to 
experience a mismatch between programs and budgets, and the 
proportional, rather than strategic, allocation of resources to the 
services. 

Recommendations for Executive Action: 

To address the challenges associated with implementing the risk 
management framework, or a similar risk-based management approach, we 
recommend that the Secretary of Defense take the following four 
actions: 

* develop or refine department-level performance measures so that they 
clearly demonstrate performance results and cascade those measures down 
throughout the department, 

* assign clear leadership with accountability and authority to 
implement and sustain the risk management framework, 

* develop implementation goals and timelines, and: 

* demonstrate the integration of the risk management framework with 
DOD's decision support processes and related reform initiatives to 
improve investment decision making and manage performance results. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, DOD partially concurred 
with our four recommendations. DOD's written comments are reprinted in 
their entirety in appendix II. DOD also provided technical comments, 
which we incorporated as appropriate. 

DOD partially concurred with our first recommendation. DOD stated that 
it concurred with our recommendation that the Secretary of Defense 
refine department-level performance measures so that they clearly 
demonstrate results, but that it did not concur with the notion that 
effectively cascading the risk management framework has been inhibited 
by the current suite of performance measures. DOD noted that that a 
number of defense components--including the Army, DOD Comptroller, the 
Defense Logistics Agency, and the Defense Information Systems Agency-- 
have successfully cascaded departmentwide strategic goals and 
implemented frameworks to measure their organization's performance. DOD 
also believes that empowering the leadership at the component level to 
develop measures, while ensuring strategic alignment, is the most 
effective way of encouraging performance management and increasing its 
utility. In our report, we acknowledge that DOD has taken positive 
steps toward developing a performance monitoring system and cascading 
the framework's goals and measures to defense components. However, our 
recommendation addresses limitations in those measures that currently 
hinder DOD's ability to use the risk management framework as a 
management tool for aligning the components' performance goals and 
measures with the risk management framework, or for strategic balancing 
investment decisions across the risk quadrants. For example, the 
majority of the risk management framework's measures are activity 
measures, or initiatives, that do not monitor a specific annual 
performance target, nor do these measures provide sufficient 
information to determine whether the activity is on schedule or 
contributes to enhancing the department's overall performance. Finally, 
our recommendation is not intended to suggest that DOD not empower the 
components to develop performance measures, but rather that DOD 
establish a clear hierarchy of goals and measures that provide 
straightforward roadmaps to demonstrate how the components' activities 
contribute to meeting DOD's strategic goals. 

DOD partially concurred with our second recommendation that the 
Secretary of Defense assign clear leadership with accountability and 
authority to implement and sustain the risk management framework. DOD 
stated that, although it agrees that such leadership is key to any 
successful performance management system, the department's senior 
executives provide sufficient leadership and accountability for 
implementing and sustaining the risk management framework. DOD also 
stated that it did not agree that a new organization or bureaucratic 
structure is needed to ensure successful implementation and sustainment 
of the risk management framework. We agree that DOD has assigned 
specific roles and responsibilities for goals and measures associated 
with the risk management framework to various high-level DOD officials. 
However, we based our recommendation on the fact that no single 
individual, with appropriate authority, was held responsible for 
ensuring that the risk management framework was implemented across the 
department. Further, our recommendation does not propose that DOD set 
up a new organization or bureaucratic structure, but, as stated in this 
report, we continue to believe that one way to provide strong and 
sustained leadership for change initiatives, such as the risk 
management framework, over a number of years and various 
administrations is to legislatively establish a CMO. 

In partially concurring with our third recommendation to develop 
implementation goals and timelines, DOD agreed that tracking progress 
in implementing the risk management framework is a good management 
practice. DOD stated that it has established goals and timelines for 
the risk management framework that are unique to the individual 
metrics, or measures, and that because the risk management framework 
continually evolves over time, new metrics will be developed while 
others may be retired. As we stated in the report, successful change 
management efforts use implementation goals--such as, for example, 
linking the risk management framework to the budget--and timelines for 
meeting those goals, to pinpoint shortfalls and gaps, suggest midcourse 
corrections, and build momentum by demonstrating progress. Therefore, 
while DOD may continually refine the individual goals and measures 
associated with the framework's risk quadrants, we believe that goals 
and timelines for the overall implementation of the framework across 
the department are essential for keeping this reform initiative on 
track. 

DOD partially concurred with our fourth recommendation that the 
Secretary of Defense demonstrate the integration of the risk management 
framework with DOD's decision support processes and related reform 
initiatives to improve investment decision making and manage 
performance results. DOD stated that the department is currently 
studying ways to further integrate the risk management framework with 
other decision support processes, but no single framework or decision 
model can provide all the necessary information or flexibility needed 
by the Secretary of Defense and his senior leadership team. We 
recognize that DOD's senior leadership needs reliable information from 
a variety of sources and flexibility to make decisions among 
alternative actions or solutions. However, if the risk management 
framework is to successfully serve as a management tool to assist 
decision makers in formulating top-down strategy, balancing investment 
priorities against risk over time, measuring near-and midterm outputs 
against strategic goals, and focusing on actual performance results--as 
intended by DOD's senior leadership--it is crucial that it be 
successfully integrated with DOD's investment decision-making 
processes, including recent reform initiatives. 

We are sending copies of this report to interested congressional 
committees; the Secretaries of Defense, Army, Navy, and Air Force; the 
Commandant of the Marine Corps; and the Director, Office of Management 
and Budget. We will also make copies available to others upon request. 
In addition, the report will be available at no charge on GAO's Web 
site at http://www/gao.gov. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-9619 or pickups@gao.gov. Contact points for our 
offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made major contributions to 
this report are listed in appendix III. 

Signed by: 

Sharon L. Pickup: 
Director, Defense Capabilities and Management: 

[End of section] 

Appendix I: Scope and Methodology: 

To assess to what extent the Department of Defense (DOD) has 
implemented the risk management framework, we obtained and analyzed DOD 
directives, briefings, and other documents that described the risk 
management framework's purpose, implementation status, and performance 
measures. We also obtained and analyzed DOD's 2001 Quadrennial Defense 
Review and annual strategic planning and budget documents. Moreover, we 
interviewed knowledgeable DOD and service officials involved with the 
implementation of the risk management framework. Specifically, we 
obtained testimonial evidence from officials representing the Office of 
the Secretary of Defense (OSD) offices--such as Program Analysis and 
Evaluation; Comptroller; Policy; Acquisition, Technology and Logistics; 
and Personnel and Readiness--the Joint Staff, the military services, 
and the Defense Business Board. To identify key risk-based and results-
oriented management principles, we reviewed our prior reports and other 
relevant literature, including information on the balanced scorecard 
concept. For example, we identified characteristics of results-oriented 
performance measures. These characteristics focused on performance 
measures that are (1) designed to demonstrate results by providing 
information on how well the organization is achieving its goals; (2) 
limited to a vital few, and balanced across priorities; and (3) used by 
management to improve performance. As another example, risk-based and 
results-oriented management principles indicate that leading 
organizations seek to establish clear hierarchies of goals and measures 
that cascade down so that subordinate units have straightforward 
roadmaps to demonstrate how their activities contribute to meeting the 
organization's strategy. We systematically analyzed and compared the 
risk management framework's department-level performance measures with 
these characteristics. However, we did not validate the procedures that 
DOD has in place to ascertain the reliability of the data used to 
support the performance measures. Regarding strategic planning, these 
principles focused on (1) establishing clear linkages among strategic 
planning goals, resources, performance goals and measures and (2) 
integrating the consideration of risk into the usual cycle of agency 
decision making and implementation. While these principles do not cover 
all attributes associated with risk-based and results-oriented 
management approaches, we believe that they are the most important ones 
for assessing DOD's progress in implementing the risk management 
framework. 

To identify the most significant challenges, we reviewed our previous 
work on change management principles. We then compared DOD's 
implementation of the risk management framework to sound change 
management principles and interviewed knowledgeable DOD officials about 
the challenges that faced the department in implementing the risk 
management framework. In addition, we reviewed our previous work to 
determine to what extent deficiencies in DOD's overall business 
transformation efforts might influence the implementation of the risk 
management framework. 

Our work was performed from October 2004 through September 2005 in 
accordance with generally accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

OFFICE OF THE SECRETARY OF DEFENSE: 
PROGRAM ANALYSIS AND EVALUATION: 
1600 DEFENSE PENTAGON: 
WASHINGTON, DC 20301-1600: 

NOV - 2 2005: 

Ms. Sharon Pickup: 
Director, Defense Capabilities and Management: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, DC 20548: 

Dear Ms. Pickup: 

This is the Department of Defense (DoD) response to the GAO draft 
report "DEFENSE MANAGEMENT: Additional Actions Needed to Enhance DoD's 
Risk-Based Approach for Making Resource Decisions," dated October 4, 
2005 (GAO Code 350611/GAO-06-13). 

DoD has reviewed the report for technical accuracy and content and 
partially concurs with the GAO's recommendations. The Department agrees 
that it is vitally important to have a coherent management process to 
set goals and objectives, measure performance, and respond rapidly to 
changing world events. Furthermore, DoD is committed to continuously 
refining its risk management framework to improve the linkages between 
strategy, performance goals, and performance results. While GAO 
recommends a number of actions to strengthen the risk management 
framework, the Department believes that its approach to date reflects a 
deliberate and tailored plan that has proven effective for managing 
this enterprise. 

Attached are specific comments on each recommendation, as well as 
technical comments. 

We appreciate the opportunity to comment on the draft report. 

Signed by: 

Stanley R. Szemborski: 
VADM, USN: 
Principal Deputy Director: 

Enclosures: As Stated: 

GAO DRAFT REPORT - DATED OCTOBER 4,2005: 
GAO CODE 350611/GAO-06-13: 

"DEFENSE MANAGEMENT: Additional Actions Needed to Enhance DoD's Risk- 
Based Approach for Making Resource Decisions" 

DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS: 

RECOMMENDATION 1: The GAO recommended that the Secretary of Defense 
develop or refine department-level performance measures so that they 
clearly demonstrate performance results. The GAO further recommended 
that the measures be cascaded through the Department. (p. 30/GAO Draft 
Report): 

DoD RESPONSE: Partially Concur. The Department concurs with the 
recommendation to refine department-level performance measures. DoD has 
worked continuously to refine both its performance measures and risk 
management framework in order to clearly demonstrate performance 
results and better link strategy to outcomes. In fact, one of the 
primary outputs of many activity metrics are new, refined measures that 
include the data necessary for quantitative evaluation. The Department 
believes that the process of developing better, more refined 
performance measures should continue, as no performance management 
system is ever truly "complete." 

However, DoD nonconcurs with the notion that effectively cascading the 
risk framework has been inhibited by the current suite of performance 
measures. DoD has demonstrated substantial progress in cascading 
measures throughout the Department. Upon introducing the risk 
management framework, the Department set out to ensure alignment across 
components and Defense agencies by requiring that each organization's 
performance plan or balanced scorecard: (t) reflect the balanced 
scorecard risk quadrants; (2) reflect the Department's overall 
performance objectives; and (3) align with and support the outcomes and 
performance metrics of the next higher organization. A number of 
Defense components-including the Army, DoD Comptroller, Defense 
Logistics Agency (DLA), and Defense Information Systems Agency (DISA)- 
have successfully cascaded Department-wide strategic goals and 
implemented frameworks to measure their organization's performance. DoD 
believes that empowering the leadership at the component level to 
develop measures that are meaningful and relevant to one's own 
organization, while ensuring strategic alignment, is the most effective 
way of encouraging performance management and increasing its utility. 

RECOMMENDATION 2: The GAO recommended that the Secretary of Defense 
assign clear leadership with accountability and authority to implement 
and sustain the risk management framework. (p. 30/GAO Draft Report): 

DOD RESPONSE: Partially Concur. The Department agrees-that clear 
leadership with accountability and authority are key characteristics of 
any successful performance management system. However, contrary to the 
GAO's assessment, the Department has taken a number of deliberate 
actions to ensure proper accountability and authority. Therefore, DoD 
does not agree that a new organization or bureaucratic structure is 
needed to ensure successful implementation and/or sustainment of the 
risk management framework. 

DoD's senior executives, including Principal Staff Assistants and their 
Performance Management Coordinators, provide sufficient leadership and 
accountability for implementing and sustaining the risk management 
framework. Specific roles and responsibilities include: 

(1) the development of annual performance targets to support the risk 
management framework; (2) data -collection; (3) verification and 
validation of performance data; and (4) management of activities to 
improve performance and achieve targets during, and following, the year 
of execution. By empowering senior leaders throughout the Department to 
measure organizational performance, and manage accordingly, the 
Department has made great progress in ensuring accountability. 

RECOMMENDATION 3: The GAO recommended that the Secretary of Defense 
develop implementation goals and timelines. (p. 30/GAO Draft Report): 

DoD RESPONSE: Partially Concur. DoD agrees that tracking progress in 
implementing the framework is a good management practice. However, DoD 
has taken the necessary steps to track implementation of the risk 
management framework. For example, DoD has established goals and 
timelines for the risk management framework that are unique to the 
individual metrics. The Department has also established either a 
performance metric or activity metric for every relevant area. Since 
the risk management framework continually evolves over time to reflect 
changes in strategy, priorities, and senior leadership interest, new 
metrics will be developed while others may retired. Because individual 
metric development occurs at different points in time, there is not one 
single milestone or event that will mark completion of the risk 
management framework as a whole. 

RECOMMENDATION 4: The GAO recommended that the Secretary of Defense 
demonstrate the integration of the risk management framework with DoD's 
decision support processes and related reform initiatives to improve 
investment decisionmaking and manage performance results. (p. 30/GAO 
Draft Report): 

DOD RESPONSE: Partially Concur. The Department agrees that integrating 
the risk management framework with other decision support processes and 
related reform initiatives is both a natural evolution of the risk 
management framework's maturation effort and a beneficial output of the 
process. As such, the Department is currently studying ways to further 
integrate the risk management framework with other decision support 
processes. However, the Secretary of Defense and his senior leadership 
team must be able to make well-informed decisions in a variety of 
circumstances. No single framework or decision model can provide all of 
the necessary information and/or flexibility. 

Technical Comments Draft GAO Report GAO-06-13, GAO Code 350611: 

Issue: Page 2, paragraph 2. Sentence reads: "..we conducted interviews 
with DoD and service officials, members of the Joint Staff, and members 
of the Defense Business Board." 

The Defense Business Board does not officially speak on the 
Department's behalf. 

Issue: Page 12, paragraph 2. The sentence reads: "44 of the 77 
departmental-level measures .. are activity measures." Page 13, Table 
1. Footnote describes a recoding of five performance measures to 
activity measures. 

DoD objects to recoding these metrics from performance metrics to 
activity metrics. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Sharon Pickup, (202) 512-9619 or pickups@gao.gov: 

Acknowledgments: 

In addition to the contact named above, David Moser, Assistant 
Director; Donna Byers; Gina Flacco; and Renee S. Brown made key 
contributions to this report. 

FOOTNOTES 

[1] See GAO, 21st Century Challenges: Reexamining the Base of the 
Federal Government, GAO-05-325SP (Washington, D.C.: February 2005) for 
a comprehensive compendium of areas throughout the federal government 
that could be considered for reexamination and review by Congress. 

[2] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[3] GAO, Highlights of a GAO Forum: Mergers and Transformation: Lessons 
Learned for a Department of Homeland Security and Other Federal 
Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 2002), and Results- 
Oriented Cultures: Implementation Steps to Assist Mergers and 
Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2, 
2003). 

[4] S. 780, 109th Cong. §1 (2005). 

[5] GAO-05-207. 

[6] GAO-05-207. 

[7] The Government Performance and Results Act of 1993 (Pub. L. No. 103-
62). 

[8] The balanced scorecard approach was advocated by Professor Robert 
Kaplan and Dr. David Norton in the November/December 1992 Harvard 
Business Review. 

[9] GAO-05-325SP. 

[10] See for example, Committee of Sponsoring Organizations of the 
Treadway Commission, Enterprise Risk Management--Integrated Framework: 
Executive Summary (New York, N.Y.: September 2004). 

[11] Pub. L. No. 103-62 (1993). 

[12] The President's Management Agenda, by focusing on a number of 
targeted areas, seeks to improve the performance management of the 
federal government. 

[13] For further information see: GAO, Performance Budgeting: PART 
Focuses Attention on Program Performance, but More Can Be Done to 
Engage Congress, GAO-06-28 (Washington, D.C.: Oct. 28, 2005); 
Management Reform: Assessing the President's Management Agenda, GAO-05-
574T (Washington, D.C.: Apr. 21, 2005); Results-Oriented Government: 
GPRA Has Established a Solid Foundation for Achieving Greater Results, 
GAO-04-38 (Washington, D.C.: Mar. 10, 2004); and Performance Budgeting: 
Observations on the Use of OMB's Program Assessment Rating Tool for the 
Fiscal Year 2004 Budget, GAO-04-174 (Washington, D.C.: Jan. 30, 2004). 

[14] GAO, Executive Guide: Effectively Implementing the Government 
Performance and Results Act, GAO/GGD-96-118 (Washington, D.C.: June 
1996) and Managing for Results: Enhancing Agency Use of Performance 
Information for Management Decision Making, GAO-05-927 (Washington, 
D.C.: Sept. 9, 2005). 

[15] GAO/GGD-96-118. 

[16] GAO/GGD-96-118 and GAO-05-927. 

[17] GAO/GGD-96-118. 

[18] GAO/GGD-96-118. 

[19] GAO, Quadrennial Defense Review: Future Reviews Can Benefit from 
Better Analysis and Changes in Timing and Scope, GAO-03-13 (Washington, 
D.C.: Nov. 4, 2002). 

[20] The Defense Business Board was established in 2001 by the 
Secretary of Defense to provide DOD's senior leadership with leading- 
edge, actionable advice on management improvements. 

[21] GAO, Managing for Results: Critical Issues for Improving Agencies' 
Strategic Plans, GAO/GGD-97-180 (Washington, D.C.: Sept. 16, 1997). 

[22] See GAO/GGD-96-118. 

[23] The Future Years Defense Program provides information on DOD's 
current and planned outyear budget requests. 

[24] GAO, Future Years Defense Program: Actions Needed to Improve 
Transparency of DOD's Projected Resource Needs, GAO-04-514 (Washington, 
D.C.: May 7, 2004). 

[25] GAO, Defense Acquisitions: Assessments of Selected Major Weapon 
Programs, GAO-05-301 (Washington, D.C.: Mar. 31, 2005). 

[26] GAO-05-325SP. 

[27] GAO-05-325SP. 

[28] Joint Defense Capabilities Study Team, Joint Defense Capabilities 
Study: Final Report (Washington, D.C.: December 2003). 

[29] GAO, Management Reform: Elements of Successful Improvement 
Initiatives, GAO/T-GGD-00-26 (Washington, D.C.: Oct. 15, 1999). 

[30] GAO-05-520T and GAO-05-629T. 

[31] S. 780, 109th Cong. §1 (2005). 

[32] GAO-03-669. 

[33] GAO-03-669. 

[34] GAO-05-207. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: