This is the accessible text file for GAO report number GAO-06-13 entitled 'Defense Management: Additional Actions Needed to Enhance DOD's Risk-Based Approach for Making Resource Decisions' which was released on November 16, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate: United States Government Accountability Office: GAO: November 2005: Defense Management: Additional Actions Needed to Enhance DOD's Risk-Based Approach for Making Resource Decisions: GAO-06-13: GAO Highlights: Highlights of GAO-06-13, a report to the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate: Why GAO Did This Study: The Department of Defense (DOD) is simultaneously conducting costly military operations and transforming its forces and business practices while it is also competing for resources in an increasingly constrained fiscal environment. As a result, GAO has advocated that DOD adopt a comprehensive threat or risk management approach as a framework for decision making. In its 2001 strategic plan, the Quadrennial Defense Review (QDR), DOD stated its intent to establish an approach—the risk management framework—to balance priorities against risk over time and monitor results against its strategic goals. GAO was asked to (1) assess the extent to which DOD has implemented the framework, including using it to make investment decisions, and (2) identify the most significant challenges DOD faces in implementing the framework, or a similar approach. What GAO Found: DOD has taken some positive steps to implement the framework, but additional actions are needed before DOD can show real and sustainable progress in using a risk-based and results-oriented approach to strategically allocate resources across the spectrum of its investment priorities. For example, DOD defined four risk areas, and developed performance goals and department-level measures, but it needs to, among other things, further develop and refine the measures so that they clearly demonstrate results and provide a well-rounded depiction of departmental performance. DOD’s current strategic plan and goals also are not clearly linked to the framework’s performance goals and measures, and linkages between the framework and budget are also unclear. While DOD officials stated that risk was considered during the fiscal year 2006 budget cycle, DOD’s budget submission does not specifically discuss how DOD identified or assessed risks to establish DOD-wide investment priorities. Without better measures, clear linkages, and greater transparency, DOD will be unable to fully measure progress in achieving strategic goals or demonstrate to Congress and others how it considered risks, and made trade-off decisions, balancing needs and costs for weapon programs and other investment priorities. DOD’s Risk Management Framework: Force Management Risk; Definition: Challenge of sustaining personnel, infrastructure, and equipment. Operational Risk; Definition: Challenge of deterring or defeating near-term threats. Future Challenges Risk; Definition: Challenge of dissuading, deterring, defeating longer-term threats. Institutional Risk; Definition: Challenge of improving efficiency (includes financial management). Source: DOD. [End of table] DOD faces four challenges that have affected the implementation of the framework. First, DOD’s organizational culture resists department-level approaches to priority setting and investment decisions. Second, sustained leadership, adequate transparency, and appropriate accountability are lacking. Further, no one individual or office has been assigned overall responsibility or sufficient authority for the framework’s implementation. DOD also has not developed implementation goals or timelines with which to establish accountability, or measure progress. Finally, integrating the risk management framework with decision support processes and related reform initiatives into a coherent, unified management approach for the department is a challenge that DOD plans to address during the 2005 QDR. However, GAO has concerns about DOD’s ability to follow through on this integration, because of its limited success in implementing other management reforms. Unless DOD successfully addresses these challenges and effectively implements the framework, or a similar approach, it will likely continue to experience (1) a mismatch between programs and budgets, and (2) a proportional, rather than strategic, allocation of resources to the services. What GAO Recommends: GAO recommends that DOD take various actions to increase its chances of successfully implementing a risk-based approach for investment decision making, such as developing results-oriented measures and assigning clear leadership with appropriate accountability and authority to implement the framework. DOD partially concurred with our recommendations. www.gao.gov/cgi-bin/getrpt?GAO-06-13. To view the full product, including the scope and methodology, click on the link above. For more information, contact Sharon Pickup at (202) 512-9619 or pickups@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Despite Positive Steps, Additional Actions Needed to Fully Implement the Risk Management Framework: Cultural Resistance, Combined with the Lack of Leadership, Implementation Goals, and Process Integration, Affects DOD's Implementation of the Risk Management Framework: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Definitions and Examples of DOD Department-Level Measures (as of November 2004): Table 2: The Number of Activity and Performance Measures for Each Quadrant: Table 3: Military Service and Defense-Wide Percentage of the 2005 and 2006 Future Years Defense Programs: Table 4: Select Initiatives to Improve Investment Decision Making: Figures: Figure 1: The Risk Management Cycle: Figure 2: Comparison of the Balanced Scorecard and the Risk Management Framework: Abbreviations: CBO: Congressional Budget Office: CMO: chief management official: DOD: Department of Defense: FYDP: Future Years Defense Program: GAO: Government Accountability Office: GPRA: Government Performance and Results Act: JCIDS: Joint Capabilities Integration and Development System: OSD: Office of the Secretary of Defense: PA&E: Program Analysis and Evaluation (PA&E): PPBE: Planning, Programming, Budgeting, and Execution: P&R: Personnel and Readiness: PART: Program Assessment Rating Tool: QDR: Quadrennial Defense Review: United States Government Accountability Office: Washington, DC 20548: November 15, 2005: The Honorable John Ensign: Chairman: The Honorable Daniel K. Akaka Ranking Minority Member: Subcommittee on Readiness and Management Support: Committee on Armed Services: United States Senate: Among the 21st century challenges facing the Department of Defense (DOD) and the nation as a whole are difficult decisions concerning how to strike an affordable balance between current and future national security needs and between national security and domestic needs.[Footnote 1] For example, DOD is simultaneously maintaining a high pace of military operations for combating terrorism and transforming its military forces and business operations for the 21st century while it is also competing for federal resources in an increasingly fiscally constrained environment. We have advocated that DOD--as well as the rest of the federal government--adopt a comprehensive threat or risk management approach as a framework for decision making.[Footnote 2] This approach would fully link strategic goals to plans and budgets; assess the values and risks of various courses of actions as a tool for reexamining defense programs, setting priorities, and allocating resources; and use performance measures to assess outcomes. To its credit, DOD introduced a balanced scorecard for risk management, commonly known as the risk management framework, in its strategic plan, the 2001 Quadrennial Defense Review (QDR) report. The 2001 strategic plan articulated the new administration's emphasis on transforming military forces and defense business practices to meet the emerging challenges facing our nation. DOD intended the framework to be used as a management tool to focus DOD's efforts on implementing the defense program as outlined in the strategic plan. In particular, DOD's senior leadership intended the risk management framework to assist decision makers in formulating top-down strategy, balancing investment priorities against risk over time, measuring near-and midterm outputs against strategic goals, and focusing on actual performance results. According to DOD officials, the risk management framework also was intended to increase transparency within the department over the decision-making process. During the ongoing 2005 QDR, DOD plans to refine the risk management framework. You asked us to examine the status of DOD's efforts to adopt a risk- based approach to decision making, given the emphasis that DOD was placing on the risk management framework. In response, we (1) assessed the extent to which DOD has implemented its risk management framework, including the extent to which DOD has used the framework to make investment decisions; and (2) identified the most significant challenges DOD faced in implementing the risk management framework or a similar risk-based and results-oriented management approach. To assess the extent to which DOD has implemented the risk management framework, we analyzed key documents, policy guidance, data, and interview results, and compared the analysis to the principles for managing risk and results identified in prior GAO reports. In addition, we conducted interviews with DOD and service officials, and members of the Joint Staff. We discussed the department's progress in implementing the risk management framework with members of the Defense Business Board. We also analyzed DOD's department-level performance goals and measures that are associated with the risk management framework and assessed how DOD reported that information externally. We did not validate the appropriateness of the risk management framework's risk quadrants or the procedures that DOD has in place to ascertain the reliability of performance data and we also did not assess the basis for DOD's investment decisions. To identify the most significant challenges DOD faced in implementing the risk management framework, we analyzed documents, data, and interview results, and compared the results of this analysis to the key practices to assist mergers and organizational transformation identified in prior GAO reports.[Footnote 3] A more detailed discussion of our scope and methodology is presented in appendix I. Our work was performed from October 2004 through September 2005 in accordance with generally accepted government auditing standards. Results in Brief: DOD has taken positive steps toward implementing the risk management framework; however, additional actions are needed before the framework is fully implemented and DOD can demonstrate real and sustainable progress in using a risk-based and results-oriented approach to strategically allocate resources across the spectrum of its investment priorities. For example, while DOD established four risk areas, or quadrants, and developed performance goals and measures of two types-- activity measures (measures to track initiatives) and performance measures--the majority of these measures do not provide sufficient information to monitor performance against the risk quadrants' goals. Specifically, and contrary to results-oriented management principles, the risk management framework's measures (1) do not clearly demonstrate results, (2) do not provide a well-rounded depiction of performance across the department, and (3) are not being systemically monitored across all quadrants, except for the force management quadrant. In addition, the framework's performance goals and measures are not clearly linked to DOD's current strategic plan and strategic goals. Lacking measures that follow results-oriented management principles and clear linkages to strategic goals, DOD may be unable to provide a clear roadmap of how its activities at all levels contribute to meeting DOD's strategic goals. Finally, although DOD officials stated that risk was considered in the fiscal year 2006 budget cycle, the fiscal year 2006 budget submission does not include any specific information on how DOD systematically identified or assessed departmental risks to establish DOD-wide investment priorities. Therefore, the linkages between the risk management framework and the budget are unclear. Without better measures, clear linkages, and greater transparency, DOD will be unable to fully measure progress in achieving strategic goals or demonstrate to Congress and others how it considered risks and made trade-off decisions, balancing needs and costs for weapon system programs and other investment priorities. DOD faces four key challenges that affect its ability to fully implement the risk management framework, or a similar risk-based and results-oriented management approach: (1) overcoming cultural resistance to the transformational change represented by such an approach in a department as massive, complex, and decentralized as DOD; (2) maintaining sustained leadership and clear accountability for this cultural transformation; (3) providing implementation goals and timelines to gauge progress in transforming the culture; and (4) integrating the risk management framework with decision support processes and related reform initiatives into a coherent, unified management approach for the department. Our prior work on results- oriented management and organizational transformation and mergers has shown that addressing these challenges is at the center of successful change management efforts in leading organizations. DOD is having difficulties implementing the framework because it has not addressed these four challenges. With respect to the first challenge, DOD's size and complexity result in a culture that makes developing department- level approaches to priority setting and investment decision making difficult. For example, the allocation of budgets on a proportional, rather than a strategic, basis among the services is a long-standing budgetary problem that we have reported about for years. Second, the lack of sustained leadership and clear accountability for the framework's implementation has resulted in a lack of emphasis and understanding of its status and purpose within the department. Because of the lack of sustained leadership for other management reform efforts, we have supported legislation to create a chief management official (CMO) at DOD to provide this leadership.[Footnote 4] Third, DOD did not establish implementation goals or timelines with which to establish accountability, measure progress, and build momentum. Finally, integrating the risk management framework with other decision support processes and related reform initiatives into a coherent, unified management approach is a challenge that DOD intends to address in the ongoing 2005 QDR. Illustrating this challenge, DOD is attempting to implement the risk management framework while it is also shifting to biennial budgeting and reforming defense planning. Our work has shown that if risk-based and results-oriented management approaches are to be successfully implemented, they must be integrated into the usual cycle of agency decision making. Unless DOD addresses these challenges and successfully implements the risk management framework, or a similar approach, it may continue to experience (1) a mismatch between programs and budgets, and (2) the proportional, rather than strategic, allocation of resources to the services. Therefore, Congress may have insufficient transparency into how DOD has identified and assessed risks and made trade-offs in its investment decision making. In this report, we recommend that DOD take various actions to increase its chances of successfully implementing a risk-based approach for investment decision making. This includes developing results-oriented measures and assigning clear leadership with appropriate accountability and authority to implement and sustain the risk management framework, or a similar approach. In written comments on a draft of this report, DOD partially concurred with our recommendations. DOD's comments and our evaluation of them are on page 25 of this report. Background: In our report, High-Risk Series: An Update,[Footnote 5] we identified agencies' lack of comprehensive risk management strategies as an emerging challenge for the federal government. Increasingly limited fiscal resources across the federal government, coupled with the emerging requirements from the changing security environment, emphasize the need for DOD to develop a risk-based strategic investment approach. For this reason, we have advocated that DOD adopt a comprehensive risk management approach for decision making.[Footnote 6] Furthermore, DOD and other federal agencies are required by statute to develop a results- oriented management approach to strategically allocate resources on the basis of performance.[Footnote 7] The balanced scorecard--a concept to balance an organization's focus across financial, customer, internal business, and learning and growth management areas--is one approach for developing results-oriented management that government agencies have recently started to adopt.[Footnote 8] At the direction of the Secretary of Defense, DOD developed a risk management framework that DOD later aligned with its results-oriented management activities through a DOD balanced scorecard. Risk Management Is an Emerging 21st Century Challenge: An emerging challenge for the federal government involves the need for the completion of comprehensive national threat and risk assessments in a variety of areas. For example, emerging requirements from the changing security environment, coupled with increasingly limited fiscal resources across the federal government, emphasize the need for agencies to adopt a sound approach to establishing resource decisions.[Footnote 9] We have advocated that the federal government, including DOD, adopt a comprehensive threat or risk management approach as a framework for decision making that fully links strategic goals to plans and budgets, assesses values and risks of various courses of actions as a tool for setting priorities and allocating resources, and provides for the use of performance measures to assess outcomes. Based on our review of the literature,[Footnote 10] as shown in figure 1, the goal of risk management is to integrate systematic concern for risk into the usual cycle of agency decision making and implementation. Figure 1: The Risk Management Cycle: [See PDF for image] [End of figure] A risk management cycle represents a series of analytical and managerial steps, basically sequential, that can be used to assess risk, evaluate alternatives for reducing risks, choose among those alternatives, implement the alternatives, monitor their implementation, and continually use new information to adjust and revise the assessments and actions, as needed. Adoption of a risk management cycle such as this can aid in assessing risk by determining which vulnerabilities should be addressed, and how they should be addressed, within available resources. For the purposes of this report, we focused on the stages of the risk management cycle that involve DOD's actions to set strategic goals and objectives, establish investment priorities based on risk assessments, and implementation and monitoring. Risk management's objectives are essentially the same as those of good management, and they are consistent with the broad economy and efficiency objectives of good government--namely, to provide better outcomes for the same amount of money, or to provide the same outcomes with less money. Therefore, risk management's objectives are also compatible with those of the federal government's results-oriented management approach, which was enacted in the Government Performance and Results Act (GPRA) of 1993,[Footnote 11] and the balanced scorecard approach. Congress enacted GPRA to focus the federal government on achieving results through the creation of clear links between the process of allocating scarce resources and an agency's strategic goals, or the expected results to be achieved with those resources. Building on GPRA's foundation, the current administration has taken steps to strengthen the integration of budget, cost, and performance information by including budget and performance integration as one of its management initiatives under the umbrella of the President's Management Agenda.[Footnote 12] The Budget and Performance Integration initiative includes efforts such as the Program Assessment Rating Tool (PART), improving outcome measures, and improving monitoring of program performance.[Footnote 13] The balanced scorecard approach is a management tool that some federal agencies have adopted to help them translate the strategy set forth in a results-oriented management approach into the operational objectives that drive both behavior and performance. The balanced scorecard consists of four management areas that organizations should focus on--financial, customer, internal business, and learning and growth. DOD's 2001 Strategic Plan Outlines a New Risk Management Framework: DOD introduced the risk management framework in its strategic plan, the 2001 QDR report. The 2001 strategic plan articulated the new administration's emphasis on transforming military forces and defense business practices to meet the changing threats facing our nation. In his guidance to the department for the 2001 QDR strategic planning process, the Secretary of Defense stated the need for DOD to use a risk mitigation approach for balancing force, resource, and modernization requirements across defense planning timelines. This guidance also stated that DOD must include the identification of output-based measures to reduce inefficiencies through the department in any approach to risk management. Building on the guidance, the 2001 QDR outlined DOD's risk management framework. According to the QDR, the framework would enable DOD to address the tension between preparing for future threats and meeting the demands of the present with finite resources. It was also intended to ensure that DOD was sized, shaped, postured, committed, and managed with a view toward accomplishing the strategic plan's defense policy goals. DOD adapted the balanced scorecard concept to the risk management framework by substituting the four dimensions of risk--force management, operational, future challenges, and institutional--for the scorecard's four management areas. The risk management framework was to be a transformational tool that would provide a balanced perspective of the organization's execution of strategy and ensure a top-down approach. The 2002 policy guidance also designated four preliminary performance goals for each of the four risk quadrants. In addition, the guidance required that performance goals and measures were to be cascaded to the services and defense agencies. Figure 2 shows a comparison, as provided by DOD. Figure 2: Comparison of the Balanced Scorecard and the Risk Management Framework: [See PDF for image] [End of figure] Despite Positive Steps, Additional Actions Needed to Fully Implement the Risk Management Framework: Despite positive steps, DOD needs to take additional actions before the risk management framework is fully implemented and DOD can demonstrate real and sustainable progress in using a risk-based and results- oriented approach to strategically allocate resources across the spectrum of its investment priorities. For example, DOD is still in the process of developing department-level measures for the framework that address results-based management principles, such as linking performance information to strategic goals so that this information can be used to monitor performance results and determine how well the department is doing in achieving its strategy. Without more results- oriented performance measures, DOD may be unable to provide the services and other defense components with clear roadmaps of how their activities contribute to meeting DOD's strategic goals. In addition, the framework's performance goals and measures are not clearly linked to DOD's current strategic plan and strategic goals. Furthermore, the extent to which the risk management framework is linked to the budget cycle is unclear. Without better measures, clear linkages, and greater transparency, DOD will be unable to fully measure progress in achieving strategic goals or demonstrate to Congress and others how it considered risks and made trade-offs in making investment decisions. Developing a Set of Measures That Can Be Used to Monitor Performance Is a Work in Progress: DOD has taken positive steps toward developing measures for each of the performance goals under the framework's four risk quadrants; however, developing a set of measures that can be used to monitor performance results is still a work in progress. Based on GAO's prior work on results-based management principles, we found that leading organizations' performance measures are: (1) designed to demonstrate results, or provide information on how well the organization is achieving its goals; (2) limited to a vital few, and balanced across priorities; and (3) used by management to improve performance.[Footnote 14] However, the set of measures DOD has developed for the risk management framework do not adequately address these principles. While DOD established four risk quadrants and developed performance goals and measures of two types--activity measures (measures to track initiatives) and performance measures--the majority of its measures do not provide sufficient information to monitor performance against the risk quadrants' goals. First, DOD officials acknowledge that establishing department-level measures for the framework that demonstrate results is still a work in progress, as the majority of the risk management framework's measures require further development or refinement. In fact, as shown in table 1, 44 of the 77 department-level measures for all four quadrants, or over 50 percent, are activity measures. According to DOD sources, activity measures are to result in a new performance measure, a new baseline or benchmark, or define a new capability, rather than monitor a specific annual performance target. Once these activities are completed, DOD officials stated that the department will be better able to monitor department-level performance against strategic goals. However, our analysis found that the activity measures, as defined in DOD's external reports, typically do not provide sufficient information to monitor the department's progress in achieving the stated goal they are to measure, such as developing a new performance measure or baseline. The desired outcomes for activity measures generally state that a task was or will be completed by a certain date but they do not provide sufficient information on whether the activity is on schedule, the interdependencies among tasks, or the contribution toward enhancing the department's performance. Therefore, Congress and other external stakeholders lack information and adequate assurances that DOD is making progress in implementing a risk-based and results-oriented management approach to making investment decisions. Table 1: Definitions and Examples of DOD Department-Level Measures (as of November 2004): Type: Activity measures; Number: 44[A]; Definition: Activity measures track developmental activities, are usually qualitative, and track key milestones or events in lieu of a specific annual performance target; Examples: Deny enemy advantages and exploit weaknesses; Description of desired outcome monitored by measure: Roadmap will be complete by the end of fiscal year 2005. Examples: Enhance homeland defense and consequence management; Description of desired outcome monitored by measure: Strategy will be complete by the first quarter of fiscal year 2005. Type: Performance measures; Number: 33[A]; Definition: Performance measures track current outputs and set quantitative annual targets for performance that are measurable; Examples: Reserve component enlisted recruiting quality; Description of desired outcome monitored by measure: Target > 90% of recruits holding high school diplomas; Actual 88% of recruits holding high school diplomas. Examples: Reduce customer wait time (in days); Description of desired outcome monitored by measure: Target 15 days from order to receipt for material goods; Actual 24 days from order to receipt for material goods. Source: GAO analysis of the Risk Management Framework's performance measures. [A] We have recoded five performance measures as activity measures as these measures tracked milestones and events, which corresponds with DOD's definition of an activity measure. [End of table] Second, DOD's department-level performance measures are still a work in progress in that these measures do not provide a well-rounded depiction of DOD's performance. In our previous work, we have found that performance measurement efforts that are not balanced across priorities may skew an agency's performance and keep its senior leadership from seeing the whole picture.[Footnote 15] For example, in developing department-level measures for the risk management framework, DOD appears to have overemphasized its force management priorities at the expense of operational risk. As illustrated in table 2, the operational risk quadrant has no performance measures, while the force management risk quadrant has a total of 36 measures, including 15 activity measures and 21 performance measures. Table 2: The Number of Activity and Performance Measures for Each Quadrant: Activity measures: Operational: 15; Performance measures: Operational: 21; Total measures: Operational: 36[A]. Force Management: Operational; Activity measures: 9; Performance measures: 0; Total measures: 9. Activity measures: 11; Performance measures: 10; Total measures: 21[B]. Force Management; Activity measures: 9; Performance measures: 2; Total measures: 11[C]. Source: GAO analysis of DOD data. [A] We have recoded two performance measures as activity measures as these measures tracked milestones and events, which corresponds with DOD's definition of an activity measure. [B] We have recoded one performance measure as an activity measure as this measure tracked milestones and events, which corresponds with DOD's definition of an activity measure. [C] We have recoded two performance measures as activity measures as these measures tracked milestones and events, which corresponds with DOD's definition of an activity measure. [End of table] In providing technical comments to a draft of this report, DOD objected to our recoding of five department-level performance measures as activity measures. We recoded these measures because they tracked milestones and events, which corresponded to DOD's definition of an activity measure. The measures we recoded addressed the following: * a civilian human resources strategic plan, * a military human resources strategic plan, * monitor the status of defense technology objectives, * strategic transformation appraisal, and: * support acquisition excellence goals. Finally, DOD officials indicated that DOD is systematically using performance measures to monitor progress and improve performance for only one risk quadrant, although individual measures under the other three risk quadrants may be monitored. We have found that leading organizations use performance information to improve organizational performance and identify performance gaps, and to provide incentives that reinforce a results-oriented management approach.[Footnote 16] According to DOD officials, the force management quadrant is the only quadrant that is managed by one individual and one office--the Under Secretary of Defense for Personnel and Readiness and his office. These officials stated that this situation is a critical factor in the progress DOD has made in systematically monitoring performance across the force management quadrant on a routine basis. For example, officials stated that the Under Secretary of Defense personally leads quarterly monitoring sessions on the force management quadrant's performance. DOD officials also told us that the Under Secretary of Defense for Personnel and Readiness has greatly facilitated this monitoring by developing a centralized database to capture the performance data used to track DOD's performance in meeting the quadrant's goals. Unless all of the risk management framework's quadrants are systematically monitored, implementation of the framework may be hindered and the framework risks becoming a paper-driven, compliance exercise. Indeed, one DOD official told us that he views the risk management framework and its measures as a "reporting drill" and, in addition, his office would not change its processes if DOD was to no longer use the framework. Cascading the Risk Management Framework's Goals and Measures Is an Ongoing Effort: DOD is still in the process of cascading the risk management framework's goals and measures to the services. We have found that leading organizations seek to establish clear hierarchies of goals and measures that cascade down so that subordinate units have straightforward roadmaps to demonstrate how their activities contribute to meeting the organization's strategy.[Footnote 17] According to DOD officials, all of the services are attempting to align their existing performance measures with the department-level performance goals and measures. However, service officials said that it is challenging to cascade the department-level activity measures, because these measures represent very broad initiatives that may not be applicable at all DOD levels. Officials from one service said they have had to develop new measures to align with the department-level measures, because they had been assessing performance with fewer measures than the Office of the Secretary of Defense had developed. Developing a Strategic Plan with Clear Linkages between the Risk Management Framework and Strategic Goals Is a Critical Next Step: The risk management framework's performance goals and measures are not clearly linked--a key principle of results-oriented management--to a coherent strategic plan.[Footnote 18] The development of such a strategic plan is a critical next step in using a risk-based and results-oriented approach to making investment decisions. Without these linkages, DOD cannot easily demonstrate how achievement of a performance goal or measure contributes to the achievement of strategic goals and ultimately the organization's mission. Our previous work indicated that DOD's strategic plan, the 2001 QDR, did not provide a sound foundation for the risk management framework.[Footnote 19] We reported that the usefulness of the 2001 QDR was limited by the lack of focus on longer-term threats and requirements for critical support capabilities, and provided few insights into how future threats and planned technical advances could affect future force requirements. In turn, this lack of focus and insight limited the QDR's usefulness as a foundation for fundamentally reassessing U.S. defense plans and programs and for balancing resources across near-and midterm risks. DOD officials indicated that DOD has not yet defined the linkages between the risk management framework's performance goals and the strategic goals in the 2001 QDR. Furthermore, the Defense Business Board's official minutes for its July 28, 2005, meeting contained a recommendation that the Secretary of Defense define department-level objectives, which should then be cascaded down the department.[Footnote 20] In discussing the ongoing 2005 QDR, DOD stated that although the department would continue its efforts to do so, establishing these linkages was very challenging because of the size and scope of DOD's operations. However, as suggested by the Defense Business Board and our previous work, if DOD's strategic plan is to drive the department's operations, a straightforward linkage is needed among strategic goals, annual performance goals, and day-to-day activities.[Footnote 21] The ongoing 2005 QDR offers DOD the opportunity to strengthen its strategic planning. Although Risk Considered, Linkages Between the Risk Management Framework and Budget Are Unclear: According to DOD officials, the department has begun to consider risk in its investment decision making; however, the full extent to which the framework's risk-based and results-oriented approach has been linked to the fiscal year 2006 budget cycle is unclear. Our work indicates that leading organizations link strategy to the budget process through results-oriented management to evaluate potential investments or initiatives.[Footnote 22] DOD sources indicated that the department has begun to consider risk during its usual cycle of investment decision making. For example, according to DOD sources, the Secretary of Defense articulated broad areas for increasing or decreasing risk under each quadrant in the fiscal years 2006-2011 planning guidance, leaving it up to the defense components to decide how to structure their investment decisions within those broad areas consistent with the Secretary's risk guidance. In addition, DOD officials stated that the framework has increased awareness within the department on the need to balance risk over time. For example, when DOD reduced the fiscal years 2006-2011 defense program by $30 billion, DOD officials stated that the department did not take the traditional budgetary approach of cutting each defense component's budget by a certain percentage. Instead, DOD officials stated that the Secretary of Defense used a collaborative approach with service participation to discuss where to take the budget reductions and how these cuts would affect risk, although DOD officials offered various views on how extensively the framework was used to make those decisions. Second, DOD required that the services and other defense components offset any funding increase in one area with a funding decrease in another area for the fiscal years 2006-2007 budget submission. According to DOD officials, risk--whether on the basis of "professional judgment" or analysis--was considered in these deliberations. For example, the Army's plan for fiscal years 2006-2023 articulated areas for increasing risks so that it could decrease risk in the operational risk dimension by investing in current capacity. However, the fiscal year 2006 budget submission does not include any specific information on how DOD systematically identified or assessed departmental risks to establish DOD-wide investment priorities. For example, the military services' share of the Future Years Defense Program (FYDP) remained relatively unchanged from fiscal year 2005 to fiscal year 2006 (see table 3),[Footnote 23] providing one indication that the risk management framework may not yet be a useful tool for balancing departmental risks across the services. Table 3: Military Service and Defense-Wide Percentage of the 2005 and 2006 Future Years Defense Programs: Department of the Army; 2005 Percentage of FYDP: 24.23; 2006 Percentage of FYDP: 24.63; Percentage change by department: 0.40. Department of the Navy; 2005 Percentage of FYDP: 29.75; 2006 Percentage of FYDP: 29.47; Percentage change by department: -0.28. Department of the Air Force; 2005 Percentage of FYDP: 29.80; 2006 Percentage of FYDP: 29.82; Percentage change by department: 0.02. Defense-wide; 2005 Percentage of FYDP: 16.22; 2006 Percentage of FYDP: 16.08; Percentage change by department: -0.14. Total; 2005 Percentage of FYDP: 100.00; 2006 Percentage of FYDP: 100.00. Source: GAO analysis of DOD FYDP data. Note: Totals may not add due to rounding. [End of table] DOD has reported on the risk management framework in the department's GPRA and other reporting requirements. For example, the fiscal year 2004 Performance and Accountability Report describes what DOD is doing, or plans to do, to define, measure, and monitor performance goals in the four risk quadrants but does not discuss the implementation status of the risk management framework. Furthermore, the fiscal year 2004 report, the most recent available, provided insufficient information to assist Congress in overseeing how DOD plans to prioritize investment decisions within or across the risk quadrants. Without more detailed information, Congress may have insufficient transparency into how DOD has identified and assessed risks and made trade-offs in its investment decision making. In addition, we reported in May 2004 that congressional visibility over investment decision making also was limited by the absence of linkages between the risk management framework and military capabilities planning and the FYDP.[Footnote 24] Because the FYDP lacked these linkages, we concluded that decision makers could not use it to determine how a proposed increase in capability would affect the risk management framework. Our work also has shown that the FYDP may understate the costs of weapon system programs; therefore, DOD may be starting more programs than it can afford. For example, our assessment of 54 major programs, representing an investment of over $800 billion, found that the majority of these programs were costing more and taking longer to develop than planned.[Footnote 25] Problems occurred because of DOD's overly optimistic planning assumptions about the long-term costs of weapon system programs and its failure to capture early on the requisite knowledge that is needed to efficiently and effectively manage program risks. When DOD has too many programs competing for funding and approves programs with low levels of knowledge, it is accepting the attendant likely adverse cost and schedule risks. As a result, it will probably get fewer quantities for the same investment or face difficult choices on which investments it cannot afford to pursue. The findings of our work suggest that having a departmentwide investment strategy for weapon systems, to allocate resources across investment priorities, would help reduce these risks. Cultural Resistance, Combined with the Lack of Leadership, Implementation Goals, and Process Integration, Affects DOD's Implementation of the Risk Management Framework: Four key challenges impede DOD's progress toward implementing the risk management framework. The first implementation challenge facing DOD is overcoming cultural resistance to change in a department as massive, complex, and decentralized as DOD. The second challenge is the lack of sustained leadership, and the third challenge is the absence of implementation goals and timelines. These challenges relate to DOD's failure to follow crucial transformational steps. The fourth challenge- -integrating the risk management framework with decision support processes and related reform initiatives, into a coherent, unified management approach for the department--relates to key results-oriented management practices. Unless DOD addresses these challenges and successfully implements the risk management framework, or a similar approach, it may continue to experience (1) a mismatch between programs and budgets, and (2) the proportional, rather than strategic, allocation of resources to the services. Transforming DOD's Organizational Culture Is a Significant Challenge: Transforming DOD's organizational culture--from a focus on inputs and programs to strategically balancing investment risks and monitoring outcomes across the department--through the implementation of the risk management framework is a significant challenge for the department for several reasons. First, as we noted in our 21st Century Challenges report, to successfully transform, DOD needs to overcome the inertia of various organizations, policies, and practices that became rooted in the Cold War era.[Footnote 26] The department's expense, size, and complexity, however, make overcoming this resistance and inertia difficult. In fiscal year 2004, DOD reported that its operations involved $1.2 trillion in assets, $1.7 trillion in liabilities, over $605 billion in net cost of operations, and over 3.3 million military and civilian personnel. For fiscal year 2005, DOD received appropriations of about $417 billion. Moreover, execution of its operations spans a wide range of defense organizations, including the military services and their respective major commands and functional activities, numerous large defense agencies and field activities, and various combatant and joint operation commands, which are responsible for military operations for specific geographic regions or theaters of operations. Second, DOD's highly decentralized management structure is another contributing factor that makes cultural change difficult. Although under the authority, direction, and control of the Secretary of Defense, the military services have the legislative authority to organize, equip, and train the nation's armed forces for combat under Title 10 of the U.S. Code. Furthermore, Congress directly appropriates funds to the services for programs and activities that support these purposes. In the opinion of knowledgeable DOD officials, this legislative authority has resulted in a culture that makes it difficult to develop department-level, or joint, management approaches. For example, the allocation of budgets on a proportional, rather than a strategic basis, among the military services is a long-standing budgetary problem that we have identified as a major management challenge for the department.[Footnote 27] In addition, the Joint Defense Capabilities Study, chartered by the Secretary of Defense in March 2003, made the following observations on how DOD's organizational culture does not reinforce a departmental or joint approach to investment decision making and results management:[Footnote 28] * DOD's bottom-up strategic planning process did not support early senior leadership involvement and did not provide integrated departmentwide objectives, priorities, and roles as a framework for planning joint capabilities. * Service-centric focus on programs and weapons platforms resulted in a process that did not provide an accurate picture of joint needs, nor did it provide a consistent view of priorities and acceptable risks across the department. * The resulting budget did not optimize capabilities at either the department or the service level. * Accountability and feedback focused on monetary input rather than output; therefore, much of the information provided did not support the senior leaders' decision making as it did not tell how well the department was being resourced to meet current and future mission requirements. Lack of Sustained Leadership and Appropriate Accountability Has Challenged DOD's Implementation of the Risk Management Framework: The lack of sustained leadership attention and appropriate accountability has challenged DOD's progress in implementing the risk management framework. Our work has indicated that sustained leadership is a key transformational, or change management, practice.[Footnote 29] However, knowledgeable DOD officials indicated that DOD's senior leadership did not provide sustained attention to the framework's implementation. For example, a DOD official actively involved in the framework's implementation stated that meetings with senior leadership that were to provide oversight of the framework's implementation have not been regularly scheduled. DOD officials indicated that as a result of this lack of sustained leadership, DOD has not placed much emphasis on implementing the risk management framework at the department level. In addition, other DOD officials stated that changes in leadership have made it difficult to implement the risk management framework or develop performance measures. For example, since October 2004, DOD has experienced turnover in the following senior level positions, including the Deputy Secretary of Defense; the Under Secretary of Defense for Acquisition, Technology and Logistics; and the Director of Program Analysis and Evaluation (PA&E). Lacking sustained leadership attention, DOD officials offered conflicting perspectives on the status of the risk management framework with some officials suggesting that the framework had been overtaken by other performance-based or risk-based management initiatives while another suggested that the framework was primarily a compliance exercise. DOD officials also held differing perspectives on the purpose of the framework, including the beliefs that it was developed to monitor the Secretary of Defense's priority areas or that it was a programming and budgeting tool. Implementation of the risk management framework has also been challenged by the lack of clear lines of authority and appropriate accountability. No single individual or organization has been given overarching leadership responsibilities, authority, or the accountability for achieving the framework's implementation. Instead, the responsibility for various tasks and performance measures have been spread among several organizations, including the Director, PA&E; the Under Secretary of Defense for Personnel and Readiness (P&R); and the Under Secretary of Defense, Comptroller/Chief Financial Officer. We testified in April 2005 that as DOD embarks on large-scale change initiatives, the complexity and long-term nature of these initiatives require the development of an executive position capable of providing strong and sustained leadership--over a number of years and various administrations.[Footnote 30] For this reason, we have supported legislation to create a CMO at DOD to provide such sustained leadership.[Footnote 31] A CMO could also provide the leadership needed to successfully develop a risk-based and results-oriented management approach at DOD, such as the risk management framework. Lack of Implementation Goals and Timelines Further Challenges DOD's Implementation of Risk Management Framework: Accountability for implementation of the risk management framework also has been hindered by the absence of implementation goals and timelines with which to gauge progress. As we have previously reported, successful change management efforts use implementation goals and timelines to pinpoint performance shortfalls and gaps, suggest midcourse corrections, and build momentum by demonstrating progress.[Footnote 32] However, DOD's limited guidance on the risk management framework did not establish implementation goals and timelines, nor did it require that implementation goals and timelines be developed. According to knowledgeable DOD officials, DOD did not see the need for implementation goals or timelines because the framework was not meant to change processes or create new ones, but rather was a management tool to improve upon investment decision-making processes. Regardless of how DOD classifies the risk management framework, we have found that implementation goals and timelines are essential to any transformational change, such as that envisioned by the Secretary of Defense with the risk management framework, because of the number of years it can take to complete the change.[Footnote 33] Moreover, the absence of implementation goals and timelines makes it difficult to determine whether progress has been made in implementing the framework over the last 2 ½ years, and whether DOD's revisiting of the framework during the 2005 QDR represents an evolutionary progression or implementation delays. Integrating the Risk Management Framework with Decision Support Processes and Related Reform Initiatives Is a Significant Challenge: DOD faces a significant challenge integrating the risk management framework with decision support processes for planning, programming, and budgeting and with related reform initiatives into a coherent, unified management approach. The goal of both risk management and results-oriented management is to integrate the systematic concern for risk and performance into the usual cycle of agency decision making and implementation. DOD's challenge in meeting these goals is demonstrated by the number of initiatives, as shown in table 4, that DOD has put in place to improve investment decision making and manage performance results. For example, both capabilities planning and the risk management framework are to define risks and develop performance measures but, according to DOD officials, the department is still determining how to align capabilities planning with the risk management framework. Other initiatives, including GPRA and PART, are also to develop performance measures and DOD is still working on integrating these initiatives with the risk management framework and individual performance monitoring approaches of the services and other defense components into a single, integrated system. In December 2002, the Deputy Secretary of Defense issued a memorandum to correct this situation by requiring the alignment of the risk management framework and the President's Management Agenda with DOD's results-oriented management activities, including those associated with GPRA. Table 4: Select Initiatives to Improve Investment Decision Making: Initiative: Two-Year Planning, Programming, Budgeting, and Execution Process (PPBE); Description: In 2003, DOD implemented a 2-year cycle for its strategic planning, program development, and resource determination process. DOD stated that this change was needed to integrate DOD's processes for strategic planning, identification of needs for military capabilities, systems development and acquisition, and program and budget development. During the second year of the biennial budget, DOD is to focus on budget execution and program performance. Initiative: Enhanced Planning Process; Description: In fiscal year 2004, DOD initiated a reform of defense planning to make it more responsive and adaptive to the needs of senior decision makers. The process is to result in fiscally constrained guidance and priorities-- for military forces, modernization, readiness and sustainability, and supporting business processes and infrastructure activities--for program development. The enhanced planning process is to integrate the outcomes of operational, enterprise, and capabilities planning efforts in a document called the Joint Programming Guidance. The Joint Programming Guidance is to provide a link between planning and programming, and it is to provide guidance to the DOD components for the development of their program proposals. Initiative: Capabilities Planning; Description: The 2001 QDR announced a defense strategy built around the concept of shifting to a "capabilities-based" approach to defense. According to the 2001 QDR, while DOD cannot know with confidence what nation, group of nations, or nonstate actor might pose a threat to U.S. vital interests, it is possible to anticipate the capabilities an adversary might employ. Capabilities planning is to provide a top-down, competitive approach to weigh options against resource constraints across a spectrum of challenges and to apportion risk against those challenges. It is also to enable risk assessments and trade-off decisions across DOD organizational stovepipes. The new concept stresses joint solutions to problems, requires the identification of risk trade-offs within and across mission areas, and treats uncertainty explicitly. Initiative: Program/Budget Framework Initiative; Description: As part of the financial management enterprise initiatives of the Business Management Modernization Program, this initiative is to provide a foundation for a new program and budget data structure using a common language that enables senior level DOD decision makers to weigh options versus resource constraints across a spectrum of challenges. The framework is to consist of a number of related data transparency initiatives that span across all portions of the PPBE process, including creating department-level definitions for the four risk quadrants. One of the stated benefits is establishing an ability to view programs and resources based on the risk management framework. Initiative: Joint Capabilities Integration and Development System (JCIDS); Description: A system for the Joint Staff to assess gaps in military joint warfighting capabilities and recommend solutions to resolve those gaps. This system is replacing DOD's requirements- generation process for major acquisitions in an effort to shift the focus to a more capabilities-based approach for determining joint warfighting needs rather than a threat-based approach focused on individual systems and platforms. Under this system, boards comprised of high-level DOD civilians and military officials are to identify future capabilities needed around key functional concepts and areas, such as command and control, force application, and battlespace awareness, and to make trade-offs among air, space, land, and sea platforms in doing so. Initiative: President's Management Agenda; Description: The President's Management Agenda contains five initiatives aimed at improving federal agency management and performance: (1) strategic human capital management, (2) competitive sourcing, (3) improved financial performance, (4) expand electronic government, and (5) budget and performance integration. The President cited our work on high-risk areas and major management challenges in developing his initiatives, and implementation of the agenda has reinforced the need to focus agencies' efforts on achieving key management and performance improvements. Initiative: Budget and Performance Integration; Description: The budget and performance integration initiatives of the President's Management Agenda include elements such as the PART used to review programs, an emphasis on improving outcome measures, and improving monitoring of program performance. PART is the central element in the performance budgeting piece of the President's Management Agenda. PART builds on GPRA by actively promoting the use of results-oriented information to assess programs in the budget. Source: GAO analysis. [End of table] We note that these reform initiatives address key business processes within the department and that we have placed DOD's overall business transformation on our list of federal programs and activities at high risk of waste, fraud, abuse, and mismanagement.[Footnote 34] The Under Secretary of Defense for Acquisition, Technology and Logistics indicated that DOD plans to address the challenge associated with the integration of DOD's planning, resourcing, and execution processes and initiatives, including the risk management framework. The Under Secretary stated that one task of the ongoing 2005 QDR was "strategic process integration." The Under Secretary also stated that the department is planning to provide a roadmap with performance goals and timelines on how it will implement initiatives to improve strategic process integration. This roadmap is to be submitted with the 2005 QDR report to Congress in early 2006 with the fiscal year 2007 budget. Conclusions: DOD has made some progress in implementing the risk management framework, including establishing risk quadrants and performance goals. However, more work will be required for DOD to be able to put in place a management tool, such as the risk management framework, to strategically balance the allocation of resources across the spectrum of its investment priorities against risk over time and to monitor performance. The development of performance measures that clearly demonstrate results and that are cascaded down throughout the department would enable DOD to provide a clear roadmap of how its activities at all levels contribute to meeting its strategic goals and would assist the department in aligning the core processes and resources of its four military services and multiple defense agencies to better support a departmental or joint approach to national security. Furthermore, the risk management framework cannot be fully implemented until its performance goals are clearly linked to DOD's strategic planning goals. Unless a cause and effect relationship can be demonstrated between the department's performance measures and strategic goals, the framework's usefulness as a tool for monitoring DOD's execution of its strategic plan and identifying performance goals will be severely restricted, if not eliminated. Furthermore, the fiscal year 2006 budget submission does not provide sufficient information on how DOD identified or assessed departmental risks to establish DOD-wide investment priorities; thus, the linkages between the framework and the budget are unclear. Without better measures, clear linkages, and greater transparency, DOD will be unable to fully measure progress in achieving strategic goals or demonstrate to Congress and others how it considered risks and made trade-off decisions, balancing needs and costs for weapon programs and other investment priorities. The efforts of DOD's senior leadership to establish a risk-based and results-oriented management approach have been impeded by some key challenges. The lack of sustained leadership and clear lines of accountability has hampered implementation of the risk management framework and the establishment and achievement of implementation goals and timelines. Strong and sustained leadership could enable DOD to overcome resistance to change that exists in a department as massive and complex as DOD. In addition, the establishment of implementation goals and timelines could enable DOD to determine what progress has been made in implementing the risk management framework. Furthermore, the successful integration of the risk management framework into DOD's investment decision-making processes, including recent reform initiatives, could assist DOD in its overall transformation efforts. Until DOD develops a risk-based and results-oriented management approach for making investment decisions, it will likely continue to experience a mismatch between programs and budgets, and the proportional, rather than strategic, allocation of resources to the services. Recommendations for Executive Action: To address the challenges associated with implementing the risk management framework, or a similar risk-based management approach, we recommend that the Secretary of Defense take the following four actions: * develop or refine department-level performance measures so that they clearly demonstrate performance results and cascade those measures down throughout the department, * assign clear leadership with accountability and authority to implement and sustain the risk management framework, * develop implementation goals and timelines, and: * demonstrate the integration of the risk management framework with DOD's decision support processes and related reform initiatives to improve investment decision making and manage performance results. Agency Comments and Our Evaluation: In written comments on a draft of this report, DOD partially concurred with our four recommendations. DOD's written comments are reprinted in their entirety in appendix II. DOD also provided technical comments, which we incorporated as appropriate. DOD partially concurred with our first recommendation. DOD stated that it concurred with our recommendation that the Secretary of Defense refine department-level performance measures so that they clearly demonstrate results, but that it did not concur with the notion that effectively cascading the risk management framework has been inhibited by the current suite of performance measures. DOD noted that that a number of defense components--including the Army, DOD Comptroller, the Defense Logistics Agency, and the Defense Information Systems Agency-- have successfully cascaded departmentwide strategic goals and implemented frameworks to measure their organization's performance. DOD also believes that empowering the leadership at the component level to develop measures, while ensuring strategic alignment, is the most effective way of encouraging performance management and increasing its utility. In our report, we acknowledge that DOD has taken positive steps toward developing a performance monitoring system and cascading the framework's goals and measures to defense components. However, our recommendation addresses limitations in those measures that currently hinder DOD's ability to use the risk management framework as a management tool for aligning the components' performance goals and measures with the risk management framework, or for strategic balancing investment decisions across the risk quadrants. For example, the majority of the risk management framework's measures are activity measures, or initiatives, that do not monitor a specific annual performance target, nor do these measures provide sufficient information to determine whether the activity is on schedule or contributes to enhancing the department's overall performance. Finally, our recommendation is not intended to suggest that DOD not empower the components to develop performance measures, but rather that DOD establish a clear hierarchy of goals and measures that provide straightforward roadmaps to demonstrate how the components' activities contribute to meeting DOD's strategic goals. DOD partially concurred with our second recommendation that the Secretary of Defense assign clear leadership with accountability and authority to implement and sustain the risk management framework. DOD stated that, although it agrees that such leadership is key to any successful performance management system, the department's senior executives provide sufficient leadership and accountability for implementing and sustaining the risk management framework. DOD also stated that it did not agree that a new organization or bureaucratic structure is needed to ensure successful implementation and sustainment of the risk management framework. We agree that DOD has assigned specific roles and responsibilities for goals and measures associated with the risk management framework to various high-level DOD officials. However, we based our recommendation on the fact that no single individual, with appropriate authority, was held responsible for ensuring that the risk management framework was implemented across the department. Further, our recommendation does not propose that DOD set up a new organization or bureaucratic structure, but, as stated in this report, we continue to believe that one way to provide strong and sustained leadership for change initiatives, such as the risk management framework, over a number of years and various administrations is to legislatively establish a CMO. In partially concurring with our third recommendation to develop implementation goals and timelines, DOD agreed that tracking progress in implementing the risk management framework is a good management practice. DOD stated that it has established goals and timelines for the risk management framework that are unique to the individual metrics, or measures, and that because the risk management framework continually evolves over time, new metrics will be developed while others may be retired. As we stated in the report, successful change management efforts use implementation goals--such as, for example, linking the risk management framework to the budget--and timelines for meeting those goals, to pinpoint shortfalls and gaps, suggest midcourse corrections, and build momentum by demonstrating progress. Therefore, while DOD may continually refine the individual goals and measures associated with the framework's risk quadrants, we believe that goals and timelines for the overall implementation of the framework across the department are essential for keeping this reform initiative on track. DOD partially concurred with our fourth recommendation that the Secretary of Defense demonstrate the integration of the risk management framework with DOD's decision support processes and related reform initiatives to improve investment decision making and manage performance results. DOD stated that the department is currently studying ways to further integrate the risk management framework with other decision support processes, but no single framework or decision model can provide all the necessary information or flexibility needed by the Secretary of Defense and his senior leadership team. We recognize that DOD's senior leadership needs reliable information from a variety of sources and flexibility to make decisions among alternative actions or solutions. However, if the risk management framework is to successfully serve as a management tool to assist decision makers in formulating top-down strategy, balancing investment priorities against risk over time, measuring near-and midterm outputs against strategic goals, and focusing on actual performance results--as intended by DOD's senior leadership--it is crucial that it be successfully integrated with DOD's investment decision-making processes, including recent reform initiatives. We are sending copies of this report to interested congressional committees; the Secretaries of Defense, Army, Navy, and Air Force; the Commandant of the Marine Corps; and the Director, Office of Management and Budget. We will also make copies available to others upon request. In addition, the report will be available at no charge on GAO's Web site at http://www/gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-9619 or pickups@gao.gov. Contact points for our offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Signed by: Sharon L. Pickup: Director, Defense Capabilities and Management: [End of section] Appendix I: Scope and Methodology: To assess to what extent the Department of Defense (DOD) has implemented the risk management framework, we obtained and analyzed DOD directives, briefings, and other documents that described the risk management framework's purpose, implementation status, and performance measures. We also obtained and analyzed DOD's 2001 Quadrennial Defense Review and annual strategic planning and budget documents. Moreover, we interviewed knowledgeable DOD and service officials involved with the implementation of the risk management framework. Specifically, we obtained testimonial evidence from officials representing the Office of the Secretary of Defense (OSD) offices--such as Program Analysis and Evaluation; Comptroller; Policy; Acquisition, Technology and Logistics; and Personnel and Readiness--the Joint Staff, the military services, and the Defense Business Board. To identify key risk-based and results- oriented management principles, we reviewed our prior reports and other relevant literature, including information on the balanced scorecard concept. For example, we identified characteristics of results-oriented performance measures. These characteristics focused on performance measures that are (1) designed to demonstrate results by providing information on how well the organization is achieving its goals; (2) limited to a vital few, and balanced across priorities; and (3) used by management to improve performance. As another example, risk-based and results-oriented management principles indicate that leading organizations seek to establish clear hierarchies of goals and measures that cascade down so that subordinate units have straightforward roadmaps to demonstrate how their activities contribute to meeting the organization's strategy. We systematically analyzed and compared the risk management framework's department-level performance measures with these characteristics. However, we did not validate the procedures that DOD has in place to ascertain the reliability of the data used to support the performance measures. Regarding strategic planning, these principles focused on (1) establishing clear linkages among strategic planning goals, resources, performance goals and measures and (2) integrating the consideration of risk into the usual cycle of agency decision making and implementation. While these principles do not cover all attributes associated with risk-based and results-oriented management approaches, we believe that they are the most important ones for assessing DOD's progress in implementing the risk management framework. To identify the most significant challenges, we reviewed our previous work on change management principles. We then compared DOD's implementation of the risk management framework to sound change management principles and interviewed knowledgeable DOD officials about the challenges that faced the department in implementing the risk management framework. In addition, we reviewed our previous work to determine to what extent deficiencies in DOD's overall business transformation efforts might influence the implementation of the risk management framework. Our work was performed from October 2004 through September 2005 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Department of Defense: OFFICE OF THE SECRETARY OF DEFENSE: PROGRAM ANALYSIS AND EVALUATION: 1600 DEFENSE PENTAGON: WASHINGTON, DC 20301-1600: NOV - 2 2005: Ms. Sharon Pickup: Director, Defense Capabilities and Management: U.S. Government Accountability Office: 441 G Street, N.W.: Washington, DC 20548: Dear Ms. Pickup: This is the Department of Defense (DoD) response to the GAO draft report "DEFENSE MANAGEMENT: Additional Actions Needed to Enhance DoD's Risk-Based Approach for Making Resource Decisions," dated October 4, 2005 (GAO Code 350611/GAO-06-13). DoD has reviewed the report for technical accuracy and content and partially concurs with the GAO's recommendations. The Department agrees that it is vitally important to have a coherent management process to set goals and objectives, measure performance, and respond rapidly to changing world events. Furthermore, DoD is committed to continuously refining its risk management framework to improve the linkages between strategy, performance goals, and performance results. While GAO recommends a number of actions to strengthen the risk management framework, the Department believes that its approach to date reflects a deliberate and tailored plan that has proven effective for managing this enterprise. Attached are specific comments on each recommendation, as well as technical comments. We appreciate the opportunity to comment on the draft report. Signed by: Stanley R. Szemborski: VADM, USN: Principal Deputy Director: Enclosures: As Stated: GAO DRAFT REPORT - DATED OCTOBER 4,2005: GAO CODE 350611/GAO-06-13: "DEFENSE MANAGEMENT: Additional Actions Needed to Enhance DoD's Risk- Based Approach for Making Resource Decisions" DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS: RECOMMENDATION 1: The GAO recommended that the Secretary of Defense develop or refine department-level performance measures so that they clearly demonstrate performance results. The GAO further recommended that the measures be cascaded through the Department. (p. 30/GAO Draft Report): DoD RESPONSE: Partially Concur. The Department concurs with the recommendation to refine department-level performance measures. DoD has worked continuously to refine both its performance measures and risk management framework in order to clearly demonstrate performance results and better link strategy to outcomes. In fact, one of the primary outputs of many activity metrics are new, refined measures that include the data necessary for quantitative evaluation. The Department believes that the process of developing better, more refined performance measures should continue, as no performance management system is ever truly "complete." However, DoD nonconcurs with the notion that effectively cascading the risk framework has been inhibited by the current suite of performance measures. DoD has demonstrated substantial progress in cascading measures throughout the Department. Upon introducing the risk management framework, the Department set out to ensure alignment across components and Defense agencies by requiring that each organization's performance plan or balanced scorecard: (t) reflect the balanced scorecard risk quadrants; (2) reflect the Department's overall performance objectives; and (3) align with and support the outcomes and performance metrics of the next higher organization. A number of Defense components-including the Army, DoD Comptroller, Defense Logistics Agency (DLA), and Defense Information Systems Agency (DISA)- have successfully cascaded Department-wide strategic goals and implemented frameworks to measure their organization's performance. DoD believes that empowering the leadership at the component level to develop measures that are meaningful and relevant to one's own organization, while ensuring strategic alignment, is the most effective way of encouraging performance management and increasing its utility. RECOMMENDATION 2: The GAO recommended that the Secretary of Defense assign clear leadership with accountability and authority to implement and sustain the risk management framework. (p. 30/GAO Draft Report): DOD RESPONSE: Partially Concur. The Department agrees-that clear leadership with accountability and authority are key characteristics of any successful performance management system. However, contrary to the GAO's assessment, the Department has taken a number of deliberate actions to ensure proper accountability and authority. Therefore, DoD does not agree that a new organization or bureaucratic structure is needed to ensure successful implementation and/or sustainment of the risk management framework. DoD's senior executives, including Principal Staff Assistants and their Performance Management Coordinators, provide sufficient leadership and accountability for implementing and sustaining the risk management framework. Specific roles and responsibilities include: (1) the development of annual performance targets to support the risk management framework; (2) data -collection; (3) verification and validation of performance data; and (4) management of activities to improve performance and achieve targets during, and following, the year of execution. By empowering senior leaders throughout the Department to measure organizational performance, and manage accordingly, the Department has made great progress in ensuring accountability. RECOMMENDATION 3: The GAO recommended that the Secretary of Defense develop implementation goals and timelines. (p. 30/GAO Draft Report): DoD RESPONSE: Partially Concur. DoD agrees that tracking progress in implementing the framework is a good management practice. However, DoD has taken the necessary steps to track implementation of the risk management framework. For example, DoD has established goals and timelines for the risk management framework that are unique to the individual metrics. The Department has also established either a performance metric or activity metric for every relevant area. Since the risk management framework continually evolves over time to reflect changes in strategy, priorities, and senior leadership interest, new metrics will be developed while others may retired. Because individual metric development occurs at different points in time, there is not one single milestone or event that will mark completion of the risk management framework as a whole. RECOMMENDATION 4: The GAO recommended that the Secretary of Defense demonstrate the integration of the risk management framework with DoD's decision support processes and related reform initiatives to improve investment decisionmaking and manage performance results. (p. 30/GAO Draft Report): DOD RESPONSE: Partially Concur. The Department agrees that integrating the risk management framework with other decision support processes and related reform initiatives is both a natural evolution of the risk management framework's maturation effort and a beneficial output of the process. As such, the Department is currently studying ways to further integrate the risk management framework with other decision support processes. However, the Secretary of Defense and his senior leadership team must be able to make well-informed decisions in a variety of circumstances. No single framework or decision model can provide all of the necessary information and/or flexibility. Technical Comments Draft GAO Report GAO-06-13, GAO Code 350611: Issue: Page 2, paragraph 2. Sentence reads: "..we conducted interviews with DoD and service officials, members of the Joint Staff, and members of the Defense Business Board." The Defense Business Board does not officially speak on the Department's behalf. Issue: Page 12, paragraph 2. The sentence reads: "44 of the 77 departmental-level measures .. are activity measures." Page 13, Table 1. Footnote describes a recoding of five performance measures to activity measures. DoD objects to recoding these metrics from performance metrics to activity metrics. [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Sharon Pickup, (202) 512-9619 or pickups@gao.gov: Acknowledgments: In addition to the contact named above, David Moser, Assistant Director; Donna Byers; Gina Flacco; and Renee S. Brown made key contributions to this report. FOOTNOTES [1] See GAO, 21st Century Challenges: Reexamining the Base of the Federal Government, GAO-05-325SP (Washington, D.C.: February 2005) for a comprehensive compendium of areas throughout the federal government that could be considered for reexamination and review by Congress. [2] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [3] GAO, Highlights of a GAO Forum: Mergers and Transformation: Lessons Learned for a Department of Homeland Security and Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 2002), and Results- Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003). [4] S. 780, 109th Cong. §1 (2005). [5] GAO-05-207. [6] GAO-05-207. [7] The Government Performance and Results Act of 1993 (Pub. L. No. 103- 62). [8] The balanced scorecard approach was advocated by Professor Robert Kaplan and Dr. David Norton in the November/December 1992 Harvard Business Review. [9] GAO-05-325SP. [10] See for example, Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management--Integrated Framework: Executive Summary (New York, N.Y.: September 2004). [11] Pub. L. No. 103-62 (1993). [12] The President's Management Agenda, by focusing on a number of targeted areas, seeks to improve the performance management of the federal government. [13] For further information see: GAO, Performance Budgeting: PART Focuses Attention on Program Performance, but More Can Be Done to Engage Congress, GAO-06-28 (Washington, D.C.: Oct. 28, 2005); Management Reform: Assessing the President's Management Agenda, GAO-05- 574T (Washington, D.C.: Apr. 21, 2005); Results-Oriented Government: GPRA Has Established a Solid Foundation for Achieving Greater Results, GAO-04-38 (Washington, D.C.: Mar. 10, 2004); and Performance Budgeting: Observations on the Use of OMB's Program Assessment Rating Tool for the Fiscal Year 2004 Budget, GAO-04-174 (Washington, D.C.: Jan. 30, 2004). [14] GAO, Executive Guide: Effectively Implementing the Government Performance and Results Act, GAO/GGD-96-118 (Washington, D.C.: June 1996) and Managing for Results: Enhancing Agency Use of Performance Information for Management Decision Making, GAO-05-927 (Washington, D.C.: Sept. 9, 2005). [15] GAO/GGD-96-118. [16] GAO/GGD-96-118 and GAO-05-927. [17] GAO/GGD-96-118. [18] GAO/GGD-96-118. [19] GAO, Quadrennial Defense Review: Future Reviews Can Benefit from Better Analysis and Changes in Timing and Scope, GAO-03-13 (Washington, D.C.: Nov. 4, 2002). [20] The Defense Business Board was established in 2001 by the Secretary of Defense to provide DOD's senior leadership with leading- edge, actionable advice on management improvements. [21] GAO, Managing for Results: Critical Issues for Improving Agencies' Strategic Plans, GAO/GGD-97-180 (Washington, D.C.: Sept. 16, 1997). [22] See GAO/GGD-96-118. [23] The Future Years Defense Program provides information on DOD's current and planned outyear budget requests. [24] GAO, Future Years Defense Program: Actions Needed to Improve Transparency of DOD's Projected Resource Needs, GAO-04-514 (Washington, D.C.: May 7, 2004). [25] GAO, Defense Acquisitions: Assessments of Selected Major Weapon Programs, GAO-05-301 (Washington, D.C.: Mar. 31, 2005). [26] GAO-05-325SP. [27] GAO-05-325SP. [28] Joint Defense Capabilities Study Team, Joint Defense Capabilities Study: Final Report (Washington, D.C.: December 2003). [29] GAO, Management Reform: Elements of Successful Improvement Initiatives, GAO/T-GGD-00-26 (Washington, D.C.: Oct. 15, 1999). [30] GAO-05-520T and GAO-05-629T. [31] S. 780, 109th Cong. §1 (2005). [32] GAO-03-669. [33] GAO-03-669. [34] GAO-05-207. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: