#231 – BLACK SWAN OR JUST WISHFUL THINKING AND MISINTERPRETATION – GEARY SIKICH


There seem to be a lot of sightings of “Black Swans” lately. Should we be concerned, or are we thinking wishfully, caught up in media hype, or misinterpreting what a “Black Swan” event really is? The term “Black Swan” has become a popular buzzword for many, including contingency planners, risk managers and consultants. However, are there really that many occurrences that qualify as a “Black Swan,” or are we just caught up in the popularity of the moment?

205 – MAJOR SUBCONTRACT GONE WRONG – JOHN AYERS


This risk story involves a major subcontract that went awry, impacting the program and one of my company’s growth goals. The goal was to become the sole provider to the Navy of a mine killing system comprising two major components. One is an underwater kill vehicle and the second is a launcher (deployed from a helicopter).

To accomplish this goal, we landed a contract with the Navy to design, build and perform tests of a small quantity of units (called first article units). If the tests were successful, then the Navy would establish my company as the sole supplier of this mine killing system. The foreign subcontractor selected had a kill vehicle under development.

As part of the Navy contract and as a subcontractor to us, they would complete development of the kill vehicle, manufacture the first article units and perform tests. We would design the launcher and the subcontractor would manufacture it to our design. My company, as the lead, would conduct system tests for the Navy with the subcontractor in support. This was my company’s plan to become the sole supplier of the mine killing system to the Navy. Nice plan, but bad decisions were made by management, leading to a missed opportunity for the company, as discussed below.

Background

Management established a win strategy to become the sole provider to the Navy of a new mine killing system. They decided to give a major subcontract to a foreign company that was in the process of developing a small, lightweight underwater mine killing vehicle. This foreign company could not sell directly to the Navy and needed my company to do so. Their strategy was to work with my company to sell their kill vehicle to the Navy. So, it was a win-win situation for both companies.

The subcontractor scope comprised: complete development of the kill vehicle; build 2 first article units and perform testing on them; manufacture the launcher to our design and support system qualification tests for the Navy. Our scope included: design the launcher; write the system test procedures; conduct the system acceptance tests for the Navy; and provide the program management effort for the program.

During negotiation of the contract, the subcontractor insisted on using their own funds to perform the development of the kill vehicle because they planned to apply it to other markets beyond the DOD (Department of Defense). My company accepted this arrangement, which proved to be poor judgment on their part, as became painfully apparent as the project progressed. Per the contract, the subcontractor controlled the design requirements and schedule for the kill vehicle, which would turn out to adversely impact our contract schedule with the Navy.

Early in the program, and in accordance with the terms and conditions of the contract, the subcontractor put in a claim against my company which delayed the program until it was resolved. The basis of the claim was withheld progress payments that my company felt were justified because of the inability of the subcontractor to maintain their schedule.  After several months of delay, the claim was settled and progress on the project started moving forward.

First Bad Decision

During the long and intense negotiations for the claim resolution, both sides agreed to put the subcontractor schedule on the back burner and come back to it later. As a result, the schedule was not defined as part of the claim resolution. The program re-started and the subcontractor established a new schedule they could commit to. The problem was, they continued to miss their own schedule each month, creating a serious schedule issue with our contract with the Navy. Very quickly management recognized the problem and insisted the subcontractor recover their schedule and make it part of the subcontract. The subcontractor insisted 2 additional months be added to their schedule before they would accept a contract change. Finally, my company agreed and 2 months were added to their contract. We ended up updating our contract with the Navy to include the schedule growth after a very painful negotiation. Since our contract with the Navy was firm fixed price, my company incurred significant cost growth (loss).

Second Bad Decision

Basing the success of our contract with the Navy on a subcontractor-controlled design for the kill vehicle (the most important component of the system) was a big mistake. Unknown to us initially, the subcontractor was redesigning part of their vehicle to include new requirements for their other customers, resulting in delays to our schedule which in turn were reflected in our schedule with the Navy. Once this situation became apparent to us, upper management came down on the subcontractor like a ton of bricks, but to no avail since they were protected by the subcontract. Our only recourse was to micro-manage their schedule, which we did with moderate success. Eventually, the development of the vehicle was completed and it passed all of their tests.

Third Bad Decision

During the course of the contract, my company reached out to the subcontractor for a teaming agreement. This was before the critical Navy qualification tests were performed. At this point, the subcontractor’s upper management told our upper management they wanted a teaming agreement and were excited about the prospect of finally selling their product to the US Navy. However, the president of the business unit in our company did not want to risk a teaming agreement because he felt they might fail the Navy qualification tests. He decided to wait until the tests were completed. Several members of his staff tried to get him to change his decision but failed. The subcontractor passed the Navy qualification tests. The Navy established their kill vehicle as sole source for the Navy’s air and sea platforms. The subcontractor designed and manufactured their own launcher. My company was completely left out. In hindsight, it should have been apparent to the president of our business unit that we had zero leverage with the subcontractor once they passed the qualification tests.

Lessons Learned

  1. Do not award a subcontract where the subcontractor has control over the requirements, design and schedule of any component. Maintain control over the entire subcontract.
  2. In any negotiation, do not leave the contract schedule to be decided and agreed upon after contract award. If it is not in the contract upon award, then you do not have a schedule.
  3. Establish a teaming agreement with another company before critical deciding events. Failure to do so runs the risk of succeeding.

Risk Analysis

It seems obvious that a risk analysis was not done in this case.  What would have been the risks?

  1. Settling a disputed, painful claim without the schedule definition is a program risk with a high probability and a high impact if realized.
  2. Awarding a subcontract where contractual control of the key component is the responsibility of the subcontractor is another program risk with a high probability of schedule and cost growth and a high adverse impact.
  3. Awarding a subcontract to a foreign company can be risky to the program because the geographical separation may cause travel costs to grow out of control while monitoring the subcontractor, especially if they have problems, and because it is more difficult and costly to provide the onsite support required to ensure progress is being made to the schedule. This is a program risk.
  4. Teaming agreements can be risky to the program and enterprise if not structured properly and executed in a timely fashion.

#203 – IS YOUR GRADUATE WORK OR LIFE READY? – PROBABLY NOT – GREG HUTCHINS


This is the time of year when millions of kids are told whether they’re getting into their college or university of choice. It’s a time of huge stress for kids and their parents.

The kids think that their life’s arc is going to be facilitated by a name university. The parents are anxious to see if their 18 years of mentoring and parenting have pointed their kid in the right direction for life and work. And, oh by the way, who’s going to pay for the educational launch pad (i.e. college)?

“employers think most of today’s college graduates do the most important work things abysmally”

THIS IS JUST THE BEGINNING

So, the kid goes to the college or university of choice. That’s great. Hopefully, your kid gets a marketable degree and, most importantly, becomes employable.

End of problems? End of parenting? Unfortunately, no.

According to the survey below, most college graduates today are not ready for life or work. And, that’s a huge problem.

WHAT DO EMPLOYERS EXPECT?

Employers now expect today’s graduates to:

  • Have a professional work ethic.
  • Be able to communicate well.
  • Think critically.
  • Manage their career.

Today’s graduates think they already do all these things pretty well. But …

The Problem: Employers think much differently. Today’s employers think most of today’s college graduates do the most important work things abysmally.

Take a look at the recent numbers below on how graduates think and how employers think. Huge differences.

SO, WHAT DOES THIS ALL MEAN?

Lots!

At a basic level, there is a huge gap between what employers want and what today’s graduates think they do. This really impacts their employability and market value.

At a deeper level, it challenges the value of college and even of an education. From the graduate’s point of view, will the four years of education improve employability or maturity? From the point of view of a parent, or of the person who co-signs the college loan, will they be indentured for life?

OUR DAUGHTER’S COLLEGE DECISION

By the way, our daughter decided to get an online mechanical engineering degree from University of Alabama and learn AI/Machine Learning/Robotics online.

Hopefully, these all point to getting a job and being self-sustaining.

#198 – A FRAMEWORK FOR QUALITY RISK MANAGEMENT OF FACILITIES AND EQUIPMENT – PHIL DESANTIS


This two-part article focuses on risk management of facilities and equipment. It describes how a risk-based approach to facilities and equipment management fits into an integrated, effective quality systems structure. The principles discussed are equally applicable to all quality systems. Facilities and equipment represent a broad range of risks to product quality and are one of the key quality systems commonly identified in the pharmaceutical manufacturing industry.

#54 – RISK OF LOSING EMPLOYEES IN POST RECESSION – ELIZABETH LIONS

As we cruise through the post-recession period there is one big concern on employers’ minds: retention.

Big companies and small companies are starting to see how the market has turned. Statistically, the Monster job board reported that 82% of surveyed employees have updated their resumes this year and 59% said they are passively looking for another role.

While compensation is always a factor in retention, it isn’t the be-all and end-all. Most of the people I interview are looking for career advancement and flexible work hours. Sometimes it’s just not practical to throw more money at employees, and often that isn’t what’s bugging them anyway.

Some job seekers want more of a challenge and think they are topped out in their current role. Some start looking aggressively if they aren’t connecting with their manager. People leave jobs for a variety of reasons.

Here’s what you can do to make them want to stay:

1.  Get rid of hidden agendas

There is nothing more refreshing than a boss who gives a directive and tells you why. Employees want to understand how their job fits into the bigger picture, or they lose motivation.

2.  Formal Mentoring Programs

Many women in today’s workforce long to get into leadership, but need a solid mentor to help them navigate. Junior-level employees benefit from having an on-staff mentor to show them the ropes. Cost effective, mentors bring maximum ROI to organizations. While I know that this sounds like one more thing on the to-do list, it’s worth the effort.

3.  Map Career Path

Many companies say they are growing, but they don’t promote from within. Before taking any new job ask, “When was the last time you promoted someone from within?” Pay attention to the level of position and how often a company promotes. If you want to retain, don’t have your employees guessing what the next step is, because it’s likely they will find the next role someplace that recognizes their talent and scoops them up.

4.  Internal Recognition

As cheesy as this sounds, there is nothing like the top executives in an organization sending an email to a deserving employee in regard to their performance. It lets the person know that their job matters and that what they do each day really does matter.

Curious about how to calculate retention rates in your company and see where you are at? Check out this link: https://answers.yahoo.com/question/index?qid=20070723120306AAFz76x

Bio:

Elizabeth Lions
Author, “Recession Proof Yourself!”
and
”I Quit! Working For You Isn’t Working For Me”
www.elizabethlions.com
806 283 8811

#54 – RISK MANAGEMENT IS ON RISKY GROUND – TONY BENDELL

Dear friends, we live in depressing times. Our media is full of failing and failed organisations. From the financial crises to the BBC, from the IRS or the Veterans Health Administration to the UK Houses of Parliament, all around us is the evidence that our systems and safeguards are failing to protect stakeholders from the slings and arrows of outrageous management and an ever more demanding and volatile environment. Clearly, modern life has an enormous dependence on the integrity of human systems.

CERTIFIED ENTERPRISE RISK MANAGER® – CYBER RISK

Q+E proposes to develop a 5-day CERM Cyber Risk (CERM – CR) Workshop focused on the NIST RMF and the NIST SP 800-series guidelines. The workshop will be available to students and graduate students and also as continuing education for IT, engineering, and security professionals. It will be delivered first as classroom training and then online. It will be based on Q+E’s existing CERM course materials. CERM – CR will utilize the NIST RMF and NIST SP 800-series guidelines. Q+E will customize the workshop with recent CIP examples, case studies, and illustrations. Q+E also will introduce the Critical Security Controls, ISACA COBIT 5, ISO 27001, ISA/IEC 62443 (ISA-99), and other cyber risk frameworks.

Certified Enterprise Risk Manager – Cyber Risk Components (CERM – CR)
CERM – CR is composed of three key elements:

  • Cyber Enterprise Risk Management (1 day).
  • Cyber Risk Management Frameworks (2 days).
  • Cyber Risk Assurance (1 day).

CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk Management, 2. Cyber Risk Management Frameworks, and 3. Cyber Risk Assurance. The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program, and will provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions (Identify, Protect, Detect, Respond, Recover) and its Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring that cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

Q+E has cybersecurity experience in five Critical Infrastructure Protection (CIP) sectors. CERM – CR will offer CIP cyber security risk mitigation examples and case studies from the chemical sector (CFATS), the electric sector (NERC CIP), and other CIP sectors.

CERM – CYBER RISK LIFECYCLE LEARNING MODEL
The purpose of CERM – CR is to certificate professionals in cybersecurity risk management problem-solving and risk-based decision-making founded upon the CERM Cyber Lifecycle Learning Model shown in the figure below. The model has three components:

1. CERM – CR certificate; 2. CERM – CR webinars; and 3. CERM – CR resources.

CERM LEARNING MODEL

[Figure: CERM Cyber Lifecycle Learning Model (image not reproduced)]

CERM – CR CERTIFICATE EXAM
At the conclusion of the integrated CERM – CR workshops, participants can apply to take a certificate exam and receive the CERM – CR certificate. CERM – CR will have a 3-hour certificate exam of 100 questions covering the three integrated cyber workshops below:

CERM Cyber Risk Integrated Workshops       Percentage of Test Items
Cyber Enterprise Risk Management           20%
Cyber Risk Assurance                       40%
Cyber Risk Management Framework            40%

CERM – CR will eventually migrate to three certificate levels as well as sub-certificates addressing specific NIST SP 800-series guidelines such as encryption (SP 800-21) and industrial control systems (SP 800-82). The CERM – CR certificate levels would indicate:

  • The participant has covered a Body of Knowledge and has passed an objective certificate exam attesting to having achieved minimum qualifications. CERM – CR risk, NIST RMF, and industrial competency knowledge and skills will be covered in the exam. Q+E plans to develop a question bank of cyber risk questions so that CERM – CR certificates can be completed online.
  • Specialty credentials and sub-certificates, such as CERM – Industrial Control Systems would affirm advanced cyber knowledge and specific domain expertise.
  • CERM – CR Fellows would be nominated by peers in recognition of their contributions in cybersecurity risk management.


VALUE ADDED AUDITING BOOK DESCRIPTION

Value Added Auditing is a Q+E process- and risk-based manual for conducting operational, IT, cyber, and supply management assessments. The objective of the manual is to enhance 1. risk-based problem solving and 2. risk-based decision making. Value Added Auditing can be used as a ‘how to’ primer or reference for the following assessments:

  • ISO 9001, ISO 14001, and other ISO management system assessments that focus on continual improvement and achieving business objectives.  The book is harmonized to ISO 19011:2011.
  • Critical Infrastructure Protection (CIP) assessments, including risk assessments, vulnerability assessments, NERC CIP compliance, cyber security, resilience and CIP assessments addressing Presidential Policy Directive 21 (PPD-21) – Critical Infrastructure Security and Resilience.
  • Business assurance assessments including compliance, maturity, capability, and benchmarking.
  • Internal auditing (Yellow Book/Red Book/Quality) providing independent and objective assurance that an organization can accomplish its business objectives.
  • Supplier auditing that may involve forensics, assurance, and analytics.
  • Risk-based Information Technology (IT) audits, including ISO 27001, COBIT, ITIL, HIPAA, PCI, FISMA, and SOX assessments.
  • Assurance and opinion audits based on international standards.
  • Risk assurance assessments ensuring an organization can meet its governance, risk, and compliance (GRC) objectives.
  • Agreed Upon Procedure (AUP) engagements including reporting findings based on reviewing specific procedures.

Value Added Auditing is the primary text for the Risk Assurance element of the Certified Enterprise Risk Manager® certificate program.  Visit www.CERMAcademy.com.

The US Department of Homeland Security (DHS) certified Value Added Auditing as a ‘Qualified Anti-Terrorist Technology’ under the SAFETY Act as critical elements of Critical Infrastructure Protection: Forensics, Assurance, Analytics®.