#231 – BLACK SWAN OR JUST WISHFUL THINKING AND MISINTERPRETATION – GEARY SIKICH

There seem to be a lot of sightings of “Black Swans” lately. Should we be concerned, or are we wishfully thinking, caught up in media hype, or misinterpreting what a “Black Swan” event really is? The term “Black Swan” has become a popular buzzword for many, including contingency planners, risk managers and consultants. However, are there really that many occurrences that qualify as a “Black Swan”, or are we just caught up in the popularity of the moment?

#205 – MAJOR SUBCONTRACT GONE WRONG – JOHN AYERS

This risk story involves a major subcontract that went awry, impacting the program and one of my company’s growth goals. The goal was to become the sole provider to the Navy for a mine killing system comprising two major components. One is an underwater kill vehicle and the second one is a launcher (from a helicopter).

To accomplish this goal, we landed a contract with the Navy to design, build and perform tests of a small quantity of units (called first article units). If the tests were successful, then the Navy would establish my company as the sole supplier of this mine killing system. The foreign subcontractor selected had a kill vehicle under development.

As part of the Navy contract and as a subcontractor to us, they would complete development of the kill vehicle, manufacture the first article units and perform tests. We would design the launcher and the subcontractor would manufacture it to our design. My company, as the lead, would conduct system tests for the Navy with the subcontractor in support. This was my company’s plan to become the sole supplier of the mine killing system to the Navy. It was a nice plan, but bad decisions by management led to a missed opportunity for the company, as discussed below.

Background

Management established a win strategy to become the sole provider to the Navy for a new mine killing system. They decided to give a major subcontract to a foreign company that was in the process of developing a small, lightweight underwater mine killing vehicle. This foreign company could not sell directly to the Navy and needed my company to do so. Their strategy was to work with my company to sell their kill vehicle to the Navy. So, it was a win-win situation for both companies.

The subcontractor scope comprised: complete development of the kill vehicle; build 2 first article units and perform testing on them; manufacture the launcher to our design and support system qualification tests for the Navy. Our scope included: design the launcher; write the system test procedures; conduct the system acceptance tests for the Navy; and provide the program management effort for the program.

During negotiations of the contract, the subcontractor insisted on using their own funds to perform the development of the kill vehicle because they planned to apply it to other markets beyond the DOD (Department of Defense). My company accepted this arrangement, which proved to be poor judgment on their part, as became painfully apparent as the project progressed. Per the contract, the subcontractor controlled the design requirements and schedule for the kill vehicle, which would turn out to adversely impact our contract schedule with the Navy.

Early in the program, and in accordance with the terms and conditions of the contract, the subcontractor put in a claim against my company which delayed the program until it was resolved. The basis of the claim was withheld progress payments that my company felt were justified because of the inability of the subcontractor to maintain their schedule.  After several months of delay, the claim was settled and progress on the project started moving forward.

First Bad Decision

During the long and intense negotiations for the claim resolution, both sides agreed to put the subcontractor schedule on the back burner and come back to it later. As a result, the schedule was not defined as part of the claim resolution. The program restarted and the subcontractor established a new schedule they could commit to. The problem was that they continued to miss their own schedule each month, creating a serious schedule issue with our contract with the Navy. Very quickly management recognized the problem and insisted the subcontractor recover their schedule and make it part of the subcontract. The subcontractor insisted that 2 additional months be added to their schedule before they would accept a contract change. Finally, my company agreed and 2 months were added to their contract. We ended up updating our contract with the Navy to include the schedule growth after a very painful negotiation. Since our contract with the Navy was firm fixed price, my company incurred significant cost growth (loss).

Second Bad Decision

Basing the success of our contract with the Navy on a subcontractor-controlled design for the kill vehicle (the most important component of the system) was a big mistake. Unknown to us initially, the subcontractor was redesigning part of their vehicle to include new requirements for their other customers, resulting in delays to our schedule, which in turn were reflected in our schedule with the Navy. Once this situation became apparent to us, upper management came down on the subcontractor like a ton of bricks, but to no avail since they were protected by the subcontract. Our only recourse was to micro-manage their schedule, which we did with moderate success. Eventually, the development of the vehicle was completed and it passed all of their tests.

Third Bad Decision

During the course of the contract, my company reached out to the subcontractor for a teaming agreement. This was before the critical Navy qualification tests were performed. At this point, the subcontractor's upper management told our upper management they wanted a teaming agreement and were excited about the prospects of finally selling their product to the US Navy. However, the president of the business unit in our company did not want to risk a teaming agreement because he felt they might fail the Navy qualification tests. He decided to wait until the tests were completed. Several members of his staff tried to get him to change his decision but failed. The subcontractor passed the Navy qualification tests. The Navy established their kill vehicle as sole source for the Navy’s air and sea platforms. The subcontractor designed and manufactured their own launcher. My company was completely left out. In hindsight, it should have been apparent to the president of our business unit that we had zero leverage with the subcontractor once they passed the qualification tests.

Lesson Learned

  1. Do not award a subcontract where the subcontractor has control over the requirements, design and schedule of any component. Maintain control over the entire subcontract.
  2. In any negotiation, do not leave the contract schedule to be decided and agreed upon after contract award. If it is not in the contract upon award, then you do not have a schedule.
  3. Establish a teaming agreement with another company before critical deciding events. Failure to do so runs the risk of succeeding.

Risk Analysis

It seems obvious that a risk analysis was not done in this case. What would have been the risks?

  1. Settling a painful, disputed claim without defining the schedule is a high program risk with a high impact if realized.
  2. Awarding a subcontract where contractual control of the key component is the responsibility of the subcontractor is another program risk, with a high probability of occurrence and adverse schedule and cost impact.
  3. Awarding a subcontract to a foreign company can be risky to the program because the geographical distance may cause the travel costs of monitoring the subcontractor to grow out of control, especially if they have problems, and because it is more difficult and costly to provide onsite support as required to ensure progress is being made to the schedule. This is a program risk.
  4. Teaming agreements can be risky to the program and enterprise if not structured properly and executed in a timely fashion.

#203 – IS YOUR GRADUATE WORK OR LIFE READY? – PROBABLY NOT – GREG HUTCHINS

This is the time of year when millions of kids are told if they’re getting into their college or university of choice. It’s a time of huge stress for kids and their parents.

The kids think that their life’s arc is going to be facilitated by a name university. The parents are anxious to see if their 18 years of mentoring and parenting have pointed their kid in the right direction for life and work. And, oh by the way: who’s going to pay for the educational launch pad (i.e. college)?

THIS IS JUST THE BEGINNING

So, the kid goes to the college or university of choice. That’s great. Hopefully, your kid gets a marketable degree and, most importantly, becomes employable.

End of problems? End of parenting? Unfortunately, no.

According to the survey below, most college graduates today are not ready for life or work. And, that’s a huge problem.

WHAT DO EMPLOYERS EXPECT?

Employers now expect today’s graduates to:

  • Have a professional work ethic.
  • Be able to communicate well.
  • Think critically.
  • Manage their career.

Today’s graduates think they do all these things already pretty well. But …

The Problem: Employers think much differently. Today’s employers think most of today’s college graduates do the most important work things abysmally.

Take a look at the recent numbers below of how graduates think and how employers think. Huge differences.

SO, WHAT DOES THIS ALL MEAN?

Lots!

At a basic level, there is a huge gap between what employers want and what today’s graduates think they do. This really impacts their employability and market value.

At a deeper level, it challenges the value of college and even an education. From the graduate’s point of view, will the 4 years of education improve employability or maturity? From the point of view of a parent or the person who co-signs the college loan, will they be indentured for life?

OUR DAUGHTER’S COLLEGE DECISION

By the way, our daughter decided to get an online mechanical engineering degree from University of Alabama and learn AI/Machine Learning/Robotics online.

Hopefully, these all point to getting a job and being self-sustaining.

#198 – A FRAMEWORK FOR QUALITY RISK MANAGEMENT OF FACILITIES AND EQUIPMENT – PHIL DESANTIS

This two-part article focuses on risk management of facilities and equipment. It describes how a risk-based approach to facilities and equipment management fits into an integrated, effective quality systems structure. The principles discussed are equally applicable to all quality systems. Facilities and equipment represent a broad range of risk to product quality and are one of the key quality systems commonly identified in the pharmaceutical manufacturing industry.

Cybersecurity Risk Management Workshop

Did you know that Small & Medium-sized Businesses (SMB) are targets in 75% of cyber attacks? Is your cybersecurity approach based on a set of defensive tools and procedures you have cobbled together over time? Is this approach adequate for dealing with today’s cyber risks? How do you know? Are you finding you are being more reactive than proactive? How can you do something about it?

This 3-hour workshop will address the basic steps to prepare your organization for implementing cybersecurity risk management. It will present a proactive methodology for defining and assessing your cybersecurity risks and then describe a mechanism for developing a plan to deal with them. We will look at the Federal (NIST) Cybersecurity Framework, developed with industry, as it defines a process and procedures for developing a cybersecurity system for an organization.

You will learn how to: 1) describe your current cybersecurity posture; 2) determine your target state for cybersecurity; 3) identify and prioritize opportunities for improvement using a risk management approach; 4) assess progress toward the target state and organizational capability; and 5) improve communications among internal and external stakeholders.

  • Analyze your current cybersecurity approach. What are your objectives and critical assets? The five Core cybersecurity Functions: Identify, Protect, Detect, Respond, Recover. Identifying the key cybersecurity process activities required to manage your cybersecurity risks. How to perform a cyber risk assessment and select your key risks and controls.
  • Assess your cyber risk management capabilities. How rigorous and sophisticated do your capabilities need to be for your cybersecurity risk management activities?
  • Define your cybersecurity risk Profile. What activities are needed to reach your cybersecurity goal(s)? Manage cybersecurity risk in each of the Core cybersecurity Functions and Categories. Which Functional Subcategories have you implemented already, and which others still need to be implemented? By documenting your current state and the desired target state of specific cybersecurity activities, you reveal the gaps that need to be addressed to meet your cybersecurity risk management objectives, and you enable assessment of progress toward those goals.

Date: Wednesday, June 3, 2015
Location: Room 160, Phoenix Convention Center – South Building Hall G.
Visit us at AmCon in Booth 419 (http://www.amconshows.com/phoenix-az/)
Registration fee: $199 (includes FAQ handout on NIST Cybersecurity Framework)
Register online: www.regonline.com/cermphoenix2015

Speaker: Ed Perkins CIA CERM is the developer of the Certified Enterprise Risk Manager® – Cyber Security™ certificate and is an expert on the NIST Risk Management Framework. Ed consults in enterprise risk management; performance and risk auditing; IT Governance; process automation; and project management; and holds a Certified Internal Auditor (CIA) designation. He has over 30 years of industry experience in computer operations, operating systems, embedded systems, software development, chip architecture development, design automation, program and project management, design services management, technical writing, and internal auditing. He has managed high visibility / high risk IT programs, and led cross-functional teams and industry work groups. He can be contacted at: edp@CERMAcademy.com.

Risk-based Auditing for ISO 9001-2015 Workshop

The forthcoming ISO 9001-2015 revision redefines quality as a risk-based endeavor. This will impact how you define, operate and certify your quality system.

By attending this 3-hour workshop, which will cover the implications of ISO 9001-2015 for companies, you will:

  • Understand the risk language of ISO 9001-2015 and ISO 31000
  • Know how to plan a Value Added Audit™ (VAA)
  • Know how to conduct the required level of fieldwork to assure your business objectives
  • Know how to write a value added audit report that meets your management’s requirements and the ISO 9001-2015 requirements

The VAA manual is a step-by-step guide for planning, conducting and reporting risk-based process audits. Each person who registers for the workshop will receive the 400-page Value Added Auditing manual for risk-based auditing, an $89 value.

Date: Tuesday, June 2, 2015
Location: Room 160, Phoenix Convention Center – South Building Hall G.
Visit us at AmCon in Booth 419
Registration fee: $199 (includes VAA book)
Register online: www.regonline.com/cermphoenix2015

Speaker: Greg Hutchins PE CERM is the principal engineer with Quality + Engineering (Q+E) – Critical Infrastructure Protection: Forensics, Assurance, Analytics® firm. Q+E provides cyber governance, risk, and compliance services to companies. Q+E is also the developer of the Certified Enterprise Risk Manager® certificate and Greg is the author of quality, risk, and supply management books, including Value Added Auditing®. His latest book, ISO: Risk Based Thinking – 2015, has just been released. Greg can be contacted at gregh@cermacademy.com.

 

CERM® Academy AmCon Phoenix Workshops

ISO is on track to release ISO 9001-2015 this Fall, which calls for companies to modify their Quality Management Systems for ‘risk based thinking’. Do you understand what this is and what it may mean?

Did you know that Small & Medium-sized Businesses (SMB) are targets in 75% of cyber attacks? Is your cybersecurity approach based on a set of defensive tools and procedures you have cobbled together over time? Is this approach adequate for dealing with today’s cyber risks? How do you know? Are you finding you are being more reactive than proactive? How can you do something about it?

To learn how to answer these questions, come to the AmCon Design & Contract Manufacturing Show in Phoenix June 2-3, and attend the CERM Academy Seminars and Workshops:

Meet face-to-face with some of the finest job shops and contract manufacturers from throughout the U.S. and Canada. See the latest in manufacturing’s cutting-edge technologies. From prototype to production parts, find sources for all your custom manufacturing needs.

AmCon Phoenix Design & Contract Manufacturing Show, June 2-3, 2015
Phoenix, AZ Convention Center – South Building Hall G
Details & Registration: http://www.amconshows.com/phoenix-az/

Show Hours:
Tuesday, June 2, 9:30 a.m. – 3:30 p.m.
Wednesday, June 3, 9:30 a.m. – 3:00 p.m.

Free Admission, Free Attendee Parking, Free Seminars
Attend Free Seminars given by industry professionals.

AMCON PHOENIX RISK WORKSHOPS JUNE 2-3

CERMAcademy will be participating in the June 2-3 AmCon Design & Contract Manufacturing Expo show in Phoenix. Visit us in Booth 419.

2:00 – 3:00 PM

Room 160

Preparing for New ISO Risk Based Thinking

Greg Hutchins/Bill Walker/Ed Perkins

www.CERMAcademy.com

ISO is on track to release ISO 9001-2015 this Fall, which calls for modifying your Quality Management System for ‘risk based thinking’. Do you understand what this is and what it may mean? Is your organization prepared for an increase in Quality Management System registration and audit costs over what you paid in the past? Why are the costs increasing? Besides yourself, do your CEO, CFO, COO and President fully understand the changes coming to AS9100 (AEROSPACE & DEFENSE), ISO 9001 (INTERNATIONAL STANDARD), ISO 31000 (RISK MANAGEMENT), ISO 19011 (AUDITING MANAGEMENT SYSTEMS-LIKE RISK), ISO 27001 (CYBER SECURITY), FAA (New Airline Risk Requirements), the requirement that ALL FEDERAL OFFICES have a RISK MANAGEMENT PROGRAM, plus other standards?

AMCON SEATTLE RISK WORKSHOP – MARCH 24, 2015

March 24, 2015

12:00pm – 1:30pm

Room 402

Risk Management, Cyber Security & ISO 9001:2015

Greg Hutchins/Bill Walker/Ed Perkins

Quality Plus Engineering – www.CERMAcademy.com

Is your organization prepared for any increase in registration costs over what you paid in the past? Why are the costs increasing? Besides yourself, do your CEO, CFO, COO and President fully understand the changes to AS9100 (AEROSPACE & DEFENSE), ISO 9001 (INTERNATIONAL STANDARD), ISO 13485 (MEDICAL), TS16949 (AUTOMOTIVE), TL9000 (TELECOMMUNICATIONS), ISO 31000 (RISK), ISO 19011 (AUDITING MANAGEMENT SYSTEMS-LIKE RISK), ISO 27001 (CYBER SECURITY), FAA (New Airline Risk Requirements), the requirement that ALL FEDERAL OFFICES have a RISK MANAGEMENT PROGRAM, plus other standards? Is ISO 9001-2015 the driving force behind the changes? Are you using COSO? Do you need to understand and comply with the new Federal Cyber Security Framework? Which is better, FMEA or HEAT MAPS? Which of the above RISK MANAGEMENT documents does your organization not know about, and does it understand what these requirements mean and how they will affect the bottom line?

Where do I find the answers to the above questions plus more? Where can I ask questions and learn more about what is happening and going to happen? Can I afford the changes? Can I survive and stay in business because of all the changes and cost increases?

Join Greg Hutchins, Ed Perkins and Bill Walker as we do a panel discussion on RISK MANAGEMENT requirements, CYBER SECURITY and ISO 9001-2015. ISO 9001-2015 is scheduled for release in September 2015. Are you prepared for the impact and costs that this document release will have?

Here is your opportunity to find out what is happening, how it will affect your bottom line and determine what training is recommended. Who needs to be trained first and then next?

At the conclusion of this FREE SEMINAR there will be a drawing for a FREE COPY of the VAA (VALUE ADDED AUDITING) Manual, which is the Standard Manual of Risk-Based, Process-Auditing. This manual is 383 pages, written by Greg Hutchins and sells for $89.00 plus $6 plus shipping and handling.

If you plan to attend this FREE SEMINAR on Tuesday March 24, 2015 starting at 12:00 Noon until 1:30 please RSVP Here and email to billwalkerrm@gmail.com to ensure that you will obtain the FREE handouts and have a place to sit.