DHS Acquisitions: Opportunities Exist to Enhance Risk Management

GAO-23-106249 Published: Aug 24, 2023. Publicly Released: Aug 24, 2023.

Fast Facts

The Department of Homeland Security spends billions of dollars each year on major purchases like new Coast Guard ships and systems for screening travelers. For these programs to succeed, DHS must manage acquisition risks—potential negative effects on program cost, schedule, or performance.

We found that DHS's acquisition risk management guidance generally follows best practices developed by GAO and others, but that there's room for improvement.

DHS is already planning to update this guidance, so we recommended ways the guidance can better reflect best practices—for example, by improving programs' communication with stakeholders.

Rendering of a Polar Security Cutter, one of DHS’s major acquisition programs

Highlights

What GAO Found

Managing acquisition risks—potential negative effects on a program's cost, schedule, and performance—is critical for a program to achieve its objectives. GAO previously found that acquisition programs tend to be overly optimistic when assessing their risks, underestimating the resources or time needed to develop and field capabilities. GAO and others identified six leading principles of acquisition risk management that are applicable to programs and portfolios, which are groups of related programs, such as Coast Guard ships.

Leading Principles for Acquisition Risk Management Applicable to Programs and Portfolios

At the program level, the Department of Homeland Security's (DHS) risk management guidance broadly reflects these leading principles. DHS guidance encourages programs to engage with stakeholders and leadership throughout their acquisition life cycles. GAO found examples of this communication in practice, such as when programs prepared for acquisition decision events, a series of critical milestones designed for oversight. However, GAO found gaps in DHS guidance and programs' implementation of the communication leading principle. Specifically, GAO found instances in which selected programs did not consistently track and incorporate stakeholder input or provide current risk data to DHS leadership. Ensuring that DHS guidance conforms with leading principles on documenting stakeholder input and communicating up-to-date information to leadership would improve DHS's ability to manage acquisition risks.

DHS's guidance also falls short in addressing leading principles at the portfolio level, which involves consideration of interdependencies and enterprise-level risks. For example, the guidance does not address how officials should identify portfolio-level risks—one of the six leading principles. Further, officials from two DHS components stated that having portfolio risk management guidance would be helpful to ensure consideration of these risks. Having such guidance would enhance DHS's ability to manage risks across its portfolio of programs and make decisions that optimize the portfolio's resources rather than considering risks solely on a program-by-program basis. DHS plans to update its acquisition risk management guidance by fall of 2023, which presents an opportunity to address these gaps and enhance DHS's risk management process.

DHS and its components acquire systems to help carry out multiple critical missions. In fiscal year 2023, DHS plans to spend over $4 billion on these systems. In May 2019, DHS revised its acquisition policy to better incorporate risk management—a continuous process to systematically track and manage risks.

GAO was asked to review DHS's acquisition risk management process for its major acquisition programs—those with life-cycle cost estimates of $300 million or more. This report assesses, among other issues, the extent to which DHS has addressed risk management at (1) the program-level, including involving stakeholders and leadership, and (2) the portfolio level.

GAO reviewed acquisition risk management policies and guidance from DHS and the eight components that manage major acquisition programs. GAO also reviewed how a nongeneralizable sample of five programs from within these components managed risks. GAO selected the sample based on a representation of components and a mix of IT and non-IT programs, among other criteria.

Recommendations

GAO is making eight recommendations to DHS, including that, as it updates its risk management guidance, it includes steps to enhance programs' communication with stakeholders, improve direction to programs on providing current risk data to leadership, and address portfolio risk management. DHS agreed with the recommendations.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, that it include methods for improving the objectivity of risk assessments. (Recommendation 1)
Status: Closed – Implemented
DHS agreed with this recommendation. In December 2023, the Office of Program Accountability and Risk Management updated its risk management guidance to include how programs can improve objectivity of risk assessments through consulting stakeholders, applying business rules, acknowledging assumptions, and documenting rationales. Improving the objectivity of risk assessments will help programs better estimate their risks, which allows them to appropriately prioritize and respond to them.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, that it include additional direction on managing realized risks, such as how to manage the consequences of realized risks and how to identify additional risks that may result from realized risks. (Recommendation 2)
Status: Closed – Implemented
DHS agreed with this recommendation. In December 2023, the Office of Program Accountability and Risk Management updated its risk management guidance to include a section on realized risks. This section provides information to programs on how to manage realized risks, create realized risk response plans, and identify potential associated risks. DHS's additional guidance on realized risks will help ensure programs are better positioned to respond to these risks once they have occurred.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, that it include leading principles on portfolio-level risk management. (Recommendation 3)
Status: Closed – Implemented
DHS agreed with this recommendation. In May 2024, the Office of Program Accountability and Risk Management updated its risk management guidance to include additional information on portfolio-level risks. This information provides a high-level explanation on planning for portfolio risks, prompts programs to identify portfolio risks in risk registers and includes ways programs can communicate how their risks may affect other programs. DHS's additional guidance on portfolio risk management will improve portfolio managers' ability to effectively manage these risks and make fully informed decisions to optimize the portfolio's resources.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that the Office of Program Accountability and Risk Management (1) assesses the costs and benefits of developing or acquiring the capability to systematically share risk management knowledge, such as data in risk registers and risk management approaches, across the department, and (2) determines whether to implement such a capability. (Recommendation 4)
Status: Open
DHS agreed with this recommendation. As of April 2024, DHS officials from the Office of Program Accountability and Risk Management told us they are planning to use a RAND study to determine the costs and benefits of a shared risk management repository. DHS officials said they plan to address this recommendation later in calendar year 2024. We will continue to follow up with DHS on its efforts to address this recommendation.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, that it further incorporate leading practices for documenting engagement with stakeholders, such as ways to identify the appropriate stakeholders to involve and what input stakeholders have provided on risks. (Recommendation 5)
Status: Closed – Implemented
DHS agreed with this recommendation. In December 2023, the Office of Program Accountability and Risk Management updated its risk management guidance to include information on how programs should document stakeholder engagement. These updates include listing documentation where stakeholders may identify risks, conducting stakeholder interviews, and engaging with stakeholders to help assess risks. These updates will help programs reduce optimistic biases in their risk management process, reduce underestimation of risks, and improve program outcomes.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, that it clarifies how programs should include risks raised in required acquisition documents and relevant meetings, such as by providing a more comprehensive list of required acquisition documents and forums where stakeholder risks are identified, to ensure these risks are consistently accounted for in risk registers. (Recommendation 6)
Status: Closed – Implemented
DHS agreed with this recommendation. In December 2023, the Office of Program Accountability and Risk Management updated its risk management guidance to include a comprehensive list of documents and forums where stakeholder risks are identified. This includes identifying and listing typical risk sources, providing a list of acquisition documents and assessments from DHS Instruction 102-01-001, and noting that risks identified in these resources should be documented in the risk register. These updates will ensure that programs consider and incorporate all stakeholder-identified risks, which will help improve program outcomes.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance for briefing the Acquisition Review Board on risks, that it (1) include additional direction on including as-of dates for risk information, and (2) clarify how programs should communicate on risks that have arisen or changed since the as-of date. (Recommendation 7)
Status: Closed – Implemented
DHS agreed with this recommendation. In May 2024, the Office of Program Accountability and Risk Management updated its risk management guidance. The update included how programs should communicate their risk status to the Acquisition Review Board if changes occur after they submit a briefing for review. The update also directed programs to include as-of dates for the overall risks. DHS's additional guidance on communicating the currency of risk information will ensure that DHS leadership has the most up-to-date risk information from the programs and will have the information necessary to prompt questions about newly identified risks during Acquisition Review Board briefings.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that when the Office of Program Accountability and Risk Management updates its risk management guidance, it include additional direction on maintaining up-to-date estimated completion dates for risk mitigation steps. (Recommendation 8)
Status: Closed – Implemented
DHS agreed with this recommendation. In December 2023, the Office of Program Accountability and Risk Management updated its risk management guidance to include how programs should document and update estimated completion dates. This change will help programs provide leadership and stakeholders with timely visibility into their risk management activities.

Topics

Acquisition management, Acquisition programs, Best practices, Critical infrastructure protection, Cybersecurity, Homeland security, Life cycle costs, Project management, Risk management, Risk assessment