The Department of Homeland Security (DHS) spends billions of dollars each year on major purchases like new Coast Guard ships and systems for screening travelers. In fiscal year 2023, DHS plans to spend over $4 billion on these major acquisitions. For the programs to succeed, DHS must manage acquisition risks—potential negative effects on program cost, schedule, or performance.
The Government Accountability Office (GAO) has found that DHS’s acquisition risk management guidance generally follows best practices developed by GAO and others, but that there’s room for improvement.
For example, DHS guidance encourages programs to engage with stakeholders and leadership throughout their acquisition life cycles. GAO found instances of this communication in practice, such as when programs prepared for acquisition decision events, a series of critical milestones designed for oversight. However, GAO also found gaps in DHS guidance and in programs’ implementation of the leading principle on communication. Specifically, GAO found instances in which selected programs did not consistently track and incorporate stakeholder input or provide current risk data to DHS leadership.
GAO determined that DHS’s guidance also falls short in addressing leading principles at the portfolio level, which involves consideration of interdependencies and enterprise-level risks. For example, the guidance does not address how officials should identify portfolio-level risks. DHS plans to update its acquisition risk management guidance by fall of 2023, which presents an opportunity to address these gaps and enhance DHS’s risk management process.
GAO found that five DHS components, namely U.S. Customs and Border Protection (CBP), the U.S. Coast Guard, the Countering Weapons of Mass Destruction Office (CWMD), the Cybersecurity and Infrastructure Security Agency (CISA), and the Transportation Security Administration (TSA), issued acquisition risk management guidance to supplement the DHS guidance. Components’ guidance covers topics such as managing stakeholders, managing realized risks, and risk tolerance. For example, CBP’s supplemental guidance emphasizes risk tolerance and describes management approaches that reward innovation. CBP’s guidance also describes the role of CBP’s Chief Risk Officer, who is responsible for establishing risk tolerance procedures. CISA, meanwhile, has supplemental guidance that includes templates for managing stakeholder engagement. These templates encourage programs to track relevant stakeholders in a register, assess stakeholder involvement, and establish preferred communication channels.
As programs track their risks and subsequent responses in risk registers, they generate valuable data for risk management. Officials from TSA’s Credential Authentication Technology (CAT) program track program actions that are historically effective at mitigating a particular risk so that they can use the same ideas to mitigate future risks. For example, TSA program officials stated that based on prior risk mitigation efforts, they now release smaller batches of units at initial deployment to minimize the risk of rework if problems are discovered later. Similarly, officials from CBP’s Non-Intrusive Inspection Integration program reviewed risk responses from another CBP program’s risk register to inform how they responded to similar risks.
Component and program officials told GAO that systematically sharing risk data and approaches, such as through a DHS-wide risk tool, could benefit programs in their day-to-day risk management and facilitate portfolio risk management. CISA officials stated that they are contemplating developing a component-wide risk register that would serve programs as a one-stop shop for risk data. Officials stated that such a tool could potentially inform leadership of risks more efficiently, provide better analytics and trend data, and thus improve management oversight and insight across the component.
During the course of GAO’s review, two programs identified examples of stakeholder subject matter expertise helping them to identify risks that they did not originally consider.
In January 2023, a TSA testing official voiced concerns about the TSA CAT program’s testing environment not functioning correctly in preparation for an operational test event. Program officials stated that once the testing office communicated this risk to them, they began tracking it in the risk register. As a result, the CAT program developed plans to mitigate the risk until it discovered and implemented a solution to stabilize the testing environment.
During a pre-Acquisition Review Board meeting in March 2022, a senior Navy official raised concerns about the Coast Guard’s Polar Security Cutter program’s plans for a new control system. After the official raised concerns, the program added this risk to its risk register in April 2022 and chose to mitigate the risk. The program plans to set up a testing facility to ensure that the control system is fully functional.
GAO found that the DHS department-wide risk management guidance does not describe how programs should consistently incorporate and document stakeholder input, nor does it describe how to manage stakeholder coordination, such as through a stakeholder engagement plan or stakeholder register. DHS officials stated that they plan to include additional guidance on stakeholder engagement in the fall 2023 update to the risk management guidance. According to these officials, proposed changes may include a recommendation that programs hold stakeholder interviews to help identify areas of concern and risks for consideration.
DHS plans to address GAO’s recommendations resulting from the review as part of its update to its risk management guidance.