Calling the "A-Team" for a Low-Risk Project

Speaking of the IT mercy rule, for the US Department of Homeland Security (DHS) Secure Border Initiative's SBInet Project 28, they now appear to be 8 runs down and its the bottom of the fifth inning.

DHS Secretary Michael Chertoff told the House Committee on Homeland Security that payment to the Boeing Company, the prime contractor, was being suspended until it can prove that the "virtual fence" can be made to work. Seems that there is a "software glitch" and some integration issues that are causing problems.

Chertoff, however, is reportedly confident now that Boeing has "retooled their team on the ground and replaced some of the managers. ... They are now working through the problems of system integration as we speak. I think they put their A-team in place to do it."

Ahem, did this mean that Boeing has been using its B-Team?

Given the supposed importance of the SBInet project to Boeing, a somewhat surprising winner of the SBInet contract, you would have thought that Beoing's A-Team was on the project from the beginning.

But, in looking back to just a few weeks ago, the A-Team was supposedly on the project, and that the change in management was just routine ("The [Boeing] program management change was planned several months ago'). Maybe what Chertoff meant to say that Boeing now has the A-plus team on the project.

Yet... this project was said from its inception to be a technologically-low risk project according to both Boeing ("Boeing's solution concentrated on using proven, low risk, off-the-shelf technology..") and the DHS ("... we believe that the selection of the Boeing proposal validates the approach for acquiring a low-risk technological solution.")

While low-risk doesn't mean no-risk, Project 28 was declared low-risk because it is using common, off-the-shelf system components that has all been used before, albeit not altogether at one time.

Sort of like saying I am going to build a car using a Honda Accord engine, a Ford F-150 chassis, a GM Saturn Vue interior , etc., and then claiming the resulting effort is low-risk. Makes sense to me, although there is this small issue of integration, eh?

Curiously, the SBInet project is on OMB's current high risk list. This must be what OMB means when it says that just because a project is on its high risk list does not mean that it is in reality high risk. But Project 28 is now 20% over schedule, and if it were a defense program, it would be considered a failure in the making. So, is SBInet high risk - or is it low risk? Or do we just split the difference and call it medium risk?

What makes this all a bit more puzzling, of course, is that back in April, the mobile tower (i.e., the integrated, mobile sensor tower that houses cameras, radar, wireless data access points, communications and computer equipment, and a security system) element of Project 28 passed all of its tests with flying colors. Seemed to indicate a low-risk project, right?

But in June, DHS admitted to Congress, after oops forgetting to disclose it during testimony, that the Project 28 go live date had slipped from 13 June to 20 June. Ah, better make that September (maybe). So, what did the April test actually test, and what insight in the level of project risk did it produce?

As time goes on, I assume all this will become clear. And assuming that DHS is a learning organization, I can expect that DHS has at this very moment an on-going learning review of Project 28 to help DHS understand why a supposedly low-risk project has turned out not to be one, and how it can avoid this situation in the future. I am very anxious to read DHS's Project 28's lessons learned report, too, since maybe this high-risk/low-risk thing will become clear to me.

Boeing, an avowed learning organization, must be doing the same thing, especially now that at least two of its recent high-visibility, publicly declared low-risk, commercial off-the-shelf system programs (the other being Wedgetail) have proven anything but. Interestingly, Wedgetail also supposedly passed its early tests with flying colors. A risk pattern, perhaps?


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City