1.FHWA Risk Management Framework – Update 2012
AASHTO Internal Audit Conference 2012 – Phoenix
Daniel Fodera, CMQ/OE
Program Management Improvement Team
Federal Highway Administration
2.Learning Objectives
Identify the components of the ISO risk management structure.
Describe the risk management framework used by the Federal Highway Administration
Recognize the steps in the risk management process
Discuss how FHWA uses risk management in program oversight
3.New Risk Management Framework
Risk Initiatives Affecting FHWA
International Risk Scan
ISO 31000
OST/FMFIA Risk Tools
4.Risk Management - How Did We Get Here?
5.International Risk Scan: Summary of Findings
RM supports strategic organizational alignment
Mature organizations have an explicit RM structure
Successful organizations have a culture of RM
A wide range of RM tools are in use
Use of RM tools for programmatic investment decisions
A variety of risk allocation methods are available
Active risk communication strategies improve decision making
RM enhances knowledge management and workforce development
6.ISO 31000
7.ISO Risk Management Structure
Design and Framework for managing risk
Mandate and Commitment
Continual improvement of the framework
Implementing risk management
Monitoring and review of the framework
Communication and Consultation
Establishing the context
Risk Assessment
Monitoring and Review
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Principles
Framework
Process
8.FHWA Risk Management Framework
Design and Framework for managing risk
Mandate and Commitment
Continual improvement of the framework
Implementing risk management
Monitoring and review of the framework
1 - FHWA Risk Directive
2 - Risk Management Timeline
3 - Risk Management Process User Manual
4 - Risk Management Q&A
5 - “Risk Tracker”
6 - Leadership Dashboard Measure
9.FHWA Risk Management Directive
Provides the foundation for Risk Management at FHWA
Defines what “risk” means to FHWA
Outlines FHWA’s Risk Management Process
Applies to all organizational units of FHWA.
10.Risk Management Timeline
Annual Risk Call aligned with release of Final SIP (3/15)
Risk Due Date aligned with Unit Plan Due Date (5/31)
Quarterly Updates of Status in Risk Tracker
OST/FMFIA Unit Risk Profile annual update to be aligned with Risk/Unit Plan (hopefully)
OST FMFIA Inherent Risk Assessment annual update to be done at Component Level and aligned with Risk/Unit Plan (hopefully)
11.FHWA Risk Management Process
12.Step 1: What is the Context?
Identify the Context
Identify Risks
Prioritize Risks
Plan and Execute Response Strategies
Monitor, Evaluate, and Adjust
Communication and Consultation occur at each step
Analyze the Risks
Assess Impact
Assess Likelihood
Risk Assessment
Internal – anything within the organization that can influence the way in which FHWA will manage risk – mission, objectives, controls, resources, etc.
External – key drivers & trends having impact on objectives of the organization, relationships with, perceptions & values of external stakeholders.
Risk Management - Are you reassessing previously identified risks or identifying emergent risks? Who will assess what Program Areas? Will it be done individually, in teams or as an office? With input from your partners?
13.OST/FMFIA Risk Profile (Part of Your “Context”)
Required by and Reported to OST as part of the FMFIA Assurance. Document the Unit’s Internal Controls
Completed by all “Assessable Units”, including the Division Offices
Integrated into our annual Risk Management Cycle
A Key Part of Step 1: Setting the Context
Now Managed by the OCFO in Coordination with the PMI Team
14.OST/FMFIA Inherent Risk Assessment (Part of Your “Context”)
Required by and Reported to OST as part of the FMFIA Assurance. Assess the high-level “inherent” risk of the Component or Unit
Completed at the “Component” level for FHWA. DA Council to Complete One on Behalf of the Division Offices
Integrated into our annual Risk Management Cycle
A Key Part of Step 1: Setting the Context
Managed by the OCFO in Coordination with the PMI Team
15.Step 2: Identify the Risks
When identifying risks consider your key objectives:
Organizational Objectives in the SIP that affect your Unit
Local Unit Objectives
Program Objectives (Planning, Environment, ROW, etc.)
Project Objectives
Ask – What Are the Risks to Meeting My Objectives?
Brainstorm with the “Right” Folks
16.Step 3: Analyze the Risks (Impact)
Scale
4 - Catastrophic
3 - Major
2 - Moderate
1 - Minor
0 - Insignificant
Criteria
Financial
Reputation
Business Operations
Legal & Compliance
Infrastructure Assets
Resources & Efforts Req.
Environment & Culture
Safety
18.Step 3: Analyze the Risks (Likelihood)
Scale
4 - Almost Certain
3 - Likely
2 - Possible
1 - Unlikely
Criteria
Outside Control/Influence
Fraud, Waste, Abuse
Workforce Development/Training
FHWA Involvement
Consultant Use
Criteria
Staffing
Operational Procedures
Guidance
Problem History
New Program
Complexity
20.Step 4: Prioritize the Risks
Start with an “Expected Value” calculation (Impact Rating X Likelihood Rating)
Locate the Risks on the Heat Map - a graphical plot to represent the relative placement of risks
Adjust Risk Ratings (Top, High, Medium, Low) based on LEADERSHIP VALIDATION
22.Step 5: Execute Response Strategies
Your Approach to Treating the Risks
Response Strategy Type:
Avoid
Enhance
Mitigate
Transfer
Accept
23.Step 6: Monitor, Evaluate, and Adjust (Risk Tracker)
24.Step 6: Monitor, Evaluate, and Adjust (Leadership Dashboard)
25.Questions?
Mike Graf
michael.graf@fhwa.dot.gov
404-562-3578
Daniel Fodera
daniel.fodera@fhwa.dot.gov
404-562-3672