Project No. 08-93
COPY NO.

Managing Risk across the Enterprise: A Guide for State Departments of Transportation

FINAL

Prepared for
The National Cooperative Highway Research Program
Of The National Academies

Gordon Proctor
Gordon Proctor & Associates
Dublin, Ohio

Shobna Varma
The StarIsis Corporation
Lewis Center, Ohio

Jeff Roorda
Jeff Roorda and Associates, Inc.
Springwood, Australia

June, 2016

TRANSPORTATION RESEARCH BOARD OF THE NATIONAL ACADEMIES

PRIVILEGED DOCUMENT
This document, not released for publication, is furnished only for review to members of or participants in the work of the CRP. This document is to be regarded as fully privileged, and dissemination of the information herein must be approved by the CRP.

ACKNOWLEDGEMENT OF AUTHORSHIP
This work was sponsored by the American Association of State Highway and Transportation Officials in cooperation with the Federal Highway Administration, and was conducted by the National Cooperative Highway Research Program.

DISCLAIMER
This is an uncorrected draft as submitted by the Contractor. The opinions and conclusions expressed or implied herein are those of the Contractor. They are not necessarily those of the Transportation Research Board, the National Academies, or program sponsors.

Table of Contents

Introduction—About this Guide
  How to Use this Guide
Chapter 1: Defining Risk Management
  Summary
  Clarifying Risk and Risk Management
  Managing Risks Complements Performance
  Enhancing Decision Making by Evaluating Risks
  Allocating Scarce Resources
  Identifying and Mitigating Threats
  The Levels of Risk Management
  The Risk Management Process
  The ISO Concepts
  Establishing the Context
  Risk Identification
  Risk Analysis
  Risk Evaluation
  Risk Management
  Communication and Monitoring
  Level of Effort for Enterprise Risk Management
  Relying on Risk Management to Improve Performance
Chapter 2: Establishing the Risk Process
  Summary
  Essentials for ERM: Policies, Tools, and Processes
  Step 1: Adopt a Risk Management Policy
  A Sample Risk Management Policy
  Step 2: Provide the Tools for Managing Risks
  Step 3: Integrate Risks into Key Agency Processes
  Summarizing the Tasks and Responsibilities
Chapter 3: Establishing the Risk Context
  Summary
  Identifying Risk Focus Areas and Risk Owners
  Assigning Risks and Forming Teams to Assess Them
  Clarifying the Objectives and Their Environment
  Setting the Context around the Objective
  Examples of Applying the Risk Management Process
  Tools for the Context-Setting Exercise
  Basis for Further Decision Making
Chapter 4: Identifying Risks
  Summary
  Risk Identification: First Step of Risk Assessment
  Beginning the Risk Identification Process
  Techniques for the Risk Identification Workshop
Chapter 5: Analyzing Risks
  Summary
  Understanding the Causes and Effects of Risks
  Cause-and-Effect Analysis
  Risk Analysis Tools
  Strengths, Weaknesses of Qualitative and Quantitative Scales
  Consequence Categories
  Likelihood Table or Scale
  Rating Opportunities
Chapter 6: Evaluating Risks
  Summary
  The Risk Appetite
  Dynamic and Continuous Evaluation of the Risk Appetite
  Risk Prioritization
Chapter 7: Managing Risks
  Summary
  The Five Ts
Chapter 8: Communicate, Consult, Monitor
  Summary
  Using the Agency’s Risk Process
  Populating the Risk Register
  The Risk Map
  Key Risk Indicators as Leading Metrics
  Communicating with and Monitoring the External Environment
  Consulting with Stakeholders
  Measuring Risk Management Maturity
Chapter 9: Managing Risks to Key Programs
  Managing Risks to Transportation Assets
  Examples of Risk in Asset Management Manuals
  Asset Management Manuals
  U.S. Asset Management Plans
  New York State Department of Transportation Risk Assessment
  Colorado Department of Transportation Asset Management Plan
  Minnesota Department of Transportation
  Georgia Department of Transportation
  Case Study of Asset Management Liability in Australia
  A Case Study of U.S. Transit Agency Risk Management
  Managing Risks to Highway Safety
  Australian, Canadian, and British Frameworks
  U.S. Risk-Based Highway Safety Examples
  Managing Risk from External Threats
  General Risk or Threat Assessments
  Climate Change Risks
  Rock fall Hazard Programs
  Seismic Risk Assessment Approaches
  Bridge Scour Risks
  A Case Study of Balancing Investments in Assets and Preparing for External Threats
  Managing Risks to Financial Resources
  Managing Information and Decision Risks
  General Information System Risks
  Managing Risks to Models
  Managing Risks to Business Operations
  Traditional Risk Management
  Risks from Theft, Fraud, and Malfeasance
  Controlling Risks to Inventory
  Managing Employee Safety and Workers’ Compensation
  Managing Risks to Programs and Projects
  Guidebook on Risk Analysis and Management Practices to Control Project Costs
  Caltrans Project Risk Management Handbook
  Project Risk Management Guidance for WSDOT Projects
  Guide for Managing Risk on Rapid Renewal Projects
  Managing Risks on Complex Projects
Chapter 10: Critical Review of the State of the Practice and Case Studies
  Summary
  State of the Practice
  Corporate Sector Summary
  From Financial to Enterprise Risk Management
  Risk Management Embedded in Corporate Practice
  Corporate Summary
  NCHRP Studies Summary
  Case Studies of U.S. Practice
  Australian Risk Management Summary
Chapter 11: Advanced Risk Tools
  Summary
  Risk Registers
  Vermont Risk Register
  NCDOT Risk Register
  Washington DOT Risk Register
  Funding Risks
  Financial Risk Tools
  Basic Spreadsheet Tools
  Incorporating Elements of the Delphi Technique
  Deterministic Computations Incorporating Variability
  Incorporating Randomness in Uncertain Variables
  Stochastic Methods – Monte Carlo Simulations
  Illustrative Example
  Results from a Customized Simulator
  Commercially Available Software
  Other Tools to Facilitate Decision Making
Conclusions
Glossary
References

List of Figures

Figure 1. This figure illustrates the concept that risk management and performance management operate as parallel, complementary disciplines.
Figure 2. Risk management can be an enabler that supports asset and performance management.
Figure 3. The levels at which risk management is practiced.
Figure 4. The ISO process.
Figure 5. Drivers of risk management are its policy, tools, and integration into agency processes.
Figure 6. An example of a risk map.
Figure 7. A risk map color coded by importance of risks.
Figure 8. A sample risk update report.
Figure 9. Risk management flows through the organization, cascading from strategic risks to programs, projects, and activities. The risk manager, manual, training, tools, and website are key enablers in the process.
Figure 10. Internal and external factors can create risks.
Figure 11. Internal and external factors greatly influence the risks and opportunities public agencies face.
Figure 12. The three elements of risk assessment.
Figure 13. Categorized risks to the pavement program.
Figure 14. A bowtie diagram.
Figure 15. A cause-and-effect diagram.
Figure 16. Consequence and likelihood scale.
Figure 17. Types of pavement risks and their consequences.
Figure 18. Pavement program risk map.
Figure 19. Risk treatment threshold graphic.
Figure 20. A complete risk register.
Figure 21. A simplified risk register.
Figure 22. A risk reduction map.
Figure 23. A scorecard of risk management activity.
Figure 24. National highway construction price trends.
Figure 25. A risk maturity matrix.
Figure 26. An example risk register from the CDOT asset management plan.
Figure 27. Vermont DOT Risk Matrix; Source: Vermont Agency of Transportation
Figure 28. Critical enterprise risks from pavements. Source: VTrans
Figure 29. Critical enterprise risks from bridges. Source: VTrans
Figure 30. Critical enterprise risks from budget, planning and programming. Source: VTrans
Figure 31. Critical enterprise risks from data management and systems. Source: VTrans
Figure 32. NCDOT Risk Matrix; Source: NCDOT
Figure 33. Snapshot from NCDOT’s Risk Register for Pavements; Source: NCDOT
Figure 34. Snapshot from NCDOT’s Risk Register for Pavements; Source: NCDOT
Figure 35. WSDOT Risk Likelihood and Severity Rating; Source: WSDOT
Figure 36. Example of Scores for Information Technology Risks in WSDOT. Source: WSDOT
Figure 37. Variability of projected State Funds during plan period.
Figure 38. Variability in Projected Bridge Costs due to Inflation during plan period.
Figure 39. Projected uses at different inflation rates.
Figure 40. Variability in Projected Sources at different rates.
Figure 41. Chart showing the results of one iteration of Projected Sources and Uses using randomly generated values of the uncertain variables within the ranges recommended by the Expert Panel during the TAMP Period.
Figure 42. Comparison of the results of one iteration of Projected Sources using random annual variability with the projections using Base Case variation as recommended by the Expert Panel.
Figure 43. Comparison of the results of one iteration of Projected Uses using random annual changes in inflation with the projections using Base Case inflation as recommended by the Expert Panel.
Figure 44. Histogram of projected funding gaps using Monte Carlo simulation.
Figure 45. Sample output chart format with summary statistics for NPV of future pavement costs.
Figure 46. Tornado chart showing the relative impact of various uncertain inputs on the simulation results.
Figure 47. Decision Tree showing options and potential outcomes with associated probabilities and costs of a decision involving the completion of a geotechnical study.

List of Tables

Table 1. Risk types and their owners.
Table 2. A matrix of responsibility, accountability, consultation, and who is informed of the steps needed to implement an enterprise risk management program.
Table 3. Issues surrounding the context of asset management risks.
Table 4. Sample highway safety objective and risk context.
Table 5. Sample project oversight objective and risk context.
Table 6. Sample ITS objective and risk context.
Table 7. Risks to a theoretical pavement program.
Table 8. Consequence table.
Table 9. Consequence descriptions for the enterprise level.
Table 10. Consequence levels for program risks.
Table 11. Consequence levels for project or activity risks.
Table 12. Application of consequence levels to the pavement program risks.
Table 13. A consequence table for program risks.
Table 14. A likelihood scale.
Table 15. Risk matrix values table.
Table 16. Likelihood and consequences of risks to the pavement program.
Table 17. A threat and opportunity table.
Table 18. Residual risk after treatment.
Table 19. Documentation of the team’s recommendations for managing pavement program risks.
Table 20. Caltrans retrofit criteria.
Table 21. The number of risks associated with VTrans’ strategic goals and objective. Source: VTrans