FHWA Risk Management Framework – Update 2012

AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.
Presentation transcript:

FHWA Risk Management Framework – Update 2012 AASHTO Internal Audit Conference 2012 – Phoenix Denise Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration

Learning Objectives: Identify the components of the ISO risk management structure. Describe the risk management framework used by the Federal Highway Administration. Recognize the steps in the risk management process. Discuss how FHWA uses risk management in program oversight.

New Risk Management Framework. Risk Initiatives Affecting FHWA: International Risk Scan; ISO 31000; OST/FMFIA Risk Tools.

Risk Management - How Did We Get Here? 2001: FHWA Policy Memo released. 2004: Risk Best Practices Review. 2006: 1st Agency-wide Corporate Risk Management Initiative. 2007: Risk Mgmt Planning. 2007: User Manual released. 2009/2010: FHWA HQ's Offices conducted risk assessment for the 1st time. 2009: Corporate Risk Team formed & a corporate risk approach was developed. 2011: Int’l Risk Scan; ISO 31000; FMFIA Risk Tools.
We are ahead of the game on this. Enterprise Risk Management is all the rage now. Change has been part of the journey for us.
2011: All units completed FMFIA profile; Risk Tracker V1.0 rolls out; International Scan on risk mgmt. 2011: Team formed to update FHWA's Risk Manual & Tools. 2012: Updated Framework delivered and deployed.

International Risk Scan, Summary of Findings: RM supports strategic organizational alignment. Mature organizations have an explicit RM structure. Successful organizations have a culture of RM. A wide range of RM tools are in use. Use of RM tools for programmatic investment decisions. A variety of risk allocation methods are available. Active risk communication strategies improve decision making. RM enhances knowledge management and workforce development.

ISO 31000

ISO Risk Management Structure (diagram): Principles; Framework; Process.
Framework: Mandate and Commitment; Design and Framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework.
Process: Communication and Consultation; Establishing the context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Monitoring and Review.

FHWA Risk Management Framework: 1 - FHWA Risk Directive; 2 - Risk Management Timeline; 3 - Risk Management Process User Manual; 4 - Risk Management Q&A; 5 - “Risk Tracker”; 6 - Leadership Dashboard Measure.
(Diagram labels: Mandate and Commitment; Design and Framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework.)

FHWA Risk Management Directive: Provides the foundation for Risk Management at FHWA. Defines what “risk” means to FHWA. Outlines FHWA’s Risk Management Process. Applies to all organizational units of FHWA.

Risk Management Timeline: Annual Risk Call aligned with release of Final SIP (3/15). Risk Due Date aligned with Unit Plan Due Date (5/31). Quarterly Updates of Status in Risk Tracker. OST/FMFIA Unit Risk Profile annual update to be aligned with Risk/Unit Plan (hopefully). OST FMFIA Inherent Risk Assessment annual update to be done at Component Level and aligned with Risk/Unit Plan (hopefully).

FHWA Risk Management Process: Each of these steps answers key questions in the risk management process.

Step 1: What is the Context? Internal – anything within the organization that can influence the way in which FHWA will manage risk: mission, objectives, controls, resources, etc. External – key drivers & trends having impact on objectives of the organization; relationships with, and perceptions & values of, external stakeholders. Risk Management – Are you reassessing previously identified risks or identifying emergent risks? Who will assess what Program Areas? Will it be done individually, in teams or as an office? With input from your partners?
Context Slide. Identify the Context. This is the step in the Risk Management Process during which you plan the process, determine what program areas, National Performance Objectives and Initiatives will be considered, gather supporting documents, understand the assessment criteria, and determine the approach that you will use. This step was previously called “Gather information about your Risks”.
Another way of thinking about Context is asking what the scope is: selecting the Program Areas and/or Core Elements within those areas, determining what NPOs and Initiatives will be assessed, and taking into account the Internal and External factors that should be considered. Internal context is the internal environment in which FHWA seeks to achieve its objectives. Examples include office structure; policies, programs & organization goals & objectives; organizational capacity; information systems, etc. External context is the external environment in which FHWA seeks to achieve its objectives. Examples include political, legal, regulatory, financial, etc.
Gather supporting documents. This includes past risk management plans and risk assessments, the SIP, office or Division specific business plans, SWOTs or Program Assessments, and also the Federal Managers' Financial Integrity Act (FMFIA) Unit Risk Profile. FHWA has adopted updated Impact and Likelihood Criteria that are discussed later and are included in both the manual and the RM Tools Workbook that is available at the RM SharePoint site.
Risk Management – In this step, also determine if this will be a new Risk Assessment or a reassessment: are you reassessing previously identified risks or identifying emergent risks? Decide who will assess what Program Areas and what SIP NPOs; whether it will be done individually, as teams or as an office; and whether there will be input from your partners, such as the DOT. Plan how the following steps will be carried out and what tools from the Tool Workbook you will use. It is understood that the plan may be modified as you move through it, but it is very helpful to begin the process knowing the context and parameters of the assessment. Context answers the key questions… (use key questions from user manual)
(Process diagram: Identify the Context; Identify Risks; Analyze the Risks (Risk Assessment: Assess Impact, Assess Likelihood); Prioritize Risks; Plan and Execute Response Strategies; Monitor, Evaluate, and Adjust. Communication and Consultation occur at each step.)

OST/FMFIA Risk Profile (Part of Your “Context”): Required by and Reported to OST as part of the FMFIA Assurance. Document the Unit’s Internal Controls. Completed by all “Assessable Units”, including the Division Offices. Integrated into our annual Risk Management Cycle. A Key Part of Step 1: Setting the Context. Now Managed by the OCFO in Coordination with the PMI Team.

OST/FMFIA Inherent Risk Assessment (Part of Your “Context”): Required by and Reported to OST as part of the FMFIA Assurance. Assess the high-level “inherent” risk of the Component or Unit. Completed at the “Component” level for FHWA. DA Council to Complete One on Behalf of the Division Offices. Integrated into our annual Risk Management Cycle. A Key Part of Step 1: Setting the Context. Managed by the OCFO in Coordination with the PMI Team.

Step 2: Identify the Risks. When identifying risks consider your key objectives: Organizational Objectives in the SIP that affect your Unit; Local Unit Objectives; Program Objectives (Planning, Environment, ROW etc.); Project Objectives. Ask – What Are the Risks to Meeting My Objectives? Brainstorm with the “Right” Folks.
Answers the key questions… (use key questions from user manual) In the appendix of the 2012 User Manual a Crosswalk for Program Areas, Core Elements, and national performance objectives and national initiatives has been included for your use. Please note that the national objectives and initiatives are updated annually.

Step 3: Analyze the Risks (Impact). Scale: 4 - Catastrophic; 3 - Major; 2 - Moderate; 1 - Minor; 0 - Insignificant. Criteria: Financial Reputation Business Operations Legal & Compliance Infrastructure Assets Resources & Efforts Req. Environment & Culture Safety.
Impact Matrix is included in the appendix of the 2012 User Manual. The scale is that used by OST. Criteria come from the impacts seen, the OST definitions, the Corporate risk assessment, and what has been seen internationally. FHWA plans to do some leadership validation of these criteria.

Step 3: Analyze the Risks (Likelihood). Scale: 4 - Almost Certain; 3 - Likely; 2 - Possible; 1 - Unlikely. Criteria: Staffing Operational Procedures Guidance Problem History New Program Complexity. Criteria: Outside Control/Influence Fraud, Waste, Abuse Workforce Development/Training FHWA Involvement Consultant Use.
Scale is that used by OST. Criteria are those we have always been using.

Step 4: Prioritize the Risks. Start with an “Expected Value” calculation (Impact Rating X Likelihood Rating). Locate the Risks on the Heat Map - a graphical plot to represent the relative placement of risks. Adjust Risk Ratings (Top, High, Medium, Low) based on LEADERSHIP VALIDATION.
Heat Map Tool Slide 1. A graphical plot or visual tool used to represent the relative placement of risks. The expected value of the risk determines its location. For example, on a grid, a catastrophic impact and almost certain likelihood risk would be in the upper right quadrant. The heat map can also be used to indicate risk tolerance or residual risk. Where leadership deviates from the calculated ratings, this should be documented.

Heat Map Tool Slide 2. Describe the tool: the Y axis is Impact on the scale 1-4, and the X axis along the top row is the Likelihood scale. This Heat Map is an available tool and not required. It is included in the Manual and in the RM Tools Workbook. Placing an office's or Division's EVs on the Heat Map will show a number of things, which could include clustering of risks in one area, risks of one program relative to another, and bias in scorers. This tool is most helpful to provide a visual summary of some of the key elements of the Risk Register. It was created to improve communication and understanding of the relationship between Assessed Risks.
How to use this Tool: Multiply the values from the risk impact and likelihood assessments. Using the values from the impact and likelihood matrices will give a maximum value of 16 and a minimum value of one. This is your risk "expected value." Use the expected value to sort your risks and help with risk prioritization. Use your expected values and prioritization to decide which risks require response strategies.

Step 5: Execute Response Strategies. Your Approach to Treating the Risks. Response Strategy Type: Avoid, Enhance, Mitigate, Transfer, Accept.

Step 6: Monitor Evaluate and Adjust (Risk Tracker)

Step 6: Monitor Evaluate and Adjust (Leadership Dashboard) DF

Questions? Mike Graf michael.graf@fhwa.dot.gov 404-562-3578 Daniel Fodera daniel.fodera@fhwa.dot.gov 404-562-3672