FHWA RISK MANAGEMENT FRAMEWORK UPDATE 2012 AASHTO Internal

  • Slides: 25

FHWA RISK MANAGEMENT FRAMEWORK – UPDATE 2012
AASHTO Internal Audit Conference 2012 – Phoenix
Daniel Fodera, CMQ/OE
Program Management Improvement Team
Federal Highway Administration

Learning Objectives
  • Identify the components of the ISO risk management structure
  • Describe the risk management framework used by the Federal Highway Administration
  • Recognize the steps in the risk management process
  • Discuss how FHWA uses risk management in program oversight

New Risk Management Framework
Risk Initiatives Affecting FHWA
  • International Risk Scan
  • ISO 31000
  • OST/FMFIA Risk Tools

Risk Management - How Did We Get Here?
  • 2001: Policy Memo Released
  • 2004: Risk Best Practices Review
  • 2006: 1st Agencywide Corporate Risk Management Initiative
  • 2007: Corporate Risk Team formed & a corporate risk approach was developed
  • 2007: Risk Mgmt Planning User Manual Released
  • 2009/2010: FHWA HQ's Offices conducted risk assessment for the 1st time
  • 2011: Int’l Risk Scan. ISO 31000. FMFIA Risk Tools.

International Risk Scan
Summary of Findings
  1. RM supports strategic organizational alignment
  2. Mature organizations have an explicit RM structure
  3. Successful organizations have a culture of RM
  4. A wide range of RM tools are in use
  5. Use of RM tools for programmatic investment decisions
  6. A variety of risk allocation methods are available
  7. Active risk communication strategies improve decision making
  8. RM enhances knowledge management and workforce development

ISO 31000

ISO Risk Management Structure
  • Principles
  • Framework: Mandate and Commitment; Design and Framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework
  • Process: Communication and Consultation; Establishing the context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Monitoring and Review

FHWA Risk Management Framework
  1 - FHWA Risk Directive
  2 - Risk Management Timeline
  3 - Risk Management Process User Manual
  4 - Risk Management Q&A
  5 - “Risk Tracker”
  6 - Leadership Dashboard Measure
Framework diagram labels: Mandate and Commitment; Design and Framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework

FHWA Risk Management Directive
  • Provides the foundation for Risk Management at FHWA
  • Defines what “risk” means to FHWA
  • Outlines FHWA’s Risk Management Process
  • Applies to all organizational units of FHWA

Risk Management Timeline
  • Annual Risk Call aligned with release of Final SIP (3/15)
  • Risk Due Date aligned with Unit Plan Due Date (5/31)
  • Quarterly Updates of Status in Risk Tracker
  • OST/FMFIA Unit Risk Profile annual update to be aligned with Risk/Unit Plan (hopefully)
  • OST FMFIA Inherent Risk Assessment annual update to be done at Component Level and aligned with Risk/Unit Plan (hopefully)

FHWA Risk Management Process

Step 1: What is the Context?
  • Internal – anything within the organization that can influence the way in which FHWA will manage risk – mission, objectives, controls, resources, etc.
  • External – key drivers & trends having impact on objectives of the organization, relationships with, perceptions & values of external stakeholders.
  • Risk Management - Are you reassessing previously identified risks or identifying emergent risks? Who will assess what Program Areas? Will it be done individually, in teams or as an office? With input from your partners?
Process diagram: Identify the Context; Identify Risks; Analyze the Risks (Assess Impact, Assess Likelihood); Prioritize Risks; Plan and Execute Response Strategies; Monitor, Evaluate, and Adjust. Diagram labels: Risk Assessment; Communication and Consultation occur at each step.

OST/FMFIA Risk Profile (Part of Your “Context”)
  • Required by and Reported to OST as part of the FMFIA Assurance. Document the Unit’s Internal Controls
  • Completed by all “Assessable Units”, including the Division Offices
  • Integrated into our annual Risk Management Cycle
  • A Key Part of Step 1: Setting the Context
  • Now Managed by the OCFO in Coordination with the PMI Team

OST/FMFIA Inherent Risk Assessment (Part of Your “Context”)
  • Required by and Reported to OST as part of the FMFIA Assurance. Assess the high-level “inherent” risk of the Component or Unit
  • Completed at the “Component” level for FHWA. DA Council to Complete One on Behalf of the Division Offices
  • Integrated into our annual Risk Management Cycle
  • A Key Part of Step 1: Setting the Context
  • Managed by the OCFO in Coordination with the PMI Team

Step 2: Identify the Risks
  • When identifying risks consider your key objectives:
      • Organizational Objectives in the SIP that affect your Unit
      • Local Unit Objectives
      • Program Objectives (Planning, Environment, ROW etc.)
      • Project Objectives
  • Ask – What Are the Risks to Meeting My Objectives?
  • Brainstorm with the “Right” Folks

Step 3: Analyze the Risks (Impact)
Scale
  • 4 - Catastrophic
  • 3 - Major
  • 2 - Moderate
  • 1 - Minor
  • 0 - Insignificant
Criteria
  • Financial
  • Reputation
  • Business Operations
  • Legal & Compliance
  • Infrastructure Assets
  • Resources & Efforts Req.
  • Environment & Culture
  • Safety

Step 3: Analyze the Risks (Likelihood)
Scale
  • 4 - Almost Certain
  • 3 - Likely
  • 2 - Possible
  • 1 - Unlikely
Criteria
  • Staffing
  • Procedures
  • Guidance
  • Problem History
  • New Program
  • Complexity
  • Outside Operational Control/Influence
  • Fraud, Waste, Abuse
  • Workforce Development/Training
  • FHWA Involvement
  • Consultant Use

Step 4: Prioritize the Risks
  • Start with an “Expected Value” calculation (Impact Rating X Likelihood Rating)
  • Locate the Risks on the Heat Map - a graphical plot to represent the relative placement of risks
  • Adjust Risk Ratings (Top, High, Medium, Low) based on LEADERSHIP VALIDATION

Step 5: Execute Response Strategies
Your Approach to Treating the Risks
Response Strategy Type:
  • Avoid
  • Enhance
  • Mitigate
  • Transfer
  • Accept

Step 6: Monitor, Evaluate and Adjust (Risk Tracker)

Step 6: Monitor, Evaluate and Adjust (Leadership Dashboard)

Questions?
Mike Graf, michael.graf@fhwa.dot.gov, 404-562-3578
Daniel Fodera, daniel.fodera@fhwa.dot.gov, 404-562-3672