U.S. Department of Transportation/Federal Highway Administration

Office of International Programs


Getting Started in Agency Risk Management


Managing transportation networks—including agency management, program development, and project delivery—is complex and fraught with uncertainty. Administrators, planners, and engineers coordinate a multitude of organizational and technical resources to manage transportation network performance. While most transportation agency personnel would say they inherently identify and manage risk in their day-to-day activities, a recent study found that only 13 State transportation agencies have formal enterprise risk management programs and even fewer have a comprehensive approach to risk management at the agency, program, and project levels.

What is Risk Management?

International standard ISO 31000 defines risk as "the effects of uncertainty on objectives." In its broadest terms, risk is anything that could be an obstacle to achieving goals and objectives. Risk management is a process of analytical and management activities that focus on identifying and responding to the inherent uncertainties of managing a complex organization and its assets.

Risk can be managed at multiple levels. Enterprise risk management involves three levels—agency, program, and project. Agency risk management is the responsibility of highway agency executives. Executives benefit from the process, but they are also responsible for defining and championing the process. Agency risks are the uncertainties that can affect the achievement of the agency’s strategic objectives, such as agency reputation, data integrity, funding, safety, and leadership. Program risk management involves managing risk across a network or multiple projects, such as risks inherent in city or regional transport planning, material price escalation, design standard changes, environment, and structures. Finally, risks may be unique to a specific project. Staff familiar with the specifics of a project and other technical experts and stakeholders manage project risks, which can include utility relocation coordination, right-of-way purchase delays, geotechnical issues, and community issues.

[Illustration: a yellow sign reading "Risk Ahead."]

Chart: Levels of enterprise risk management

  • Agency level (top): Executives have responsibility. The risks are those that impact achievement of agency goals and objectives and involve multiple functions. The strategy is to manage risks in a way that optimizes the success of the organization rather than a single business unit or project.
  • Program level (middle): Program managers have responsibility. The risks are those that are common to clusters of projects, programs, or entire business units. Strategies include setting program contingency funds and allocating resources to projects consistently to optimize the outcomes of the program rather than solely projects.
  • Project level (bottom): Project managers have responsibility. The risks are those that are specific to individual projects. Strategies include advanced analysis techniques, contingency planning, and consistent risk mitigation strategies with the perspective that risks are managed in projects.

The Business Case for Risk Management

As the growth in demand for transportation system improvements continues to outpace revenue, the need for agency leaders to identify and manage the resulting risks has become urgent. By 2015, all State transportation agencies must respond to requirements in the Moving Ahead for Progress in the 21st Century Act for risk-based asset management plans. Effective risk management cannot be accomplished with a silo approach. It needs to be applied systematically across the agency.

Getting started in enterprise risk management requires an investment. Developing an organizational structure, methods, and tools is not a trivial task. Understanding the benefits and challenges is helpful in building an enterprise risk management program.

Agency Risk Management Challenges

  • Developing risk management leadership
  • Gaining organizational support for risk management
  • Evolving an organizational culture that may be averse to risk
  • Developing and funding organizational expertise for risk management
  • Implementing and embedding a new process for risk management
  • Difficulty in applying risk allocation alternatives within organizational constraints
  • Lack of willingness to accept and address issues that risk management will identify

Agency Risk Management Benefits

  • Builds public trust
  • Demonstrates the importance of transportation programs
  • Recognizes risks in multiple investment options
  • Provides a broader set of viable solution options
  • Communicates uncertainty on key strategic issues
  • Improves organizational alignment to achieve goals
  • Allocates risks to the party best able to manage them
  • Promotes an understanding of the repercussions of failure
  • Avoids managing-by-crisis
  • Facilitates good decisionmaking and accountability at all levels
  • Improves resource allocation decisions

Risk Management Recommendations

The Federal Highway Administration and the American Association of State Highway and Transportation Officials conducted a scan of international transportation agencies with the greatest maturity in risk management. The study provided a fresh perspective on how the U.S. transportation industry can use risk management practices to better meet its strategic objectives, improve performance, and manage assets. The following research recommendations offer a path forward for the transportation community as it develops a culture of risk awareness and management in the United States.

Develop Executive Support for Risk Management

A mature risk management organization employs risk management at the agency, program, and project levels. A risk management culture must include strong leadership. Lack of management support is perhaps the most frequently cited barrier by transportation agencies embarking on risk management implementation. Efforts of project and program risk managers can be lost without strong executive-level support of and participation in the risk management process.

Define Risk Management Leadership and Organization

Although everyone in a transportation agency should have a role in risk management, agencies should define clear risk management structures and give leadership the authority to make risk management decisions. No two agencies studied on this scan had identical risk management organizational structures, but the mature organizations had clear structures and committed leadership.

Formalize Risk Management Approaches

Transportation agencies should strive to formalize risk management approaches, using a holistic approach to support decisionmaking and improve success in achieving strategic goals and objectives. The most mature international organizations had clear policies that describe their risk management approach and risk tolerance. These agencies also had concise guidance on their risk management process with templates for risk identification, analysis, treatment, monitoring, and updating.

Use Risk Management to Examine Policies, Processes, and Standards

The use of risk analysis techniques can help agencies reexamine policies, processes, and standards. A transparent understanding of risk likelihood and consequence can reveal policies, processes, and standards that have become too conservative or outdated. An examination of risk treatment options can provide for alternative methods to mitigate and manage risks.

Implementing Agency Risk Management

  • Develop executive support for risk management.
  • Define risk management leadership and organization.
  • Formalize risk management approaches.
  • Use risk management to examine policies, processes, and standards.
  • Embed risk management in business practices.
  • Identify risk owners and levels.
  • Allocate risks appropriately.
  • Use risk management to make the business case for transportation.
  • Employ sophisticated risk tools, but communicate results simply.

Embed Risk Management in Business Practices

The risk management process should enhance, not supplant, existing business practices. Combining risk management with asset management and performance management will provide for successful decisionmaking to achieve agency goals and objectives. An awareness of what can go wrong and the likelihood of it happening causes business managers to treat risks rather than ignore them. The scan provided sound examples of how business practices were made more efficient through a lens of risk management.

Identify Risk Owners and Levels

Risk identification and treatment planning will not make a difference if treatment options are not implemented. Agency personnel or agency partners must become owners of risks. Most risk registers viewed on the scan documented risk ownership directly on the register. The owners are responsible for implementing risk treatments and assisting with monitoring and updating. If risk treatment is not achievable with the assigned owner, risks should be escalated to the level in the agency at which they can be managed. As England's Highways Agency states in its risk management policy document, "No one need fear the consequences for failure if the risks that caused the failure were anticipated, appropriately managed and, where required, escalated to senior management."

Allocate Risks Appropriately

The fundamental tenet of risk management is to allocate risks to the party that can best manage them. The international agencies on this scan had a variety of tools to allocate risk, from insurance to concessions, design-build project delivery, and lump-sum contracting. Clarity on who is responsible for managing which risks is essential. Open-book and joint risk register arrangements can also ensure transparency in judging financial risks.

Use Risk Management to Make the Business Case for Transportation

Communication with stakeholders about risks to transportation assets and performance can help make the business case for transportation investment. International transportation organizations have found the public to be good consumers of risk information. Using risk analysis to convey possible disruption to network performance can highlight the need for investments that mitigate risk and improve performance.

Employ Sophisticated Risk Tools but Communicate Results Simply

Quantitative risk management is based on statistical methods, and the models of cost and time impacts can be quite complex. However, these analyses are meaningless if decisionmakers and stakeholders cannot understand the results. Agencies should use sophisticated risk analysis tools to provide the most accurate predictions, but they must communicate results simply to obtain the most value from the process.

Highway Risk Management Resources

Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management—Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org.

Federal Highway Administration (2006). Guide to Risk Assessment for Highway Construction Management. Report FHWA-PL-06-032, U.S. Department of Transportation, Washington, DC.

Federal Highway Administration (2012). Risk-Based Transportation Asset Management: Evaluating Threats, Capitalizing on Opportunities. Report FHWA-HIF-12-035, U.S. Department of Transportation, Washington, DC, www.fhwa.dot.gov/asset/pubs/hif12035.pdf.

Federal Highway Administration (2012). "Risk Management." National Highway Institute Training Course FHWA-NHI-134065, National Highway Institute, Arlington, VA.

Federal Highway Administration (2012). Transportation Risk Management: International Practices for Program Development and Project Delivery. Report FHWA-PL-12-029, U.S. Department of Transportation, Washington, DC, www.international.fhwa.dot.gov.

International Organization for Standardization (2009). ISO 31000 Risk Management—Principles and Guidelines. International Organization for Standardization, Geneva, Switzerland.

National Cooperative Highway Research Program (2010). Guidebook on Risk Analysis Tools and Management Practices to Control Transportation Project Costs. NCHRP Report 658, ISBN 978-0-309-15476-5, National Cooperative Highway Research Program, Transportation Research Board of the National Academies, Washington, DC.

National Cooperative Highway Research Program (2011). Executive Strategies for Risk Management by State Departments of Transportation. NCHRP Project 20-24(74), National Cooperative Highway Research Program, Transportation Research Board of the National Academies, Washington, DC.

National Cooperative Highway Research Program (2011). Guide for Managing NEPA-Related and Other Risks in Project Delivery. NCHRP Web-Only Document 183, National Cooperative Highway Research Program, Transportation Research Board of the National Academies, Washington, DC.

Project Management Institute (2004). A Guide to the Project Management Body of Knowledge (PMBOK Guide). Project Management Institute, Newtown Square, PA.

Project Management Institute (2006). Standard for Program Management. Project Management Institute, Newtown Square, PA.