U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590
Full Report (.pdf, 1.60 kb)
U.S. Department of Transportation
Federal Highway Administration
In cooperation with
American Association of State Highway and Transportation
National Cooperative Highway Research Board
The Federal Highway Administration provides highquality information to serve Government, industry, and the public in a manner that promotes public understanding. Standards and policies are used to ensure and maximize the quality, objectivity, utility, and integrity of its information. FHWA periodically reviews quality issues and adjusts its programs and processes to ensure continuous quality improvement.
Managing transportation networks, including agency management, program development, and project delivery, is extremely complex and fraught with uncertainty. Administrators, planners, and engineers coordinate a multitude of organizational and technical resources to manage transportation network performance. While most transportation agency personnel would say that they inherently identify and manage risk in their day-to-day activities, a recent study found that only 13 departments of transportation (DOT) have formal enterprise risk management programs and even fewer have a comprehensive approach to risk management at the corporate, program, and project levels.
Figure 1. Relationship of risk management to transportation business objectives.
Risk management is implicit in transportation business practices (see figure 1). Transportation agencies set strategic goals and objectives (e.g., the reliable and efficient movement of people and goods), but success is uncertain. Internal and external risk events can impact the achievement of these objectives. Likewise, agencies set performance measures and develop asset management systems to optimize investment decisions. Again, risks can impact the achievement of performance and assets. Risk is pervasive in transportation. It is incumbent on transportation agencies to develop explicit enterprise risk management strategies, methods, and tools.
The leading international transportation agencies have mature risk management practices and have developed policies and procedures to identify, assess, manage, and monitor risks. From May 29 to June 11, 2011, a team of Federal, State, and public sector professionals visited Australia, England, Germany, the Netherlands, and Scotland to explore risk management practices. A brief summary of the team's observations include the following:
Figure 2. Aligned risk management approach (Transport Main Roads, Australia).
The international standard ISO 31000 defines risk as "the effects of uncertainty on objectives." In its broadest terms, risk is anything that could be an obstacle to achieving goals and objectives. Risk management is a process of analytical and management activities that focus on identifying and responding to the inherent uncertainties of managing a complex organization and its assets.
Risk can be managed at multiple levels (see figure 2). Enterprise risk management is a term often used when discussing risk. For this purpose, enterprise risk involves three levels—agency, program, and project risk management. Agency risks are the uncertainties that can affect the achievement of the DOT's strategic objectives (e.g., agency reputation, data integrity, funding, safety, leadership). Agency risk management is the consistent application of techniques to manage the uncertainties in achieving DOT strategic objectives. Therefore, agency risk management is not a task to complete or a box to check, but a process to consistently apply and improve. As we move down a layer, risk management at the program level involves managing risk across a network or multiple projects (e.g., risk of material price escalation, design standard changes, environment, structures, etc.). Finally, risks may be unique to a specific project. Project risk management occurs with staff familiar with the specifics of that project and other technical experts (e.g., utility relocation coordination, right-of-way purchase delays, geotechnical issues, etc.). Figure 3 summarizes the responsibility, type of risk, and risk management strategies at these three levels.
Figure 3. Levels of enterprise risk management (agency, program, and project).
Transportation agencies manage some of the largest and highest valued public assets and budgets in Federal, State, and local governments. These agencies are spending the public's money. It is their corporate responsibility to set clear strategic goals and objectives to manage these assets in a manner that improves the economic growth and livability of their regions and gives the public the best value for its dollar. Risks can affect an agency's ability to meet its goals and objectives. It is incumbent on these agencies, as network and delivery managers, to identify risks, assess the possible impacts, develop plans to manage the risks, and monitor the effectiveness of their actions. The following is a synthesis of common strategic objectives and related risks found on the scan:
Common Agency Strategic Objectives
Common Agency Risks
These objectives and risks provide agency-level examples. Similar objectives and risks were found at the program and project levels. Mature agencies align their objectives and risks at all three levels and maintain a culture of risk management in their decisionmaking.
The scan team found a variety of strategies, methods, and tools transportation agencies around the world use to manage risks. Many of these findings are directly applicable to agencies in the United States.
International organizations use risk management to align the strategic objectives within their organizations. The scan team found that organizations use consistent risk assessment rating scales at the agency, program, and project levels. They also align their risk registers to include the agency business objectives at the program and project levels. While program and project managers can assess risks against their own program or project objectives, they must also include an assessment against the corporate risks.
Figure 4. M80 risk management approach (VicRoads, Melbourne, Australia).
Figure 4 depicts the risk management approach for the M80 expansion in Melbourne, Australia. The project delivery team organized its project-specific risks in categories that aligned with the agency risks (financial, health and safety, environment, security of assets, management effort, reputation, and legal and compliance) and then added project-specific risk categories (traffic management, stakeholder management, and quality) to complete the risk register. The team developed risk management actions and tracked these with the risk register. The result was a project risk management plan that aligned with the corporate risk management plan.
Similar examples were found throughout Australia and in the United Kingdom. All of these agencies have specific risk management policies. These policies are formed at the agency level. Many of the policies are in direct alignment with the ISO risk management standard.
Figure 5. Risk management framework (Transport Main Roads, Queensland, Australia).
While agencies were found to have different risk management organizational structures, mature risk management organizations define their structures explicitly. In Melbourne, Australia; London, England; and Glasgow, Scotland, risk management organizational structures were tied to corporate audit functions. In Brisbane and Sydney, Australia, there was an explicit risk manager position (director, risk management) that was tied to the highest levels of corporate governance. Transport Main Roads in Queensland, Australia, provided the structure depicted in figure 5. The agency clearly defined a corporate risk management organizational policy and the role of a corporate risk manager who reports directly to the board. The agency's risk management guidelines include some of the following key contents:
Australian agencies actively participated in the development of the ISO 31000 risk management standard and apply it to their agency, program, and project risk structures. England applied the ISO process to the major programs. These agencies were also found to follow the processes defined by their government audit functions where applicable.
Mature organizations were found to have achieved a clear culture of risk management. A risk management culture is defined by shared norms, values, and actions relating to risk management from the leadership throughout all levels of staff in the agency. Staff members talk about risk with a common vocabulary and understanding. When a culture of risk management has been achieved, risk is considered throughout decisionmaking and asset management activities as just part of the process, not an additional level of management.
Figure 6. Risk management maturity model (VicRoads, Melbourne, Australia).
Figure 7. Program risk analysis for Dutch waterways (Rijkswaterstaat, Netherlands).
Both VicRoads in Melbourne, Australia, and Transport Main Roads in Queensland, Australia, use a risk management maturity model. The maturity model for VicRoads is shown in figure 6. The agency uses this tool to identify places where it needs to invest in and improve its risk management processes. It uses it for internal benchmarking, not for audit purposes. In addition, the agency audits its risk management functions when it audits other business processes.
The international scan found a wide range of tools to identify, assess, manage, and monitor risks. There was no one-size-fits-all tool. Tools were selected based on the objectives of the decisions and management actions being taken. There was commonly an effort to keep the tools as simple as possible for the decisions being made.
Figure 8. Asset management guidance standard (Highways Agency, England).
Risk registers were common in all agencies and heat maps were used to communicate frequency and severity of risks. All agencies used spreadsheets for risk registers. Some used online proprietary systems, but for the most part spreadsheets were the norm. Risk managers frequently stated that the tools should be simple. A few commented that they made a conscious decision to use only spreadsheets rather than invest in a database system that could distract them from managing the risks simply. Figure 7 shows a heat map for a risk-based waterway network management tool in the Netherlands. It communicates the potential for the waterways to be out of service.
The standard risk management process of risk identification, assessment, management, and monitoring is being used for making many risk-based decisions. Some of these decisions include the following:
International transportation agencies use risk analyses to make programmatic investment decisions. Risk analysts communicate the results of analyses to decisionmakers. They often communicate results visually. Their analyses can take the form of complex Monte Carlo simulations to calculate the expected value of life-cycle cost; failure mode, effects, and criticality analyses to identify failure mechanisms for networks; or maintenance of historic risks lists for application of risk-based bridge inspections and investment decisions.
Figure 9. Geotechnical asset risk profile. (Highways Agency, England)
The risk-based analyses can show decisionmakers how the agency risk profiles will change based on different programmatic investment packages. The Highways Agency in England has a programmatic approach to asset management defined in its asset management guidelines (see figure 8). The Highways Agency specifies risk levels and tolerances in its standards. The Highways Agency provided examples of how it makes risk-based investment decisions for structural and geotechnical assets. Figure 9 shows a geotechnical risk profile of a roadway. The profile can be changed to show decisionmakers how different investment decisions can help mitigate risks.
The identification and assessment of risks provide transparency in risk allocation. When risks are managed within the agency, allocation can be made to an individual risk owner (i.e., a top-level agency executive, program manager, or project manager). The risk can also be assigned to a risk manager who acts on behalf of the risk owner to manage the risk at a level in accordance with the agency's risk tolerance.
Figure 10. Risk allocation and project delivery selection (Transport Main Roads, Queensland, Australia).
Project delivery methods and contracts are the vehicles used to transfer risks from an agency to its industry partners. Figure 10 shows how Transport Main Roads in Queensland, Australia, applies risk assessment in the selection of project delivery methods. It has a variety of project delivery methods, as shown in figure 10. These delivery methods include traditional (design-bid-build), design-construct (D&C, equivalent to U.S. design-build), design-construct-maintain (DCM), early contractor involvement (ECI, a form of design-build with a target price as opposed to a lump sum price in U.S. design-build), and two forms of alliancing (a relational contracting method not yet used in U.S. transportation construction).
Figure 10 shows traditional project delivery on the left side of the horizontal axis and relational contracting on the right. Traditional delivery transfers the majority of risk to the general contractor after the agency completes an independent design. Traditional delivery is used on routine projects where multiple lump-sum offers can be tendered on a fixed scope. Relational delivery methods establish a cooperative strategy for both design and construction in which the contractor is involved very early in delivery. As described in figure 10, relational delivery embraces this cooperative strategy to manage risk. It involves open-book contracting with pain-share and gain-share clauses around a target price. It helps deal with complex projects that have fast-track design and construction, many unknowns, and complex approval processes.
Figure 11. Risk management output(Performance Audit Group, Transport, Scotland).
One of the greatest benefits of the risk management process is the ability to communicate information simply to decisionmakers throughout the organization and externally to stakeholders. While the analysis may be supported by a complex, rigorous, and probabilistically sophisticated model, it is of little value if its outputs are obscured in jargon or overly complicated in their representation. A theme at the agencies was to keep it simple. Enterprise risk matrices are discussed at executive or board meetings as a standard agenda item. Risk communication improves alignment within the organization to achieve its strategic goals and objectives.
Figure 11 shows an output of the Performance Audit Group at Transport Scotland. The Performance Audit Group uses a rigorous risk-based analysis for its performance reviews. However, its output uses a simple color-coding scheme. The use of red, amber, and green to show the status of risks was common throughout the agencies visited.
For agencies that do not conduct enterprise risk management, there is an investment to begin. Developing an organizational structure and investing in the development of methods and tools are not trivial tasks. An understanding of the benefits and challenges is helpful in developing an enterprise risk management program.
The risk management scan team included Federal, State, and private sector members with well over 100 years of combined experience in the operation, design, and construction of U.S. transportation systems. Through this focused research study, the team gained a fresh perspective on how the U.S. transportation industry can use risk management practices to better meet its strategic objectives, improve performance, and manage its assets. The following scan team recommendations offer a path forward for the transportation community and will help develop a culture of risk awareness and management in the United States.
The risk management scan findings confirm that an efficient and effective enterprise risk management program is a powerful tool for the international transportation agencies visited. The demonstrated benefits of the programs scanned are both quantitative, such as better controls over costs and delivery schedules, and qualitative, such as less likelihood of negative public relations issues. Risk management provides information that allows agencies to improve decisionmaking and efficiency on their programs and projects. While today each U.S. State DOT differs in its level of risk management maturity, it seems reasonable that the implementation activities associated with this scan be those that evolve and advance enterprise risk management in State agencies throughout the country. That is, agencies need to do risk management at the agency, program, and project levels to be fully successful.
The scan findings confirm the need for additional implementation activities to develop a culture of risk management in the U.S. transportation sector. The implementation activities fall into the categories of communications and outreach, research, training, and governance. The following are some preliminary short- and long-term activities the scan team will pursue to evolve and advance agency risk management in the U.S. highway agencies:
 National Cooperative Highway Research Program (2011). Executive Strategies for Risk Management by State Departments of Transportation, NCHRP Project 20‐24(74), National Cooperative Research Program, Transportation Research Board of the National Academies, Washington, DC, May 2011.
 International Organization for Standardization (ISO) (2009). ISO 31000 Risk Management—Principles and Guidelines, Geneva, Switzerland.