U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590

Skip to content
Facebook iconYouTube iconTwitter iconFlickr iconLinkedInInstagram

Office of International Programs

FHWA Home / Office of International Programs

Transportation Risk Management: International Practices for Program Development and Project Delivery - Executive Summary

Full Report (.pdf, 1.60 kb)

July 2012

Sponsored by

U.S. Department of Transportation

Federal Highway Administration

In cooperation with

American Association of State Highway and Transportation Officials
National Cooperative Highway Research Board



The Federal Highway Administration provides highquality information to serve Government, industry, and the public in a manner that promotes public understanding. Standards and policies are used to ensure and maximize the quality, objectivity, utility, and integrity of its information. FHWA periodically reviews quality issues and adjusts its programs and processes to ensure continuous quality improvement.


Managing transportation networks, including agency management, program development, and project delivery, is extremely complex and fraught with uncertainty. Administrators, planners, and engineers coordinate a multitude of organizational and technical resources to manage transportation network performance. While most transportation agency personnel would say that they inherently identify and manage risk in their day-to-day activities, a recent study found that only 13 departments of transportation (DOT) have formal enterprise risk management programs and even fewer have a comprehensive approach to risk management at the corporate, program, and project levels.[1]

Figure 1. This pyramid-shaped diagram shows the relationship of risk management to transportation business objectives. At the top of the pyramid are strategic goals and objectives. In the middle is risk management. At the base are asset management and performance management.

Figure 1. Relationship of risk management to transportation business objectives.

Risk management is implicit in transportation business practices (see figure 1). Transportation agencies set strategic goals and objectives (e.g., the reliable and efficient movement of people and goods), but success is uncertain. Internal and external risk events can impact the achievement of these objectives. Likewise, agencies set performance measures and develop asset management systems to optimize investment decisions. Again, risks can impact the achievement of performance and assets. Risk is pervasive in transportation. It is incumbent on transportation agencies to develop explicit enterprise risk management strategies, methods, and tools.

The leading international transportation agencies have mature risk management practices and have developed policies and procedures to identify, assess, manage, and monitor risks. From May 29 to June 11, 2011, a team of Federal, State, and public sector professionals visited Australia, England, Germany, the Netherlands, and Scotland to explore risk management practices. A brief summary of the team's observations include the following:

Figure 2. This graphic illustrates the aligned risk management approach used by Transport Main Roads in Australia. At the top is the agency, or strategic, level. In the middle is the program level, including portfolio and major programs and divisional programs. At the bottom is the project level, including projects and operational products and specialists.

Figure 2. Aligned risk management approach (Transport Main Roads, Australia).

What Is Risk Management?

The international standard ISO 31000 defines risk as "the effects of uncertainty on objectives."[2] In its broadest terms, risk is anything that could be an obstacle to achieving goals and objectives. Risk management is a process of analytical and management activities that focus on identifying and responding to the inherent uncertainties of managing a complex organization and its assets.

Risk can be managed at multiple levels (see figure 2). Enterprise risk management is a term often used when discussing risk. For this purpose, enterprise risk involves three levels—agency, program, and project risk management. Agency risks are the uncertainties that can affect the achievement of the DOT's strategic objectives (e.g., agency reputation, data integrity, funding, safety, leadership). Agency risk management is the consistent application of techniques to manage the uncertainties in achieving DOT strategic objectives. Therefore, agency risk management is not a task to complete or a box to check, but a process to consistently apply and improve. As we move down a layer, risk management at the program level involves managing risk across a network or multiple projects (e.g., risk of material price escalation, design standard changes, environment, structures, etc.). Finally, risks may be unique to a specific project. Project risk management occurs with staff familiar with the specifics of that project and other technical experts (e.g., utility relocation coordination, right-of-way purchase delays, geotechnical issues, etc.). Figure 3 summarizes the responsibility, type of risk, and risk management strategies at these three levels.

Click for description

Figure 3. Levels of enterprise risk management (agency, program, and project).

Why Should Agencies Explicitly Manage Risks?

Transportation agencies manage some of the largest and highest valued public assets and budgets in Federal, State, and local governments. These agencies are spending the public's money. It is their corporate responsibility to set clear strategic goals and objectives to manage these assets in a manner that improves the economic growth and livability of their regions and gives the public the best value for its dollar. Risks can affect an agency's ability to meet its goals and objectives. It is incumbent on these agencies, as network and delivery managers, to identify risks, assess the possible impacts, develop plans to manage the risks, and monitor the effectiveness of their actions. The following is a synthesis of common strategic objectives and related risks found on the scan:

Common Agency Strategic Objectives

Common Agency Risks

These objectives and risks provide agency-level examples. Similar objectives and risks were found at the program and project levels. Mature agencies align their objectives and risks at all three levels and maintain a culture of risk management in their decisionmaking.

What Strategies, Methods, and Tools Are Available to Manage Risk?

The scan team found a variety of strategies, methods, and tools transportation agencies around the world use to manage risks. Many of these findings are directly applicable to agencies in the United States.

Use of Risk Management to Align Strategic Objectives

International organizations use risk management to align the strategic objectives within their organizations. The scan team found that organizations use consistent risk assessment rating scales at the agency, program, and project levels. They also align their risk registers to include the agency business objectives at the program and project levels. While program and project managers can assess risks against their own program or project objectives, they must also include an assessment against the corporate risks.

Click for description.

Figure 4. M80 risk management approach (VicRoads, Melbourne, Australia).

Figure 4 depicts the risk management approach for the M80 expansion in Melbourne, Australia. The project delivery team organized its project-specific risks in categories that aligned with the agency risks (financial, health and safety, environment, security of assets, management effort, reputation, and legal and compliance) and then added project-specific risk categories (traffic management, stakeholder management, and quality) to complete the risk register. The team developed risk management actions and tracked these with the risk register. The result was a project risk management plan that aligned with the corporate risk management plan.

Similar examples were found throughout Australia and in the United Kingdom. All of these agencies have specific risk management policies. These policies are formed at the agency level. Many of the policies are in direct alignment with the ISO risk management standard.

Figure 5. This circular illustration shows the risk management framework used by Transport Main Roads in Queensland, Australia. In the center of the circle are strategic risks and portfolio and divisional risks at the top, program risks and operational risks including product risk and specialist areas in the middle, and project risks at the bottom. In the first ring around the circle are future disasters and failures, global forces of change, funding pressures, regulatory risk, workforce challenges, strategic positioning, adaptive capability, whole-of-government systems and decisionmaking, and application of information and communications technology. In the second, outer ring are government objectives, corporate objectives, corporate strategies, vision, purpose, values, strategic challenges, strategic opportunities, and priorities.

Figure 5. Risk management framework (Transport Main Roads, Queensland, Australia).

Development of an Explicit Risk Management Structure

While agencies were found to have different risk management organizational structures, mature risk management organizations define their structures explicitly. In Melbourne, Australia; London, England; and Glasgow, Scotland, risk management organizational structures were tied to corporate audit functions. In Brisbane and Sydney, Australia, there was an explicit risk manager position (director, risk management) that was tied to the highest levels of corporate governance. Transport Main Roads in Queensland, Australia, provided the structure depicted in figure 5. The agency clearly defined a corporate risk management organizational policy and the role of a corporate risk manager who reports directly to the board. The agency's risk management guidelines include some of the following key contents:

Australian agencies actively participated in the development of the ISO 31000 risk management standard and apply it to their agency, program, and project risk structures. England applied the ISO process to the major programs. These agencies were also found to follow the processes defined by their government audit functions where applicable.

Achievement of a Risk Management Culture

Mature organizations were found to have achieved a clear culture of risk management. A risk management culture is defined by shared norms, values, and actions relating to risk management from the leadership throughout all levels of staff in the agency. Staff members talk about risk with a common vocabulary and understanding. When a culture of risk management has been achieved, risk is considered throughout decisionmaking and asset management activities as just part of the process, not an additional level of management.

Figure 6. This illustration shows two screenshots of the risk management maturity model used by VicRoads in Melbourne, Australia.

Figure 6. Risk management maturity model (VicRoads, Melbourne, Australia).

Figure 7. This heat map used by Rijkswaterstaat in the Netherlands shows the potential for waterways to be out of service. Frequency is on the x-axis and effect is on the y-axis. The colors red, amber, and green indicate the status of risks.

Figure 7. Program risk analysis for Dutch waterways (Rijkswaterstaat, Netherlands).


Both VicRoads in Melbourne, Australia, and Transport Main Roads in Queensland, Australia, use a risk management maturity model. The maturity model for VicRoads is shown in figure 6. The agency uses this tool to identify places where it needs to invest in and improve its risk management processes. It uses it for internal benchmarking, not for audit purposes. In addition, the agency audits its risk management functions when it audits other business processes.

Application of a Wide Range of Risk Management Tools

The international scan found a wide range of tools to identify, assess, manage, and monitor risks. There was no one-size-fits-all tool. Tools were selected based on the objectives of the decisions and management actions being taken. There was commonly an effort to keep the tools as simple as possible for the decisions being made.

Figure 8. This illustration shows the cover of the asset management guidance standard used by the Highways Agency in England.

Figure 8. Asset management guidance standard (Highways Agency, England).

Risk registers were common in all agencies and heat maps were used to communicate frequency and severity of risks. All agencies used spreadsheets for risk registers. Some used online proprietary systems, but for the most part spreadsheets were the norm. Risk managers frequently stated that the tools should be simple. A few commented that they made a conscious decision to use only spreadsheets rather than invest in a database system that could distract them from managing the risks simply. Figure 7 shows a heat map for a risk-based waterway network management tool in the Netherlands. It communicates the potential for the waterways to be out of service.

The standard risk management process of risk identification, assessment, management, and monitoring is being used for making many risk-based decisions. Some of these decisions include the following:

Risk-Based Asset Management Improves Investment Decisions

International transportation agencies use risk analyses to make programmatic investment decisions. Risk analysts communicate the results of analyses to decisionmakers. They often communicate results visually. Their analyses can take the form of complex Monte Carlo simulations to calculate the expected value of life-cycle cost; failure mode, effects, and criticality analyses to identify failure mechanisms for networks; or maintenance of historic risks lists for application of risk-based bridge inspections and investment decisions.

Figure 9. This illustration shows a geotechnical risk profile of a roadway used by the Highways Agency in England. The profile matrix indicates risk level for observations of class and location index. Levels are negligible, low, medium, high, and severe.

Figure 9. Geotechnical asset risk profile. (Highways Agency, England)

The risk-based analyses can show decisionmakers how the agency risk profiles will change based on different programmatic investment packages. The Highways Agency in England has a programmatic approach to asset management defined in its asset management guidelines (see figure 8). The Highways Agency specifies risk levels and tolerances in its standards. The Highways Agency provided examples of how it makes risk-based investment decisions for structural and geotechnical assets. Figure 9 shows a geotechnical risk profile of a roadway. The profile can be changed to show decisionmakers how different investment decisions can help mitigate risks.

Selection of Appropriate Risk Allocation Methods

The identification and assessment of risks provide transparency in risk allocation. When risks are managed within the agency, allocation can be made to an individual risk owner (i.e., a top-level agency executive, program manager, or project manager). The risk can also be assigned to a risk manager who acts on behalf of the risk owner to manage the risk at a level in accordance with the agency's risk tolerance.

Figure 10. This graph shows risk allocation and project delivery selection at Transport Main Roads in Queensland, Australia. Circumstances are on the x-axis, with a line showing risk transfer, hard dollars, and traditional strategy ranging from high on the left side to low on the right side and a line showing risk embrace and cooperative strategy ranging from low on the left to high on the right. Suitability, from not suitable to very suitable, is on the y-axis. On the left side of the y-axis are traditional project delivery, including fixed scope, fully documented, routine, few stakeholders, multiple offerors, politically routine, and straightforward project approvals. On the right side are relational contracting, including fast track, many unknowns, complex, multiple stakeholders, few offerors, politically very sensitive, and complex and interdependent project approval. From left to right on the graph are traditional, D-and-C, D-C-and-M, competitive alliance, E-C-I, and pure alliance.

Figure 10. Risk allocation and project delivery selection (Transport Main Roads, Queensland, Australia).

Project delivery methods and contracts are the vehicles used to transfer risks from an agency to its industry partners. Figure 10 shows how Transport Main Roads in Queensland, Australia, applies risk assessment in the selection of project delivery methods. It has a variety of project delivery methods, as shown in figure 10. These delivery methods include traditional (design-bid-build), design-construct (D&C, equivalent to U.S. design-build), design-construct-maintain (DCM), early contractor involvement (ECI, a form of design-build with a target price as opposed to a lump sum price in U.S. design-build), and two forms of alliancing (a relational contracting method not yet used in U.S. transportation construction).

Figure 10 shows traditional project delivery on the left side of the horizontal axis and relational contracting on the right. Traditional delivery transfers the majority of risk to the general contractor after the agency completes an independent design. Traditional delivery is used on routine projects where multiple lump-sum offers can be tendered on a fixed scope. Relational delivery methods establish a cooperative strategy for both design and construction in which the contractor is involved very early in delivery. As described in figure 10, relational delivery embraces this cooperative strategy to manage risk. It involves open-book contracting with pain-share and gain-share clauses around a target price. It helps deal with complex projects that have fast-track design and construction, many unknowns, and complex approval processes.

Use of Risk Communication Strategies Improves Decisionmaking

Figure 11. This illustration shows a performance summary page from the quarterly performance review of the Performance Audit Group at Transport Scotland.

Figure 11. Risk management output(Performance Audit Group, Transport, Scotland).

One of the greatest benefits of the risk management process is the ability to communicate information simply to decisionmakers throughout the organization and externally to stakeholders. While the analysis may be supported by a complex, rigorous, and probabilistically sophisticated model, it is of little value if its outputs are obscured in jargon or overly complicated in their representation. A theme at the agencies was to keep it simple. Enterprise risk matrices are discussed at executive or board meetings as a standard agenda item. Risk communication improves alignment within the organization to achieve its strategic goals and objectives.

Figure 11 shows an output of the Performance Audit Group at Transport Scotland. The Performance Audit Group uses a rigorous risk-based analysis for its performance reviews. However, its output uses a simple color-coding scheme. The use of red, amber, and green to show the status of risks was common throughout the agencies visited.

What Are the Benefits and Challenges of Formal Risk Management?

For agencies that do not conduct enterprise risk management, there is an investment to begin. Developing an organizational structure and investing in the development of methods and tools are not trivial tasks. An understanding of the benefits and challenges is helpful in developing an enterprise risk management program.




The risk management scan team included Federal, State, and private sector members with well over 100 years of combined experience in the operation, design, and construction of U.S. transportation systems. Through this focused research study, the team gained a fresh perspective on how the U.S. transportation industry can use risk management practices to better meet its strategic objectives, improve performance, and manage its assets. The following scan team recommendations offer a path forward for the transportation community and will help develop a culture of risk awareness and management in the United States.

  1. Formalize enterprise risk management approaches using a holistic approach to support decisionmaking and improve successful achievement of strategic goals and objectives.
  2. Embed risk management in existing business processes so that when asset, performance, and risk management are combined, successful decisionmaking ensues.
  3. Use risk management to make the business case for transportation and build trust with transportation stakeholders.
  4. Define leadership and organizational responsibilities for risk management.
  5. Develop executive support for risk management.
  6. Identify risk owners and manage risks at the appropriate level.
  7. Use the risk management process to support risk allocation in agency, program, and project delivery decisions.
  8. Use risk management to reexamine existing policies, processes, and standards.
  9. Employ sophisticated risk analysis tools, but communicate results in a simple fashion.

Implementation and Future Research

The risk management scan findings confirm that an efficient and effective enterprise risk management program is a powerful tool for the international transportation agencies visited. The demonstrated benefits of the programs scanned are both quantitative, such as better controls over costs and delivery schedules, and qualitative, such as less likelihood of negative public relations issues. Risk management provides information that allows agencies to improve decisionmaking and efficiency on their programs and projects. While today each U.S. State DOT differs in its level of risk management maturity, it seems reasonable that the implementation activities associated with this scan be those that evolve and advance enterprise risk management in State agencies throughout the country. That is, agencies need to do risk management at the agency, program, and project levels to be fully successful.

The scan findings confirm the need for additional implementation activities to develop a culture of risk management in the U.S. transportation sector. The implementation activities fall into the categories of communications and outreach, research, training, and governance. The following are some preliminary short- and long-term activities the scan team will pursue to evolve and advance agency risk management in the U.S. highway agencies:

[1] National Cooperative Highway Research Program (2011). Executive Strategies for Risk Management by State Departments of Transportation, NCHRP Project 20‐24(74), National Cooperative Research Program, Transportation Research Board of the National Academies, Washington, DC, May 2011.

[2] International Organization for Standardization (ISO) (2009). ISO 31000 Risk Management—Principles and Guidelines, Geneva, Switzerland.

Page last modified on November 7, 2014
Federal Highway Administration | 1200 New Jersey Avenue, SE | Washington, DC 20590 | 202-366-4000