Implementation of the AASHTO Guide for Enterprise Risk Management (2022)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

13   The Pilot Risk Implementation Process The project team provided technical support to the three pilot agencies based on the AASHTO Guide for Enterprise Risk Management, a product of NCHRP Project 08-93. The risk manage- ment process discussed in the Guide (shown in Figure 3.1) is a refinement of one developed by the International Organization of Standardization (ISO). ISO is a Switzerland-based federation of agencies that establish international standards. The risk management process includes five steps and two ongoing processes to identify and manage risks to objectives. The steps are to establish the context surrounding the risks to the objectives, identify risks, analyze the risks, evaluate and prioritize risks, and if the risks can be managed, identify steps to manage the risks. The two ongoing processes are continuous communication and consultation with internal and external stake- holders, and monitoring and review of the risks. The risk process is intended to be ongoing and continuous to support agency performance efforts. The two ongoing processes help identify new risks, changes in risk levels, and priorities. In addition, monitoring ensures that the success of risk mitigation efforts is assessed and that efforts are updated if they are not adequately mitigat- ing the risks. The process is aligned with the agency’s objectives and risk environment and is repeated when either changes. 3.1 Risk Management Supports Performance A key premise of the AASHTO guide that was emphasized in the pilot support was that risk management should complement performance and not replace it. Figure 3.2 shows this relationship between performance and risk management. If performance management drives strategic objectives, then risk management is like a navigation system. It helps leaders at all levels scan the horizon and identify risks that could impede their objectives. Without controlling risks, performance is difficult to guarantee. The two disciplines are highly effective when operated in parallel, with performance management setting objectives and risk management identifying potential obstacles to achieving them. At its most basic, ERM requires agencies to ask themselves these questions: • What objectives really matter? • What uncertainties and variability surround those objectives? • Which uncertainties and variabilities have an impact on achieving those objectives? • What can we do about those uncertainties and variabilities? • Are we managing them effectively? • Are we communicating them to decision makers and stakeholders? • Do any of these uncertainties create an opportunity? These questions were emphasized throughout this pilot implementation project. C H A P T E R 3

14 Implementation of the AASHTO Guide for Enterprise Risk Management Source: Proctor et al. 2016. Figure 3.1. The risk management process. Source: AASHTO and FHWA 2016. Figure 3.2. The relationship of risk management and performance. 3.2 Project Kickoff Workshop The implementation efforts for all three pilot agencies began with interviews of agency subject-matter experts. These interviews provided an opportunity for the project team to have closer discussions with each DOT’s subject-matter experts and have a better understanding of the challenges they faced that led them to apply for pilot implementation. The meetings were followed by a day-long kickoff workshop where the agency leadership provided opening com- ments and communicated expectations. The workshop was facilitated by the project team. At the workshop, the project team provided an overview of how to implement risk management based on the framework detailed in the Guide. The workshop provided the opportunity to help each

The Pilot Risk Implementation Process 15   pilot agency to formalize its risk management effort if it had not already done so. The workshop included elements such as: • The definition of risk and risk management, which emphasizes the managing of uncertainty, variability, opportunities, and threats. The workshop emphasized that managing risk is more than managing threats. Risk management is about reducing variability and uncertainty that can impede achievement of objectives. • The important connection between managing risk and managing performance was empha- sized. Risk management was explained as a complementary process that supports other efforts, such as performance management or asset management. • The workshop emphasized the need to base risk management in policy, to provide staff tools to practice risk management, and incorporate risk management into core business processes. • When risks and mitigation strategies are reviewed at each performance update, the assess- ment of risk mitigation strategies becomes a continuous and iterative effort. • Incorporating risk updates with performance updates provides leaders with feedback loops about changes in the risk profiles and about the success of mitigation strategies. If the risk priorities change or mitigation strategies are not successful, they can be revised. • It was emphasized that managing risks reduces crisis management. Risk management recog- nizes the prevalence of uncertainty and the need to plan for it and respond to it. • Although agency staff almost universally said they manage risks, it was emphasized that, in most cases, management is not formal, documented, or repeatable. It is often ad hoc and performed without documentation of how it could be repeated or standardized. • Key elements of the Guide were explained, such as: – The ability to manage risks at the enterprise, program, project, and activity levels. – The steps and processes in the ISO/AASHTO ERM framework. – Tips for brainstorming and identifying risks. – How to analyze risk and use a risk matrix. – How to prioritize risks. – How to identify the key stakeholders who can help manage risks. – The importance of engaging influencers from the early stages of the risk management process. – Whether to tolerate, treat, terminate, transfer, or take advantage of the risk. • Participants engaged in breakout groups by topics and followed the five steps of the risk man- agement process to identify objectives and establish context, identify risks to the objectives, analyze the risks, evaluate and prioritize the risks, and then identify strategies to manage the risk. • In worksheets that were provided for each exercise, participants documented the objectives, their risks, and the likelihood, impact, and consequence of each risk. The worksheets became the basis for efforts that began at the initial workshop to prioritize the risks and identify miti- gation strategies for high-priority risks. It was recognized early on that, for the pilot effort to succeed, there needed to be high-level support from agency leadership. At the same time, it was essential for DOTs to identify person- nel who would take ownership for the overall effort as well as for each initiative pursued. It was important in the pilot implementation of ERM to have staff fully committed to the successes of the pilot activities assigned to these roles. Thus, each state DOT assigned an “overall pilot lead” to champion the agency’s pilot imple- mentation. These overall pilot leads helped coordinate with the project team. They often made presentations at the COP meetings about the DOT’s pilot initiatives and served as spokespersons for the DOT’s pilot activities. They also coordinated with the pilot DOT’s leadership as needed. In addition, each pilot initiative had an “initiative lead” who coordinated internally within the agency. They were the lead subject-matter experts on the specific pilot initiative and played a critical role in advancing the implementation of the pilot’s activities in the agency.

16 Implementation of the AASHTO Guide for Enterprise Risk Management 3.3 Key Pilot Implementation Objectives Risk management can be applied at the enterprise, program, project, and activity levels. How- ever, the pilot implementations were focused on enterprise risks. The project team emphasized to the pilot agencies that to be meaningful, ERM should address strategic agency objectives. The pilot agencies embraced the integration of risk management with agency performance. At the opening workshop, participants brainstormed in breakout groups and identified stra- tegic agency objectives for consideration in the pilot implementation. These were then priori- tized and narrowed for pilot implementation. The embrace of managing performance risks to strategic objectives was evident in the mission-critical risks pilot participants chose to mitigate. The objectives selected for risk management were: • Recruiting, orientating, and training employees, • Managing agency knowledge, • Managing risks to corridors, • Managing risks to bid letting, • Promoting workplace equity, and • Reducing risks to workers and public when clearing crashes and other highway incidents. The project team emphasized that for successful adoption of ERM, it should be integrated into agency activities and not treated as a stand-alone activity. 3.4 Setting the Context The project team emphasized that it is critical to keep the risk effort focused on achieving the performance of the selected objective. The workshop participants examined the identified stra- tegic objectives and deliberated about internal organizational issues and external environmen- tal factors that could create risks or opportunities affecting the objectives. These deliberations allowed participants to view the various risks in the appropriate context. 3.5 Identifying Risks – Casting a Wide Net After documenting the objectives and their context, the workshop participants identified the threats, opportunities, and uncertainties that surrounded the agency’s objectives. Risks that are not identified cannot be managed. The importance of casting a wide net at this stage of the risk management process was emphasized so that no risks would be missed. This step in the risk workshop was facilitated with exercises such as brainstorming, review of scenarios, and devel- oping checklists to prompt the identification of risk. Initially, some of the pilots identified many more risks than they could manage in the pilot project. Also, as is common, it became apparent that some risks could be combined when they were driven by the same underlying causes. The process of identifying risks extended beyond the initial workshop. After the initial workshop, numerous virtual meetings were held with the project team to refine and consolidate the risks. 3.6 Risk Analysis In the risk analysis phase, workshop participants refined the organization’s understanding of the risks. They used the following four steps: 1. Identify the causes and effects of risks, usually based on their expert judgment. 2. Estimate the likelihood of the risk occurring. Likelihood can range from very high (certain to occur every year), to very low (uncertain and may occur once in a century). 3. Estimate the consequences. This can range from very low (negligible) to very high (catastrophic). 4. Compute the risk rating. The risk rating (R) was computed by multiplying the likelihood (L) and the consequence (C): R = L × C.

The Pilot Risk Implementation Process 17   After the causes and effects of risk were documented, the workshop participants brainstormed and estimated the consequence and likelihood of each risk. A risk matrix such as the one in Figure 3.3 was provided for rating and prioritizing the risks. Consistent with the “keep it simple” advice, this stage relied on the expert opinion of participants as opposed to a complex quantitative analysis. The workshop participants used scales provided by the project team to ensure consistency in what was meant by terms such as “medium low,” “medium,” “high,” “extreme,” and “catastrophic.” 3.7 Risk Evaluation and Prioritization In this step, the teams compared the threats, opportunities, variability, and uncertainties with the agency’s level of risk tolerance and the agency’s ability to manage the risk. The risk matrix was also used to prioritize the risks. Some risks were not selected because they were beyond the agency’s ability to influence. The risks that were within the agency’s control and were rated cata- strophic, extreme, and high were selected for consideration. These risks were prioritized based on criticality and the agency’s ability to mitigate the risks through its own efforts. Several risks from this prioritized list were selected by the workshop participants for pilot implementation. 3.8 Risk Response Five common options to mitigate risks are to tolerate, treat, transfer, terminate, or take advantage of the risk. Because this project addressed implementation, the “treat” option was selected as the risk response to be implemented. Teams then populated a risk register to allow them to sum- marize the risks and how they would manage them. Figure 3.4 shows a blank risk register that was used in the workshops. For each risk identified, workshop participants identified multiple risk mitigating strategies. Through facilitated discussions and brainstorming, up to three risk mitigation strategies were identified for consideration for each selected risk. VH Medium Low Medium Medium Low Medium Low Medium Low Medium Medium Medium Medium Medium Extreme Extreme Catastrophic H M L Low Low Low Low Low VL Very Low Risk Matrix Im pa ct Likelihood VL L M H VH High High High Medium High Medium High Medium High Figure 3.3. A risk matrix presented to the pilots. Risk Statement Risk ID Treatment Type Mitigation Responsible Person Risk Response Status Risk Register Objective Figure 3.4. A sample risk register.

18 Implementation of the AASHTO Guide for Enterprise Risk Management 3.9 Mitigation Implementation and Monitoring The teams then brainstormed on these top risk mitigation strategies and selected one or two for pilot implementation. For each selected mitigation, an implementation champion, owners, leads, and team members were identified. During the early stages of the pilot project, mitigation strategies as well as roles and responsibilities were refined, and resource gaps were bridged. For each pilot implementation initiative, teams developed practices, tools, and training. Prog- ress of each pilot implementation was monitored and discussed with the project team in regular update meetings. In some cases, resource changes occurred, and new agency staff were added to support the pilot implementations. As necessary, additional training related to this project, ERM, and the pilot initiative was provided to new team members. The pilot states’ experience illustrated the need for providing training and resources to staff, as well as coordinating across agency divisions to successfully implement mitigation strate- gies. For example, UDOT developed new training for frontline hiring managers so they could understand how to use the recruiting and on-boarding resources developed during the pilot implementation. UDOT also developed an extensive guidebook to inform its regional planners on how to use the agency’s new corridor risk management process. TDOT developed classroom training and hands-on quick-clearance training. It conducted hands-on training on a simulated roadway in which wrecked cars were positioned to simulate a crash scene. TDOT also produced an extensive risk register for each major project, with instructions on how to use it to identify threats to a project’s schedule or budget. The TDOT pilot team coordinated with regional and headquarter directors and staff from project development, design, construction, and environmental and regional operations. At WSDOT, when subject-matter experts who were participating in the pilot retired, the agency added/reassigned staff to support the pilot initiative. The pilot agencies had leadership support. The implementation teams’ experience reflected the importance of policies, tools, and processes supported by agency leadership in the successful implementation of risk management (see Figure 3.5). The pilot state DOTs adopted all three compo- nents for their successful implementation efforts. To be successful, staff need risk management tools to assess and manage risks. For risk management to be most effective, it needs to be integrated into the day-to-day processes that drive an agency’s objectives. Source: AASHTO and FHWA 2016. Figure 3.5. Risk management is most successful when based in policy, supported by tools, and integrated into agency processes.