AASHTO Internal Audit Conference 2012 – Phoenix
Daniel Fodera, CMQ/OE
Program Management Improvement Team
Federal Highway Administration

Identify the components of the ISO risk management structure.
Describe the risk management framework used by the Federal Highway Administration.
Recognize the steps in the risk management process.
Discuss how FHWA uses risk management in program oversight.

Risk Initiatives Affecting FHWA
  International Risk Scan
  ISO 31000
  OST/FMFIA Risk Tools

[Timeline figure; labels in source order]
  2006, 2001, 2004
  Policy Memo
  Risk Best Practices Review Released
  1st Agencywide Corporate Risk Management Initiative
  2007 Risk Mgmt Planning
  2007 User Manual Released
  2009 Corporate Risk Team formed & a corporate risk approach was developed
  2009/2010, 2011
  FHWA HQ's Offices conducted risk assessment for the 1st time

Int’l Risk Scan. ISO 31000. FMFIA Risk Tools.
  1. RM supports strategic organizational alignment
  2. Mature organizations have an explicit RM structure
  3. Successful organizations have a culture of RM
  4. A wide range of RM tools are in use
  5. Use of RM tools for programmatic investment decisions
  6. A variety of risk allocation methods are available
  7. Active risk communication strategies improve decision making
  8. RM enhances knowledge management and workforce development

ISO 31000

ISO Risk Management Structure
  Principles
  Framework:
    Mandate and Commitment
    Design and Framework for managing risk
    Implementing risk management
    Monitoring and review of the framework
    Continual improvement of the framework
  Process:
    Communication and Consultation
    Establishing the context
    Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation)
    Risk Treatment
    Monitoring and Review

  1 - FHWA Risk Directive
  2 - Risk Management Timeline
  3 - Risk Management Process User Manual
  4 - Risk Management Q&A
  5 - “Risk Tracker”
  6 - Leadership Dashboard Measure
  [Framework diagram labels: Mandate and Commitment; Design and Framework for managing risk; Continual improvement of the framework; Implementing risk management; Monitoring and review of the framework]

Provides the foundation for Risk Management at FHWA
Defines what “risk” means to FHWA
Outlines FHWA’s Risk Management Process
Applies to all organizational units of FHWA

Annual Risk Call aligned with release of Final SIP (3/15)
Risk Due Date aligned with Unit Plan Due Date (5/31)
Quarterly Updates of Status in Risk Tracker
OST/FMFIA Unit Risk Profile annual update to be aligned with Risk/Unit Plan (hopefully)
OST FMFIA Inherent Risk Assessment annual update to be done at Component Level and aligned with Risk/Unit Plan (hopefully)

Internal – anything within the organization that can influence the way in which FHWA will manage risk – mission, objectives, controls, resources, etc.
External – key drivers & trends having impact on objectives of the organization, relationships with, perceptions & values of external stakeholders.
Risk Management - Are you reassessing previously identified risks or identifying emergent risks? Who will assess what Program Areas? Will it be done individually, in teams or as an office? With input from your partners?

[Risk management process diagram]
  Identify the Context
  Risk Assessment:
    Identify Risks
    Analyze the Risks (Assess Impact, Assess Likelihood)
    Prioritize Risks
  Plan and Execute Response Strategies
  Monitor, Evaluate, and Adjust
  Communication and Consultation occur at each step

Required by and Reported to OST as part of the FMFIA Assurance
Document the Unit’s Internal Controls
Completed by all “Assessable Units”, including the Division Offices
Integrated into our annual Risk Management Cycle
A Key Part of Step 1: Setting the Context
Now Managed by the OCFO in Coordination with the PMI Team

Required by and Reported to OST as part of the FMFIA Assurance
Assess the high-level “inherent” risk of the Component or Unit
Completed at the “Component” level for FHWA
DA Council to Complete One on Behalf of the Division Offices
Integrated into our annual Risk Management Cycle
A Key Part of Step 1: Setting the Context
Managed by the OCFO in Coordination with the PMI Team

When identifying risks consider your key objectives:
  Organizational Objectives in the SIP that affect your Unit
  Local Unit Objectives
  Program Objectives (Planning, Environment, ROW, etc.)
  Project Objectives
Ask – What Are the Risks to Meeting My Objectives?
Brainstorm with the “Right” Folks

Scale
  4 - Catastrophic
  3 - Major
  2 - Moderate
  1 - Minor
  0 - Insignificant
Criteria
  Financial
  Reputation
  Business Operations
  Legal & Compliance
  Infrastructure Assets
  Resources & Efforts Req.
  Environment & Culture
  Safety

Scale
  4 - Almost Certain
  3 - Likely
  2 - Possible
  1 - Unlikely
Criteria
  Staffing
  Procedures
  Guidance
  Problem History
  New Program
  Complexity
  Consultant Use
  Outside Operational Control/Influence
  Fraud, Waste, Abuse
  Workforce Development/Training
  FHWA Involvement

Start with an “Expected Value” calculation (Impact Rating X Likelihood Rating)
Locate the Risks on the Heat Map - a graphical plot to represent the relative placement of risks
Adjust Risk Ratings (Top, High, Medium, Low) based on LEADERSHIP VALIDATION

Your Approach to Treating the Risks
Response Strategy Type:
  Avoid
  Enhance
  Mitigate
  Transfer
  Accept

Dashboard Measures Worksheet
  Dashboard Measure: Percent of Key Risk Response Strategies Completed
  Strategic Goal: Program Delivery
  Description: Percent of Key Risk Response Strategies Completed. The FY2012 target is 70% complete.
  Unit of Measure (e.g., Percent): Percent
  Additional Information (Including Methodology): Each unit is required to submit its top risks and corresponding response strategies for the Performance Year into the risk tracker. Each response strategy has a target completion date and a status. The measure is calculated as a percentage, using the total count of response strategies as the denominator and the total count of completed strategies as the numerator.
  Data Source: Assessable Units submit status reports via the FHWA Risk Tracker at the end of each Performance Year quarter. The PMI Team consolidates the reporting.
  Data Owner Contact: Michael Graf
  Dashboard Coordinator:
  Data Owner Telephone Number: 404-562-3578
  Dashboard Coordinator Telephone Number:
  Office Code (e.g. HOP): DFS-PMIT
  Website (For Additional Information):

Questions?
  Mike Graf, michael.graf@fhwa.dot.gov, 404-562-3578
  Daniel Fodera, daniel.fodera@fhwa.dot.gov, 404-562-3672