Managing Risk Across the Enterprise: FINAL a Guide for State
Project No. 08-93

Managing Risk across the Enterprise:
A Guide for State Departments of Transportation

FINAL

Prepared for
The National Cooperative Highway Research Program
of The National Academies

Gordon Proctor
Gordon Proctor & Associates
Dublin, Ohio

Shobna Varma
The StarIsis Corporation
Lewis Center, Ohio

Jeff Roorda
Jeff Roorda and Associates, Inc.
Springwood, Australia

June, 2016

TRANSPORTATION RESEARCH BOARD OF THE NATIONAL ACADEMIES

PRIVILEGED DOCUMENT

This document, not released for publication, is furnished only for review to members of or participants in the work of the CRP. This document is to be regarded as fully privileged, and dissemination of the information herein must be approved by the CRP.

ACKNOWLEDGEMENT OF AUTHORSHIP

This work was sponsored by the American Association of State Highway and Transportation Officials in cooperation with the Federal Highway Administration, and was conducted by the National Cooperative Highway Research Program.

DISCLAIMER

This is an uncorrected draft as submitted by the Contractor. The opinions and conclusions expressed or implied herein are those of the Contractor. They are not necessarily those of the Transportation Research Board, the National Academies, or program sponsors.

NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM
NCHRP REPORT 08-93

Table of Contents

Introduction—About this Guide
  How to Use this Guide

Chapter 1: Defining Risk Management
  Summary
  Clarifying Risk and Risk Management
  Managing Risks Complements Performance
  Enhancing Decision Making by Evaluating Risks
  Allocating Scarce Resources
  Identifying and Mitigating Threats
  The Levels of Risk Management
  The Risk Management Process
  The ISO Concepts
  Establishing the Context
  Risk Identification
  Risk Analysis
  Risk Evaluation
  Risk Management
  Communication and Monitoring
  Level of Effort for Enterprise Risk Management
  Relying on Risk Management to Improve Performance

Chapter 2: Establishing the Risk Process
  Summary
  Essentials for ERM: Policies, Tools, and Processes
  Step 1: Adopt a Risk Management Policy
  A Sample Risk Management Policy
  Step 2: Provide the Tools for Managing Risks
  Step 3: Integrate Risks into Key Agency Processes
  Summarizing the Tasks and Responsibilities

Chapter 3: Establishing the Risk Context
  Summary
  Identifying Risk Focus Areas and Risk Owners
  Assigning Risks and Forming Teams to Assess Them
  Clarifying the Objectives and Their Environment
  Setting the Context around the Objective
  Examples of Applying the Risk Management Process
  Tools for the Context-Setting Exercise
  Basis for Further Decision Making

Chapter 4: Identifying Risks
  Summary
  Risk Identification: First Step of Risk Assessment
  Beginning the Risk Identification Process
  Techniques for the Risk Identification Workshop

Chapter 5: Analyzing Risks
  Summary
  Understanding the Causes and Effects of Risks
  Cause-and-Effect Analysis
  Risk Analysis Tools
  Strengths, Weaknesses of Qualitative and Quantitative Scales
  Consequence Categories
  Likelihood Table or Scale
  Rating Opportunities

Chapter 6: Evaluating Risks
  Summary
  The Risk Appetite
  Dynamic and Continuous Evaluation of the Risk Appetite
  Risk Prioritization

Chapter 7: Managing Risks
  Summary
  The Five Ts

Chapter 8: Communicate, Consult, Monitor
  Summary
  Using the Agency’s Risk Process
  Populating the Risk Register
  The Risk Map