AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE

AASHTO Internal Audit
Conference 2012 – Phoenix
Daniel Fodera, CMQ/OE
Program Management Improvement Team
Federal Highway Administration




Identify the components of the ISO risk
management structure.
Describe the risk management framework used
by the Federal Highway Administration
Recognize the steps in the risk management
process
Discuss how FHWA uses risk management in
program oversight

Risk Initiatives Affecting FHWA
 International Risk Scan
 ISO 31000
 OST/FMFIA Risk Tools
2006
2001
2004
Policy Memo
Risk Best
Practices
Review
Released
1st Agencywide
Corporate
Risk
Managemen
t Initiative
2007
Risk Mgmt
Planning
2007 User
Manual
Released
2009
Corporate
Risk Team
formed & a
corporate
risk
approach
was
developed
2009/2010
2011
FHWA HQ's
Offices
conducted risk
assessment for
the 1st time
Int’l Risk Scan.
ISO 31000.
FMFIA Risk
Tools.
1.
RM supports strategic organizational alignment
2.
Mature organizations have an explicit RM structure
3.
Successful organizations have a culture of RM
4.
A wide range of RM tools are in use
5.
Use of RM tools for programmatic investment decisions
6.
A variety of risk allocation methods are available
7.
Active risk communication strategies improve decision making
8.
RM enhances knowledge management and workforce development
ISO 31000
ISO Risk Management Structure
Principles
Continual
improvement
of the
framework
Implementing
risk
management
Monitoring
and review of
the
framework
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Monitoring and Review
Design and
Framework
for managing
risk
Risk Assessment
Mandate
and
Commitment
Communication and Consultation
Establishing the
context
1 - FHWA Risk Directive
Mandate
and
Commitment
Design and
Framework
for managing
risk
Continual
improvement
of the
framework
2 - Risk Management Timeline
Implementing
risk
management
Monitoring
and review of
the
framework
3 - Risk Management Process
User Manual
4 - Risk Management Q &A
5 – “Risk Tracker”
6 - Leadership Dashboard Measure

Provides the foundation for Risk
Management at FHWA

Defines what “risk” means to FHWA

Outlines FHWA’s Risk Management
Process

Applies to all organizational units of FHWA.

Annual Risk Call aligned with release of Final SIP (3/15)

Risk Due Date aligned with Unit Plan Due Date (5/31)

Quarterly Updates of Status in Risk Tracker

OST/FMFIA Unit Risk Profile annual update to be
aligned with Risk/Unit Plan (hopefully)

OST FMFIA Inherent Risk Assessment annual update to
be done at Component Level and aligned with Risk/Unit
Plan (hopefully)

Internal – anything within the organization that can influence
the way in which FHWA will manage risk – mission, objectives,
controls, resources, etc.

External – key drivers & trends having impact on objectives of
the organization, relationships with, perceptions & values of
external stakeholders.

Risk Management - Are you reassessing previously identified
risks or identifying emergent risks? Who will assess what
Program Areas? Will it be done individually, in teams or as an
office? With input from your partners?
Identify
the
Context
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust

Required by and Reported to OST as part of the
FMFIA Assurance. Document the Unit’s Internal
Controls

Completed by all “Assessable Units”, including the
Division Offices

Integrated into our annual Risk Management Cycle

A Key Part of Step 1: Setting the Context

Now Managed by the OCFO in Coordination with
the PMI Team

Required by and Reported to OST as part of the FMFIA
Assurance. Assess the high-level “inherent” risk of the
Component or Unit

Completed at the “Component” level for FHWA. DA
Council to Complete One on Behalf of the Division
Offices

Integrated into our annual Risk Management Cycle

A Key Part of Step 1: Setting the Context

Managed by the OCFO in Coordination with the PMI
Team

When identifying risks consider your key objectives:






Organizational Objectives in the SIP that affect your Unit
Local Unit Objectives
Program Objectives (Planning, Environment , ROW etc.)
Project Objectives
Ask – What Are the Risks to Meeting My Objectives?
Brainstorm with the “Right” Folks
Identify
the
Context
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust

Scale














4 - Catastrophic
3 - Major
2 - Moderate
1 - Minor
0 - Insignificant
Identify
the
Context
Criteria
Financial
Reputation
Business Operations
Legal & Compliance
Infrastructure Assets
Resources & Efforts Req.
Environment & Culture
Safety
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust

 Criteria
 Criteria
4 - Almost Certain Staffing
 Outside
 Operational
Control/Influence
3 - Likely
Procedures
 Fraud, Waste, Abuse
2 - Possible
 Guidance
 Workforce
1 - Unlikely
 Problem History
Development/Training
 New Program
 FHWA Involvement
 Complexity
Scale




 Consultant Use
Identify
the
Context
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust

Start with an “Expected Value” calculation
(Impact Rating X Likelihood Rating)

Locate the Risks on the Heat Map - a graphical
plot to represent the relative placement of risks

Adjust Risk Ratings (Top, High, Medium, Low)
based on LEADERSHIP VALIDATION
Identify
the
Context
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust


Your Approach to Treating
the Risks
Response Strategy Type:





Identify
the
Context
Avoid
Enhance
Mitigate
Transfer
Accept
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust
Identify
the
Context
Analyze the Risks
Identify
Risks
Assess
Impact
Assess
Likelihood
Prioritize
Risks
Plan and
Execute
Response
Strategies
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust
Dashboard Measures Worksheet
Dashboard Measure:
Percent of Key Risk Response Strategies Completed
Strategic Goal:
Program Delivery
Description:
Percent of Key Risk Response Strategies Completed.
The FY2012 target is 70% complete.
Unit of Measure (e.g., Percent):
Percent
Additional Information (Including Methodology):
Each unit is required to submit its top risks and
corresponding response strategies for the Performance
Year into the risk tracker. Each response strategy has a
target completion date and a status. The measure is
calculated as a percentage, using the total count of
response strategies as the denominator and the total
count of completed strategies as the numerator.
Data Source:
Assessable Units submit status
reports via the FHWA Risk Tracker
at the end of each Performance Year
quarter. The PMI Team consolidates
the reporting.
Identify
Data Owner Contact:Identify
the
Michael Graf
Risks
Context
Dashboard Coordinator:
Analyze the Risks
Data Owner Telephone Number:
404-562-3578
Assess
Assess
Dashboard
Coordinator
Telephone Number:
Impact
Likelihood
Plan and
Office Code (e.g. HOP):
Prioritize
Execute
DFS-PMIT
Risks
Response
Strategies
Website (For Additional
Information):
Risk Assessment
Communication and Consultation occur at each step
Monitor,
Evaluate,
and
Adjust
Questions?
Mike Graf
[email protected]
404-562-3578
Daniel Fodera
[email protected]
404-562-3672