By John Brown Miller, Ph.D.

Over the last decade, Enterprise Risk Management (ERM) has emerged as an impressive, $22 billion market segment, along with a more descriptive name — “the eGRC Market.” (July 20, 2017 release by TheStreet on PR Newswire) The “Enterprise Governance Risk Compliance” market (ERM for simplicity here) is expected to grow to $44 billion by 2022 (at a compound annual growth rate of nearly 15 percent). Eighty percent of global Fortune 1000 companies use ERM logic, software, and services to analyze the effect of uncertainty on objectives — i.e. “risk.” Expertise services and software have followed closely behind the adoption and use of ISO Standard 31000:2009(En) in 2009. Software developers in the ERM space include Microsoft, BWise, SAS, IBM, FIS, Thomson Reuters, Wolters Kluwer, MetricStream, EMC, Oracle, and SAP.

Not surprisingly, infrastructure owners have the same or similar “risk management” interests as private manufacturers and service providers across the world:

  • to assure safety of personnel and the public;
  • to meet level of service commitments;
  • to comply with laws and regulations;
  • to prevent disruption in the usefulness and availability of assets;
  • to earn and maintain public trust;
  • to protect financial health; and
  • to improve system performance and capability.

ERM systems are in widespread use in manufacturing, medical devices, fleet maintenance, and aviation.  ERM has also been adopted and deployed as an organizational principle for public entities that manage public infrastructure networks.  Much of the experience with ERM in the public infrastructure space is outside the United States — Australia, Canada, England, Scotland, Holland are examples.

As a participant in a 2011 Scanning Tour organized by the FHWA (Report No FHWA-PL-12-029, August 2012, Transportation Risk Management: International Practices for Program Development and Project Delivery (84 pp)), I had the opportunity to see how Enterprise Risk Management was being used in other parts of the world.  This article (Part 1) presents some of the core logic behind ERM systems in public infrastructure.  ERM systems create very substantial opportunities to sustain core infrastructure from savings in Avoidable Costs while preserving, or upgrading, levels of service (LOS).  Avoidable Costs in the range of 30 to 40 percent of life cycle costs to sustain core infrastructure represents real value for money (VforM).

ISO 31000:2009(En) is the English version of the International Standard.  It is an outline standard – containing the broad outlines of what an Enterprise Risk Management system should contain, while leaving the development of the specifics for adaptation to the context in which it is to be used.  ISO 31000 has been applied broadly and effectively by Transport & Main Roads, Queensland, Australia (Brisbane).  Figure 1 shows that TMR adopted the identical Risk Management Process recommended in ISO 31000.  The ISO standard establishes an iterative (never-ending) process for Risk Management, contained in Section 5 of the Standard.

Figure 1: ISO 31000:2009(En) adopted by Queensland (Aus): Transport & Main Roads


Queensland TMR created the Risk Assessment and Ratings Matrix by following the processes in §§ 5.2 and 5.3 of ISO 31000.  These processes will be addressed in Part II, specifically, Communication and consultation (§5.2), Establishing the context (§5.3), and Monitoring and Review (§5.6).

Risk assessment is the process of identifying, analyzing, and evaluating risk.  The word “risk” is used in a different way than in normal English usage.  In this context, risk is related to uncertainty.  All organizations operate in the face of internal and external factors and influences that create uncertainty as to whether the organization will achieve its goals and objectives.  It is in this context that the word “risk” is used.  “Risk” is the effect of uncertainty on objectives.

“Risk assessment” begins with the identification of sources of risk, areas of impact, and events that may create risk, along with their causes and potential consequences.  Sources of risk may be within the control of the organization, but they may also be outside of its control.  “Risk analysis” involves developing sufficient understanding of each identified risk to support downstream decision-making as to risk evaluation, the consequences of the risk, its likelihood, and sufficient information to understand how identified risks might be treated in order to remove, lessen, or manage their effect on organizational objectives.  The purpose of “risk evaluation” is to provide a framework for making decisions, based on the outcomes of risk analysis, as to which risks need treatment, as well as the priority and nature of that treatment.

Figure 2 shows the heat map portions of a hypothetical risk assessment matrix — in two different stages.  Across the top of Figure 3 are six boxes illustrating the “likelihood” that a particular “risk” will occur: from Very Unlikely to Very Frequently, Daily.  From top to bottom along the left of Figure 2 are six boxes illustrating consequence levels for a particular risk: from Very Low to Very Big.  The number in each box is a numerical indication of the relative significance of the risk: 1,000,000 is of catastrophic impact, while 0.0001 is of no impact to the objectives of the organization.  The headings, and the numerical entries, are examples for illustration only, and differ for every organization that uses them, because they depend on the objectives of each organization and the context used.

On the left side of Figure 2, just one “risk” has been identified and placed, based on the organization’s core mission criteria (not shown in Figure 3).  TMR’s criteria are shown in Figure 2, as an example.  For now, we are focused on the heat map.  The right side of Figure 2 is later in the risk identification, analysis, and evaluation process.  Seven different specific risks have been identified, and placed on the heat map.  Also shown in Figure 2, as part of the evaluation of each risk shown, is the expected placement of the risk in the succeeding year, if it is not “treated” in some fashion in the current planning year.

Figure 2: Hypothetical Risk Matrices (with one Risk and 7 Risks identified, analyzed, and placed.)


Risk identification, analysis, and evaluation is an on-going process – especially in complex infrastructure networks like a transit system, a highway network, or water and wastewater systems.  In large deployments of ERM systems, risk matrices are usually created locally, at the divisional level, before being aggregated into a network-wide analysis.  Or, alternatively, risk matrices can be created by function within a large network.  For example, a transit system might create separate matrices for rolling stock; rail/track structures; stairs/elevators, escalators; signage; platform structures; and stations.  Risk matrices are constructed to fit well into each organization.

“Risk treatment” is the selection among options for modifying risks, followed by implementation. “Treatment” includes the following options (from ISO 31000):

  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing the risk in order to pursue an opportunity;
  • removing the risk source;
  • changing the likelihood;
  • changing the consequences;
  • sharing the risk with another party or parties (including contracts and risk financing); and
  • retaining the risk by informed decision.

Figure 3 shows some of these options, each of which would be priced as part of the risk evaluation process.  Option 1C would change the likelihood of the risk.  Option 1B would change the consequences of the risk.  Options 1D and 1E would change both the likelihood and the consequences.  Operational changes (not shown) could avoid the risk, take increased risk, remove the risk source, or share the risk with another party (perhaps by contract).  These options might be capital expenses, or a series of interim OM&R actions that manage the likelihood and consequence of identified risks.  Similar options are developed for each risk in the Risk Matrix.

Figure 3: Hypothetical Risk Matrix with Different Risk Treatment Options
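The heat map placement described for Figure 2 and the treatment options of Figure 3 can be put into a small working model. This is an added example, not code from the article or from Queensland TMR; the six-step power-of-ten scales, the intermediate level labels, the one-step-per-year "drift" of an untreated risk, and the treatment names are all constructed assumptions, chosen only so that the cell products span the article's end points of 0.0001 (no impact) to 1,000,000 (catastrophic).

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed scales: only the end-point labels come from the article;
# the four intermediate labels and the power-of-ten weights are assumed.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely",
              "Frequent", "Very Frequently, Daily"]
CONSEQUENCE = ["Very Low", "Low", "Moderate", "High", "Major", "Very Big"]
WEIGHT = [10.0 ** (i - 2) for i in range(6)]   # 0.01, 0.1, 1, 10, 100, 1000


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int      # index into LIKELIHOOD (0..5)
    consequence: int     # index into CONSEQUENCE (0..5)
    drift: int = 0       # consequence steps gained per untreated year (assumed)


def score(r: Risk) -> float:
    """Cell value: likelihood weight x consequence weight (0.0001 .. 1,000,000)."""
    return WEIGHT[r.likelihood] * WEIGHT[r.consequence]


def cell(r: Risk) -> str:
    """Human-readable placement on the heat map."""
    return f"{LIKELIHOOD[r.likelihood]} / {CONSEQUENCE[r.consequence]}"


def untreated_next_year(r: Risk) -> Risk:
    """Expected placement in the succeeding planning year if nothing is done."""
    return replace(r, consequence=min(5, r.consequence + r.drift))


def treat(r: Risk, option: str, steps: int = 1) -> Optional[Risk]:
    """Apply one ISO 31000 treatment option; None means the risk is avoided."""
    lower_l = max(0, r.likelihood - steps)
    lower_c = max(0, r.consequence - steps)
    if option == "avoid":                 # stop the activity: risk leaves the map
        return None
    if option == "change_likelihood":     # e.g. Option 1C in Figure 3
        return replace(r, likelihood=lower_l)
    if option == "change_consequence":    # e.g. Option 1B in Figure 3
        return replace(r, consequence=lower_c)
    if option == "change_both":           # e.g. Options 1D / 1E in Figure 3
        return replace(r, likelihood=lower_l, consequence=lower_c)
    if option in ("retain", "share"):     # placement unchanged; cost is moved or accepted
        return r
    raise ValueError(f"unknown treatment option: {option}")


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Risk evaluation: order by cell value so the hottest cells are treated first."""
    return sorted(risks, key=score, reverse=True)
```

Running `prioritise` over a constructed list of seven risks reproduces the right-hand side of Figure 2, and calling `untreated_next_year` on each shows where they are expected to sit a year later.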


The advantages of ERM systems in capturing Avoidable Costs for immediate re-use within an infrastructure network are apparent.  Long-term budgeting decisions for capital, as well as OM&R, items are greatly enhanced.  Decisions are based on a known combination of specific risk treatments applied to particular risks.  If coupled with an open, competitive procurement system, ERM systems allow public infrastructure owners to identify the actions that management will take to manage identified risks — at the right place, with skilled people, at the right time, and with value for money.

Capturing Avoidable Costs for immediate reapplication within the network is a substantial infrastructure opportunity — to be further explored in Part 2 of this article.


John B. Miller, Ph.D., is a global expert on infrastructure with an eye on efficiency and value. He has a 35-year focus on bringing practical business, legislative, and contractual solutions to the world’s burgeoning public infrastructure needs. He was a reporter on the American Bar Association’s 2007 Model Code for Public Infrastructure Procurement project (MCPIP), which provides “best practices” in procurement to America’s 90,000 state and local governments. He was professor of construction management and civil and environmental engineering at MIT, writing two textbooks in the field of infrastructure delivery and finance. He and his clients have been involved in some of the largest public infrastructure projects/networks in the world. He is an elected fellow of the American Bar Association, its Section of Public Contract Law, and the American College of Construction Lawyers, in which he has served in leadership positions.