Enterprise Risk Management in Infrastructure – Part 2

    Figure 3: Hypothetical Risk Matrix with Different Risk Treatment Options
    By John Brown Miller, Ph.D.

    This is Part 2 in a three-part series on the emergence of Enterprise Risk Management (ERM) in Infrastructure. To quickly recap Part 1 (http://tinyurl.com/erm-oct17), ERM has emerged as a $22 billion market segment, with a more descriptive name — “the eGRC Market.” The Enterprise Governance Risk Compliance market (ERM for simplicity) is expected to grow to $44 billion by 2022 (at a compound annual growth rate of nearly 15 percent). Eighty percent of global Fortune 1000 companies use ERM logic, software, and services to analyze the effect of uncertainty on objectives — i.e., risk.

    Expert services and software have closely followed the adoption and use of ISO Standard 31000:2009(En) in 2009. Software developers in the ERM space include Microsoft, BWise, SAS, IBM, FIS, Thomson Reuters, Wolters Kluwer, MetricStream, EMC, Oracle, and SAP. Infrastructure owners and operators have the same or similar risk management interests across the world: ensure safety, meet level of service commitments, comply with laws and regulations, avoid disruption, earn public trust, protect financial health, and improve system performance.

    ERM has also been adopted and deployed as an organizational principle for public infrastructure networks in Australia, Canada, England, Scotland, and Holland. ERM systems generate important opportunities to sustain infrastructure through substantial savings in Avoidable Costs over the life cycle of core infrastructure assets. These savings are immediately available to preserve (or upgrade) levels of service. Capturing Avoidable Costs of 30 to 40 percent over the life cycle of core infrastructure assets offers real value for money.

    Part 1 introduced International Standard 31000:2009(En), used across the world for ERM. Transport & Main Roads, Queensland, Australia created the Risk Assessment and Ratings Matrix in Figure 1 using ISO 31000. The right side of Figure 1 — called a “heat map” — was the focus of Part 1. This is the place in the Matrix where Risk assessment (§5.4) and Risk treatment (§5.5) are managed.

    Figure 1: Queensland (Australia) Transport and Main Roads Risk Assessment and Ratings Matrix

    The focus of Part 2 is the left side of Figure 1. This is the place in the Risk Assessment and Ratings Matrix where the context for using the Heat Map is represented. Two other ISO 31000 sections — Communication and consultation (§5.2) and Establishing the context (§5.3) — provide guidance. The first of these, Communication and consultation (§5.2) with external and internal stakeholders, is a prerequisite of the entire ERM process. Open, truthful, relevant, and accurate communications and consultation are needed to clearly identify and manage risks, their causes, their consequences, and their treatment.

    External stakeholders — the public, taxpayers, users — are anxious to see objective fairness in how public infrastructure is operated and maintained. They want to understand the basis for decisions and for actions taken. Effective communications and consultation are more important than space allows here, but all ERM systems rely on timely, open, and trustworthy communication of information.

    The left side of Figure 1 is a context-specific summary of an organization’s risk-management “mission,” framed to be used with the heat map to analyze each risk against mission and consequence. ISO 31000 describes this exercise as “Establishing the context (§5.3).” We are going to build the left side of Figure 1 in a few paragraphs for the Highway Department of the hypothetical State of Madison. In the real world, the left side of Figure 1 would take much more time, and much more consultation and communication among stakeholders, both internal and external to the State of Madison Highway Department.

    Figure 2 is a hypothetical first pass at six Mission Targets for the state highway network in the State of Madison. These missions will be the subject headings across the top left side of Figure 1.

    • A – Meet Level of Service Commitments
    • B – Comply with Laws and Regulations
    • C – (Avoid) Disruption in the Availability of Assets
    • D – Earn and Maintain Public Trust (Reputation)
    • E – Attain and Maintain Financial Health
    • F – System Performance and Capability
    Figure 2 – Draft “Mission Target” headings for left side of Risk Assessment and Ratings Matrix

    Consolidating the interests of the Madison Highway Department into five or six core objectives (Mission Targets) is context specific. The objectives must be broad enough to cover the entire organization, yet specific enough to fit specific internal and external obligations within them. The six objectives shown in Figure 2 are a solid first cut at such objectives.

    In actual practice, most organizations will have several practice rounds before settling on core objectives that work well for them. Regular, full, and accurate information exchanges among employees, managers, and stakeholders speed this process along.

    The benefits from identifying a handful of core Mission Targets come from clear articulation of what’s important to the Madison Highway Department — for universal use both inside and outside the organization. The core objectives provide a headline summary of Madison’s Mission — understood inside and outside the organization.

    With core objectives identified, the context for conducting risk management is established by filling in the rest of the grid on the left side of the matrix with objective descriptions of factual circumstances in which the risk of not meeting those objectives is assigned to consequence levels. Figures 3 and 4 illustrate how the Madison Highway Department might choose to define its context for Risk Management.

    Figure 3 shows the most significant consequence row — “Very Big” — across each of the six Mission Targets. Input from across the Highway Department’s employees, managers, and external stakeholders is necessary to identify what makes practical sense to include in the matrix to measure the risk of not meeting objectives against consequences.

    Figure 3: Draft Risk Assessment and Ratings Matrix — “Very Big” Consequences

    Figure 4 shows the full range of consequences under one of the Mission Targets: A – Meet Level of Service Commitments. Figure 4 shows that the Highway Department has chosen to focus on three level of service commitments: one around pavement condition, a second around bridge condition, and the third around protection structures (barriers, guard rails, and crash cushions). (To keep things simple, items like signage, signals, marking, drainage, slope stability, and snow clearance are omitted.)

    Figure 4 – Draft Mission Target A Consequence Levels


    The level of service standards that distinguish “Very Big” from “Very Low” are hypothetical, for illustration only. Before adopting any level of service commitments, careful internal and external analysis must confirm that these commitments are not only reasonable, but can be met. More than technical issues are involved, requiring administrative, legislative, and constituent analysis as well. Other factors, like resource limitations, procurement laws and regulations, project delivery models, and long-term commitments, all play a role in finalizing the context side of the Risk Matrix. The result must be workable for the Madison Highway Department. In practice, several rounds are necessary to properly assemble the context side of the Risk Matrix.

    Assume for now that our Risk Assessment and Ratings Matrix is complete. We’ve filled in the context side of the matrix after extensive discussions among employees, managers, legislators, administrative officials, and external stakeholders. The Highway Department knows that the commitments it has made in the matrix are workable and fairly represent Madison’s core objectives.

    How might it be used by the Madison Highway Department? Typically, responsibility for identifying risks under specific portions of the matrix is allocated to specific people at the home office or district level, as appropriate. Each district might be assigned to keep an updated version of the matrix for items in Mission A – Pavement, Bridges, and Protection. The Risk Matrix also allows every employee, as well as police and emergency personnel, to keep data related to protection structures up to date. District reports are simply aggregated into a system-wide assessment of Mission A.

    Figure 5 is a draft of the entire left side of the Risk Assessment and Ratings Matrix for the hypothetical State of Madison’s Highway Department.

    Figure 5 – Context For Conducting Risk Management – State of Madison Highway Department

    Figure 6 shows the full, hypothetical Madison Risk Management and Rating Matrix.

    Figure 6 – Risk Management and Rating Matrix for State of Madison Highway Department

    Part 1 of this series (http://tinyurl.com/erm-oct17) focused on the right side of the Risk Management and Ratings Matrix — the Heat Map portion of the matrix that is used to provide a practical visual representation of enterprise-wide risks across an infrastructure network.

    In this Part 2, the focus was on the left side of the Risk Management and Ratings Matrix — the context-specific portion of the matrix that identifies the enterprise’s core objectives and maps the risk of not meeting these objectives to specific consequence levels — the same consequence levels used throughout the matrix.

    Part 3 will explore using the full matrix, with scenario analysis, to attack Avoidable Costs. Achieving a substantial (30 to 40 percent) reduction in life cycle cost while meeting enterprise objectives is the purpose of Enterprise Risk Management.

    John B. Miller, Ph.D., is a global expert on infrastructure with an eye on efficiency and value. He has a 35-year focus on bringing practical business, legislative, and contractual solutions to the world’s burgeoning public infrastructure needs. He was a reporter on the American Bar Association’s 2007 Model Code for Public Infrastructure Procurement project (MCPIP), which provides “best practices” in procurement to America’s 90,000 state and local governments. He was professor of construction management and civil and environmental engineering at MIT, writing two textbooks in the field of infrastructure delivery and finance.  He and his clients have been involved in some of the largest public infrastructure projects/networks in the world.  He is an elected fellow of the American Bar Association, its Section of Public Contract Law, and the American College of Construction Lawyers, in which he has served in leadership positions.