Enterprise Risk Management in Infrastructure – Part 2

By:  Dr. John Brown Miller

[Originally published by civil + structural Engineer on December 1, 2017.]

This is Part 2 in a three-part series on the emergence of Enterprise Risk Management (ERM) in Infrastructure.  To quickly recap Part 1, ERM has emerged as a $22 Billion market segment, with a more descriptive name – “the eGRC Market.”  The “Enterprise Governance Risk Compliance” market (“ERM” for simplicity) is expected to grow to $44 Billion by 2022 (at a compound annual growth rate of nearly 15%).  Eighty percent (80%) of global Fortune 1000 companies use ERM logic, software, and services to analyze the effect of uncertainty on objectives – i.e. “risk”.  Expert services and software have closely followed the adoption and use of ISO Standard 31000:2009(En) in 2009.  Software developers in the ERM space include Microsoft, BWise, SAS, IBM, FIS, Thomson Reuters, Wolters Kluwer, MetricStream, EMC, Oracle, and SAP.  Infrastructure owners and operators have the same or similar “risk management” interests across the world:  ensure safety, meet level of service commitments, comply with laws and regulation, avoid disruption, earn public trust, protect financial health, and improve system performance.

ERM has also been adopted and deployed as an organizational principle for public infrastructure networks in Australia, Canada, England, Scotland, and Holland.  ERM systems generate important opportunities to sustain infrastructure through substantial savings in Avoidable Costs over the life cycle of core infrastructure assets.  These savings are immediately available to preserve (or upgrade) levels of service (LOS).  Capturing Avoidable Costs of 30-40% over the life cycle of core infrastructure assets offers real value for money (VforM).

Part 1 introduced International Standard 31000:2009(En), used across the world for ERM.  Transport & Main Roads (TMR), Queensland, Australia created the Risk Assessment and Ratings Matrix in Figure 1, using ISO 31000.  The right side of Figure 1 – called a “heat map” – was the focus of Part 1.  This is the place in the Matrix where “Risk assessment” (§5.4) and “Risk treatment” (§5.5) are managed.

Figure 1 – Queensland (Australia) Transport and Main Roads Risk Assessment and Ratings Matrix

The focus of Part 2 is the left side of Figure 1.  This is the place in the Risk Assessment and Ratings Matrix where the context for using the Heat Map is represented.  Two other ISO 31000 sections – “Communication and consultation” (§5.2) and “Establishing the context” (§5.3) – provide guidance.  The first of these, Communication and consultation (§5.2) with external and internal stakeholders, is a prerequisite of the entire ERM process.  Open, truthful, relevant, and accurate communications and consultation are needed to clearly identify and manage risks, their causes, their consequences, and their treatment.  External stakeholders – the public, taxpayers, users – are anxious to see objective fairness in how public infrastructure is operated and maintained.  They want to understand the basis for decisions and for actions taken.  Effective “communications and consultation” are more important than space allows here, but all ERM systems rely on timely, open and trustworthy communication of information.

The left side of Figure 1 is a context-specific summary of an organization’s risk-management “mission,” framed to be used with the heat map to analyze each “risk” against mission and consequence.  ISO 31000 describes this exercise as “Establishing the context” (§5.3).  We are going to build the left side of Figure 1 in a few paragraphs, for the Highway Department of the hypothetical State of Madison.  In the real world, the left side of Figure 1 would take much more time, and much more consultation and communication among stakeholders, both internal and external to the State of Madison Highway Department.

Figure 2 is a hypothetical “first pass” at six (6) Mission Targets for the state highway network in the State of Madison.  These “missions” will be the subject headings across the top left side of Figure 1.

  • A – Meet Level of Service Commitments
  • B – Comply with Laws and Regulations
  • C – (Avoid) Disruption in the Availability of Assets
  • D – Earn and Maintain Public Trust (Reputation)
  • E – Attain and Maintain Financial Health
  • F – System Performance and Capability

Figure 2 – Draft “Mission Target” Headings for Left Side of Risk Assessment and Ratings Matrix

Consolidating the interests of the Madison Highway Department into 5 or 6 core objectives (“Mission Targets”) is context specific.  The objectives must be broad enough to cover the entire organization, yet specific enough to fit specific internal and external obligations within them.  The six objectives shown in Figure 2 are a solid first cut at such objectives.  In actual practice, most organizations will have several practice rounds before settling on core objectives that work well for them.  Regular, full, and accurate information exchanges among employees, managers, and stakeholders speed this process along.

The benefits from identifying a handful of core Mission Targets come from clear articulation of what’s important to the Madison Highway Department – for universal use both inside and outside the organization.  The core objectives provide a “headline” summary of Madison’s Mission – understood inside and outside the organization.

With core objectives identified, the context for conducting risk management is established by filling in the rest of the grid on the left side of the Matrix with objective descriptions of factual circumstances in which the risk of not meeting those objectives is assigned to consequence levels.  Figures 3 and 4 illustrate how the Madison Highway Department might choose to define its context for Risk Management.  Figure 3 shows the most significant consequence row – “Very Big” – across each of the six Mission Targets.  Input from across the Highway Department’s employees, managers, and external stakeholders is necessary to identify what makes practical sense to include in the Matrix to measure the risk of not meeting objectives against consequences.


Figure 3 – Draft Risk Assessment and Ratings Matrix – “Very Big” Consequences

Figure 4 shows the full range of consequences under one of the Mission Targets:  A – Meet Level of Service Commitments.  Figure 4 shows that the Highway Department has chosen to focus on three level of service commitments:  one around pavement condition, a second around bridge condition, and the third around protection structures (barriers, guard rails, and crash cushions).  [To keep things simple, items like signage, signals, marking, drainage, slope stability, snow clearance are omitted.]

The level of service standards that distinguish “Very Big” from “Very Low” are hypothetical, for illustration only.  Before adopting any level of service commitments, careful internal and external analysis must confirm that these commitments are not only reasonable, but can be met.  More than technical issues are involved, requiring administrative, legislative, and constituent analysis as well.  Other factors, like resource limitations, procurement laws and regulations, project delivery models, and long-term commitments all play a role in finalizing the “context” side of the Risk Matrix.  The result must be workable for the Madison Highway Department.  In practice, several rounds are necessary to properly assemble the “context” side of the Risk Matrix.

Assume, for now, that our Risk Assessment and Ratings Matrix is complete.  We’ve filled in the context side of the Matrix, after extensive discussions among employees, managers, legislators, administrative officials, and external stakeholders.  The Highway Department knows that the commitments it has made in the Matrix are workable, and fairly represent Madison’s core objectives.

How might it be used by the Madison Highway Department?  Typically, responsibility for identifying risks under specific portions of the Matrix is allocated to specific people at the home office or district level – as appropriate.  Each district might be assigned to keep an updated version of the Matrix for items in Mission A – Pavement, Bridges, and Protection.  The Risk Matrix also allows every employee, as well as police and emergency personnel, to keep data related to Protection structures up to date.  District reports are simply aggregated into a system-wide assessment of Mission A.

Figure 4 – Draft Mission Target A Consequence Levels

Figure 5 is a draft of the entire left side of the Risk Assessment and Ratings Matrix for the hypothetical State of Madison’s Highway Department.

Figure 5 – Context For Conducting Risk Management – “State of Madison Highway Dept.”

Figure 6 shows the full, hypothetical “Madison” Risk Management and Rating Matrix.

Figure 6 – Risk Management and Rating Matrix for “State of Madison Highway Department”

Part 1 of this series focused on the right side of the Risk Management and Ratings Matrix – the “Heat Map” portion of the Matrix that is used to provide a practical visual representation of enterprise-wide risks across an infrastructure network.

In this Part 2, the focus was on the left side of the Risk Management and Ratings Matrix – the context-specific portion of the Matrix that identifies the enterprise’s core objectives and maps the risk of not meeting these objectives to specific consequence levels – the same consequence levels used throughout the matrix.

Part 3 will explore using the full Matrix, with scenario analysis, to attack Avoidable Costs.  Achieving a substantial (30-40%) reduction in life cycle cost while meeting enterprise objectives is the purpose of Enterprise Risk Management.


Miller was professor of civil engineering at MIT, chair of the ABA Section of Public Contract Law, and is an expert on infrastructure procurement.