Enterprise Risk Management in Infrastructure

By:  Dr. John Brown Miller

[This article was published by Civil + Structural Engineer magazine on August 17, 2017.]

Over the last decade, Enterprise Risk Management (ERM) has emerged as an impressive, $22 Billion market segment, along with a more descriptive name – “the eGRC Market.” (July 20, 2017 release by TheStreet on PR Newswire)  The “Enterprise Governance Risk Compliance” market (“ERM” for simplicity here) is expected to grow to $44 Billion by 2022 (at a compound annual growth rate of nearly 15%).  Eighty percent (80%) of global Fortune 1000 companies use ERM logic, software, and services to analyze the effect of uncertainty on objectives – i.e. “risk”.  Expertise services and software have followed closely behind the adoption and use of ISO Standard 31000:2009(En) in 2009.  Software developers in the ERM space include Microsoft, BWise, SAS, IBM, FIS, Thomson Reuters, Wolters Kluwer, MetricStream, EMC, Oracle, and SAP.

Not surprisingly, infrastructure owners have the same or similar “risk management” interests as private manufacturers and service providers across the world:

  • to assure safety of personnel and the public;
  • to meet level of service commitments;
  • to comply with laws and regulations;
  • to prevent disruption in the usefulness and availability of assets;
  • to earn and maintain public trust;
  • to protect financial health; and
  • to improve system performance and capability.

ERM systems are in widespread use in manufacturing, medical devices, fleet maintenance, and aviation.  ERM has also been adopted and deployed as an organizational principle for public entities that manage public infrastructure networks.  Much of the experience with ERM in the public infrastructure space is outside the United States – Australia, Canada, England, Scotland, and Holland are examples.  As a participant in a 2011 Scanning Tour organized by the FHWA,[1] I had the opportunity to see how Enterprise Risk Management was being used in other parts of the world.  Part 1 presents some of the core logic behind ERM systems in public infrastructure.  ERM systems create very substantial opportunities to sustain core infrastructure from savings in Avoidable Costs while preserving, or upgrading, levels of service (LOS).  Avoidable Costs in the range of 30-40% of life cycle costs to sustain core infrastructure represent real value for money (VforM).

ISO 31000:2009(En) is the English version of the International Standard.  It is an outline standard – containing the broad outlines of what an Enterprise Risk Management system should contain, while leaving the development of the specifics for adaptation to the context in which it is to be used.  ISO 31000 has been applied broadly and effectively by Transport & Main Roads, Queensland, Australia (Brisbane).  Figure 1 shows that TMR adopted the identical Risk Management Process recommended in ISO 31000.  The ISO standard establishes an iterative (never-ending) process for Risk Management, contained in Section 5 of the Standard.

Figure 1 – ISO 31000:2009(En) adopted by Queensland (Aus): Transport & Main Roads

Queensland TMR created the Risk Assessment and Ratings Matrix in Figure 2 by following the processes in §§ 5.2 and 5.3 of ISO 31000.  These processes will be addressed in Part II:  specifically, “Communication and consultation” (§5.2), “Establishing the context” (§5.3), and “Monitoring and review” (§5.6).

Figure 2 – Queensland (Australia) Transport and Main Roads Risk Assessment and Ratings Matrix

The right side of Figure 2 – sometimes called a “heat map” – is the place in the Matrix where “Risk assessment” (§5.4) and “Risk treatment” (§5.5) are managed.  The “heat map” is the focus of this Part 1.

Risk assessment is the process of identifying, analyzing, and evaluating risk.  The word “risk” is used in a different way than in normal English usage.  In this context, “risk” is related to uncertainty.  All organizations operate in the face of internal and external factors and influences that create uncertainty as to whether the organization will achieve its goals and objectives.  It is in this context that the word “risk” is used.  “Risk” is the effect of uncertainty on objectives.  “Risk assessment” begins with the identification of sources of risk, areas of impact, and events that may create risk, along with their causes and potential consequences.  Sources of risk may be within the control of the organization, but they may also be outside of its control.  “Risk analysis” involves developing sufficient understanding of each identified risk to support downstream decision-making: its evaluation, its consequences, its likelihood, and enough information to understand how the risk might be treated in order to remove, lessen, or manage its effect on organizational objectives.  The purpose of “risk evaluation” is to provide a framework for making decisions, based on the outcomes of risk analysis, as to which risks need treatment, as well as the priority and nature of that treatment.

Figure 3 shows the “heat map” portions of a hypothetical “risk assessment” matrix – in two different stages.  Across the top of Figure 3 are six boxes illustrating the “likelihood” that a particular “risk” will occur:  from “Very Unlikely” to “Very Frequently, Daily”.  From top to bottom along the left of Figure 3 are six boxes illustrating consequence levels for a particular risk: from “Very Low” to “Very Big.”  The number in each box is a numerical indication of the relative significance of the risk.  “1,000,000” is of catastrophic impact, while 0.0001 is of no impact to the objectives of the organization.  The headings, and the numerical entries, are examples for illustration only, and differ for every organization that uses them, because they depend on the objectives of each organization and the context used.

On the left side of Figure 3, just one “risk” has been identified and placed, based on the organization’s core mission criteria (not shown in Figure 3).  TMR’s criteria are shown in Figure 2, as an example.  For now, we are focused on the heat map.  The right side of Figure 3 is later in the risk identification, analysis, and evaluation process.  Seven different specific risks have been identified and placed on the heat map.  Also shown in Figure 3, as part of the evaluation of each risk shown, is the expected placement of the risk in the succeeding year if it is not “treated” in some fashion in the current planning year.

Figure 3 – Hypothetical Risk Matrices (with one Risk and 7 Risks identified, analyzed, and placed.)

Risk identification, analysis, and evaluation is an on-going process – especially in complex infrastructure networks like a transit system, a highway network, or water and wastewater systems.  In large deployments of ERM systems, risk matrices are usually created locally, at the divisional level, before being aggregated into a network-wide analysis.  Alternatively, risk matrices can be created by function within a large network.  For example, a transit system might create separate matrices for rolling stock; rail/track structures; stairs, elevators, and escalators; signage; platform structures; and stations.  Risk matrices are constructed to fit well into each organization.

“Risk treatment” is the selection among options for modifying risks, followed by implementation.  “Treatment” includes the following options (from ISO 31000):

  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing the risk in order to pursue an opportunity;
  • removing the risk source;
  • changing the likelihood;
  • changing the consequences;
  • sharing the risk with another party or parties (including contracts and risk financing); and
  • retaining the risk by informed decision.

Figure 4 shows some of these options, each of which would be priced as part of the risk evaluation process.  Option 1C would change the likelihood of the risk.  Option 1B would change the consequences of the risk.  Options 1D and 1E would change both the likelihood and the consequences.  Operational changes (not shown) could avoid the risk, take increased risk, remove the risk source, or share the risk with another party (perhaps by contract).  These options might be capital expenses, or a series of interim OM&R actions that manage the likelihood and consequence of identified risks.  Similar options are developed for each risk in the Risk Matrix.
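As an added example that is not part of the article, the following Python model works through the heat map of Figures 3 and 4: placing a risk on the six-by-six grid, projecting where it sits next year if untreated, and ranking priced treatment options 1B through 1E by the score reduction each buys per unit cost.  The axis labels, the tenfold-per-step cell values (chosen so the corners match the 0.0001 and 1,000,000 of Figure 3), and all risk and price figures are assumptions constructed for illustration.

```python
"""Heat-map model of the hypothetical ISO 31000 risk matrix in Figures 3 and 4.
Added example, not from the article: the six-level axes, the x10-per-step cell
values and every risk, treatment and price used with it are constructed."""
from dataclasses import dataclass, replace

# Axis indices run 0..5 from least to most severe, as along Figure 3's axes.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely",
              "Frequent", "Very Frequently, Daily"]
CONSEQUENCE = ["Very Low", "Low", "Moderate", "High", "Big", "Very Big"]
TOP = len(LIKELIHOOD) - 1


def cell_value(likelihood: int, consequence: int) -> float:
    # Constructed scale: each step up either axis multiplies the cell by 10,
    # so the corners span 0.0001 (no impact) to 1,000,000 (catastrophic).
    return 10.0 ** (likelihood + consequence - 4)


def clamp(i: int) -> int:
    return max(0, min(TOP, i))  # keep placements on the grid


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    consequence: int
    drift: int = 0  # expected likelihood change next year if left untreated

    def score(self) -> float:
        return cell_value(self.likelihood, self.consequence)

    def untreated_next_year(self) -> "Risk":
        # Expected placement in the succeeding year without treatment.
        return replace(self, likelihood=clamp(self.likelihood + self.drift))


@dataclass(frozen=True)
class Treatment:
    label: str
    d_likelihood: int    # option 1C changes likelihood only
    d_consequence: int   # option 1B changes consequence only; 1D/1E change both
    cost: float          # constructed price from the risk evaluation step


def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    return replace(risk, likelihood=clamp(risk.likelihood + t.d_likelihood),
                   consequence=clamp(risk.consequence + t.d_consequence))


def rank_by_value(risk: Risk, options: list) -> list:
    """Order treatments by score reduction per unit cost, best value first."""
    def value(t: Treatment) -> float:
        return (risk.score() - apply_treatment(risk, t).score()) / t.cost
    return sorted(options, key=value, reverse=True)
```

With a constructed risk at “Likely” / “Big” (score 1,000) and the four priced options, the ranking shows that the cheapest option is not necessarily the best value once the score reduction it buys is taken into account.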

Figure 4 – Hypothetical Risk Matrix with Different Risk Treatment Options

The advantages of ERM systems in capturing Avoidable Costs for immediate re-use within an infrastructure network are apparent.  Long term budgeting decisions for capital, as well as OM&R, items are greatly enhanced.  Decisions are based on a known combination of specific risk treatments applied to particular risks.  If coupled with an open, competitive procurement system, ERM systems allow public infrastructure owners to identify the actions that management will take to manage identified risks – at the right place, with skilled people, at the right time, and with value for money.

Capturing Avoidable Costs for immediate reapplication within the network is a substantial infrastructure opportunity.

[1] Report No. FHWA-PL-12-029, August 2012, Transportation Risk Management: International Practices for Program Development and Project Delivery (84 pp).


Miller was professor of civil engineering at MIT, chair of the ABA Section of Public Contract Law, and is an expert on infrastructure procurement.