U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590

Skip to content
Facebook iconYouTube iconTwitter iconFlickr iconLinkedInInstagram

Federal Highway Administration Research and Technology
Coordinating, Developing, and Delivering Highway Transportation Innovations

Public Roads
This magazine is an archived publication and may contain dated technical, contact, and link information.
Public Roads Home | Past Issues | Subscriptions | Article Reprints | Guidelines for Authors: Public Roads Magazine | Sign Up for E-Version of Public Roads | Search Public Roads
| Current Issue |
Back to Publication List        
Publication Number:  FHWA-HRT-21-002    Date:  Winter 2021
Publication Number: FHWA-HRT-21-002
Issue No: Vol. 84 No. 4
Date: Winter 2021


Handling Risk: FHWA'S Integrated Approach

by Daniel Fodera

FHWA is working to make the organization more effective and efficient by applying an enterprise risk management framework that combines strategic planning, performance planning, and internal controls.

Over the years, government operations have changed dramatically, becoming increasingly complex and driven by changes in technology. At the same time, stakeholders expect greater program integrity, efficiency, and transparency in government operations within existing resource constraints.

A backhoe sinks into a mud pit after cutting into a slope. Source: FHWA.
Risk exists throughout an organization, at the enterprise, program, project, and activity levels.

In response, Federal agencies are implementing enterprise risk management, an approach that brings together risk management, strategic and performance planning, and internal control processes. Implementing enterprise risk management engages an organization across all mission and mission-support functions to improve efficiency, effectiveness, and compliance.

"For the Federal Highway Administration, enterprise risk management is the latest step in the agency's journey of continuous improvement," says Peter Stephanos, FHWA's acting Chief Strategy Officer. "What is new is the integrated approach between strategic planning and review, internal control, and risk management."

Using Risk Management to Focus on Results

Strategic and performance planning gained traction in 1993 after Congress required Federal agencies to focus on performance by developing long-term and annual goals, then measuring and reporting on progress toward those goals. The intent was to shift Federal Government focus from program activities and processes to a focus on desired results.

To achieve successful outcomes and fulfill an organization's mission, policymakers and program managers continually seek ways to improve accountability. A key factor in improving accountability is implementing an effective internal control system. Doing so helps the organization adapt to shifting environments, evolving demands, new priorities, and changing risks by applying risk management techniques.

Risk management has been a part of FHWA's approach to stewardship and oversight for two decades. In 2001, FHWA policy called for each office to conduct risk/benefit assessments to evaluate the implementation of FHWA programs and develop work plans consistent with the results. The policy aimed to enable flexibility for FHWA offices in tailoring a process with their partners. As FHWA and its partner agencies became more familiar with the risk/benefit assessment process, FHWA issued additional guidance on how to manage risk.

A graphic titled "What Makes ERM Work?" that shows six boxes with key elements of ERM. Governance: Making decisions at the corporate level. Objective: Knowing what we are striving to achieve. Operating Principles: Knowing where we accept and avoid risks. Assessments: Routinely evaluating our actions. Planning: Clearly communicating critical activities and reduced effort. Monitoring: Tracking indicators against tolerances to assess progress. Source: FHWA.

Managing Risk in the Recovery Act

FHWA used a risk management approach in the successful delivery of the American Reinvestment and Recovery Act of 2009. In order to deliver projects quickly, the $787 billion Recovery Act released an additional $27.5 billion for highway projects across the Nation. Although the highway portion represented a small part of the total program, it was highly visible. The visibility, rapid influx of dollars, economic environment, and Federal reporting requirements gave rise to a challenging risk environment.

Some of the specific risks included projects administered by local public agencies—some of which were unfamiliar with Federal requirements related to contract administration, environmental compliance, civil rights program requirements, and project reporting. FHWA took a national, strategic approach and responded to these risks by increasing communications, providing additional resources, and conducting onsite reviews of projects to identify and resolve issues. Federal-aid divisions identified risks within each State and tailored their risk response activities to their environment. Division and national engineers and technical specialists worked to identify and effectively address risks to individual projects. The result was that FHWA successfully delivered the Recovery Act projects by addressing risks at multiple levels of the organization.

An old steel bridge, closed to traffic. Source: FHWA.
Part of risk management is knowing when to accept or avoid threat risks, and when to pursue opportunities.

Risk Management at All Levels

The multilevel approach to the Recovery Act exemplifies how an organization manages risk. Effective organizations manage risk at the enterprise, program, project, and activity levels.

Risks at the enterprise level affect the entire organization. They may be external strategic risks or internal risks that cut across units or multiple programs. Programs comprise the groups of related projects, subsidiary programs, and program activities. Coordinating and managing risk at a program level provides benefits not available from managing these activities individually. Projects comprise temporary endeavors undertaken to produce a unique product, service, or result. Individual projects may have unique risks to their success. Activities involve a coordinated set of ongoing actions taken to support projects or programs. There are risks at the activity level too.

The responsibility for managing risk at each level lies with the managers or leaders responsible for the success of that part of the organization. Enterprise-level risk is managed by the senior executives, program risk by the program managers, project risk by the project managers, and activity risk by those responsible for that activity.

"The process for managing risk is consistent regardless of whether it's being applied at the enterprise, program, project, or activity level," says Brian Bezio, FHWA's Chief Financial Officer.

A flow chart titled "FHWA Risk Management Process." The six steps of the process are in boxes with arrows from one to the next, and an arrow leads from the last step back to the first, labeled "cycle" and indicated that the process is a continuous cycle. The first step is "identify the context." The second step is "identify the risks." The third step, "analyze the risks," has two sub-steps shown in adjacent boxes below the main box: "assess impact" and "assess likelihood." The fourth step is "prioritize risks." The fifth step is "plan and execute response strategies." The sixth step is "monitor, evaluate, and adjust." The boxes for steps one, five, and six are colored a gray gradient, while steps two through four are colored a yellow gradient and labeled "risk assessment," indicating that these steps in the risk management process specifically relate to risk assessment. A bar below the entire graphic reads "communication and consultation occur at each step." Source: FHWA.

This consistency in the core process can also be seen in the different standards or guides for risk management—such as ISO 31000:2018, the Project Management Institute's Project Management Body of Knowledge, or OMB Circular No. A-123, "Management's Responsibility for Enterprise Risk Management and Internal Control." The process includes communication and consultation, understanding the risk context, risk assessment (identifying, analyzing, prioritizing), responding to risk, and monitoring the results. An important consideration in applying the risk management process is the organization's attitude toward risk—its risk appetite.

Risk Appetite

Risk appetite is the type and amount of risk, on a broad level, that the agency is willing to accept in pursuit of program objectives. Explicit risk appetite statements aid units in understanding when an organization will and will not accept risk in order to achieve goals and objectives. In addition, risk appetite describes how an organization will respond to risk, including the subsequent actions undertaken as a result.

Risk appetite informs decisionmaking. It represents risk posture at the enterprise level, and the absence of a risk appetite statement does not imply that there are not other risks that the agency also faces. FHWA has developed risk appetite statements with the intention that they will evolve over time in response to changing priorities and internal and external contexts.

FHWA risk appetite statements describe opportunities the agency is willing to pursue to help achieve goals and objectives. Acceptable risk means that the benefits of pursuing certain opportunities outweigh the potential threats. For example, transferring certain responsibilities to recipients when effective controls are in place and pursuing the deployment of innovations could realize long-term benefits to transportation, and those benefits could outweigh the risks. Each statement contains conditions that must be met when taking on these risks.

The FHWA risk appetite statements also describe how the agency will respond to threat risks. These are situations where threats, if realized, could have adverse impacts to public safety, system resiliency, the Federal investment, and FHWA's credibility.

Identifying Program Objectives

Defining objectives at the appropriate level of the organization is an essential component of the enterprise risk management framework. By definition, risk represents the effect of uncertainty on objectives, so risk management cannot be effective if objectives are unclear, undefined, or inconsistently understood. FHWA uses its enterprise risk management to explicitly define objectives for Federal Highway programs.

Program objectives support the achievement of FHWA strategic goals and objectives. They provide a consistent framework for understanding risk and developing activities across the organization. The agency evaluates the risks to achieving its program objectives and prioritizes responses based on risk appetite.

Risk Management at FHWA

FHWA applies the risk management process across the enterprise to develop strategic plans every few years and unit performance plans each year. The agency integrates strategic planning, performance planning, and risk management into the performance planning cycle. The cycle begins with the establishment of program objectives and risk appetite. The FHWA leadership team establishes risk appetite and agency-wide program objectives that align to the strategic objectives.

Program offices assess program areas to evaluate efficiency, effectiveness, and compliance at a national level. These program assessments validate or identify critical activities to be undertaken by the agency. They also identify areas to reduce effort or improve efficiency and use of agency resources. The program offices apply the program and risk assessment process to involve stakeholders, offices, and individuals from across the agency. The program offices, coordinating with the Chief Strategy Officer, bring the results of these assessments to the FHWA leadership team, which then communicates them to the agency as draft activities.

Three bridge construction workers stand on a concrete form next to a stream with environment control measures in the water. Source: FHWA.
Managing risk involves paying attention to factors that affect the work, monitoring results, and making adjustments in how to focus resources.

Units provide comments on the draft activities that provide important perspective and are considered in developing a final enterprise performance plan. Units conduct risk assessments to evaluate opportunities and threats to achieving program objectives, assigned critical activities, and available resources. By using the risk management process and applying risk appetite throughout, units identify, evaluate, and prioritize their risks and develop response strategies to address the top risks. The risks identified by FHWA for programs and projects are managed in consultation with State partners within the context of a federally-assisted, State-administered program.

The finalized annual unit performance plans include significant activities for the coming year, critical activities, and responses to top risks. Units implement plans, monitor results, and reassess risks. The program offices and FHWA leadership team monitor and consider performance results and risks, which become part of the organizational context as the cycle repeats.

Framing the Future

The enterprise risk management framework establishes a consistent approach to identify, assess, and prioritize threats and opportunities so that FHWA can decide how to address future issues affecting the Federal-aid and Federal Lands Highway Programs and national objectives. The framework helps to focus limited resources, strengthen the ability to efficiently and effectively manage programs, and communicate consistently about what the agency should focus on and why. Enterprise risk management helps to provide reasonable assurance that FHWA understands the risks associated with achieving objectives and responds appropriately.

A workflow graphic titled "ERM in Practice: Operating Principles." Starting at the left, a diamond labeled "indicator" asks, "within tolerance or acceptable condition?" An arrow labeled "no" leads to a box with the words, "tighten control, add work." This result would indicate where to avoid risks. An arrow labeled "yes" leads from the diamond to a box with the words, "maintain or streamline/remove." This result would indicate where to accept risks. Arrows from each of these boxes (mitigate or accept risk) leads to a box labeled "the work we do." An arrow from there leads to the next box, labeled "Assessment: effective, efficient, compliant." An arrow from there leads to the next box, "Plan: critical activities, reduce effort." From there, an arrow leads to the next box, "Monitor: work progress and results." Two arrows lead from the "monitor" box. One arrow leads back to the first box, indicating a continuing cycle. The second leads to a final circle, labeled "outcomes." Source: FHWA.
How does ERM help achieve objectives? Begin with "The Work We Do" and follow the process.

"Enterprise risk management is about making risk-based corporate decisions to most effectively and efficiently carry out our programs," says Thomas Everett, FHWA's Executive Director. "Through ERM, we will better understand when we should be involved and when we can reduce effort in our program and project level actions. By considering our appetite for risk and by assessing our programs, we can make these decisions in a more informed manner."

Daniel Fodera is the corporate performance and risk management officer in FHWA's Office of Stewardship, Oversight, and Management. He has held positions in field offices and headquarters. Daniel holds one U.S. patent and is a Certified Enterprise Risk Manager. He holds a master's degree in public administration from the University of Maryland Global Campus (Europe) and a Master Black Belt Certificate in Lean Six Sigma from Villanova University.

For more information, contact Daniel Fodera at 404–562–3672 or daniel.fodera@dot.gov.



Federal Highway Administration | 1200 New Jersey Avenue, SE | Washington, DC 20590 | 202-366-4000
Turner-Fairbank Highway Research Center | 6300 Georgetown Pike | McLean, VA | 22101