Introduction
The following is an example risk management process suitable for use to implement the risk-based approach within a Highway Authority. In order for risk management to be successful it must be appropriate and adapted to each organisation.
Figure 2 below shows an example of a risk management process, based on ISO 31000 and the UKRLG HIAMG Part C.
Figure 2 – An Example of a Risk Management Process
The figure shows that two parts of the process, Communications & Consultation and Monitoring &
Review, persist throughout the risk management process and can impact on all stages.
These could be internal discussions that lead to a new risk being identified, or customer
engagement reporting issues on the network which may require a review of inspection frequency.
The risk management process will have regular reviews but should also be agile enough to respond as a part of day-to-day management, embedding the risk-based approach in an authority’s
operations.
The explanations below of the various elements of the process give generic examples of actors, actions, activities and roles which could be involved at each part of the process.
At each stage in the process actions may be required to ensure that risks remain at tolerable levels, or are exploited to an organisation’s advantage.
This will only occur where clear responsibility and accountability is defined and understood, and acted upon for each and every individual risk.
45 Establish Risk Context
The authority’s corporate risk management approach, appetite and framework/process will all need to be clearly understood.
Risk will be managed at many different levels within each Highway Authority, but when implementing a truly risk-based approach the wider risk context must form the start of the process.
Risk management should support the delivery of organisational objectives and as a result, the risk management approach and risk appetite will be owned by the executive and senior management – this will set the context within which risk-based highway management can be developed.
The wider context may include the influence of partners, suppliers, customer groups, Local Enterprise Partnerships, Local Resilience Forums, Government Departments and other issues such as economic circumstances, climate change or political aspirations.
Whilst part of the context, these issues should always be viewed through the filter of the organisation’s risk management approach.
The authority’s designated corporate risk manager will be a key point of contact, as will departmental and team risk management leads.
Government departments, stakeholders, partners and customers may all form part of the groups relevant to the risk context, whilst not setting it directly.
The monitoring and review; and communication and consultation aspects of the process can be used to manage these interactions.
46 Risk Assessment
Risk assessment comprises three stages, these may be recorded on a risk register as a tool to provide a statement of risk management at any particular time, but each aspect is a separate consideration.
Identify Risks
Once the context and approach to risk management has been defined, risks should be identified across the Highway Authority’s operations. These will cover a diverse range of subjects as detailed in section 13.3 of the UKRLG HIAMG.
The risk identification stage is a crucial opportunity to ensure risks are visible throughout the organisation.
Risks should be unmitigated at this stage to allow for later prioritisation.
To fully understand all risks and compare risks across risk groupings will require a collaborative process across the authority with subject matter experts, managers and corporate functions all likely to contribute specific knowledge relevant to differing risk types.
Risk management groups and teams may be useful in facilitating this flow of information and integrating the highways risk process into the corporate risk management framework.
The frequency and format of risk identification will need to be based on the organisation’s risk management guidance and the risk context.
It will be important to establish and regularly review the risk management basis of both the hierarchy and inspection frequency, including the impact of the defined Resilient Network.
It will also be an opportunity for a Highway Authority to consider the sustainability and agility of its arrangements and develop its risk based approach appropriate to local circumstances.
Evaluate Risks
Risk evaluation is a product of understanding the likelihood and consequence of a particular event. It is important to note that whilst this is often viewed as a negative ‘impact’ risks can also present opportunities.
Authorities will already have an established corporate risk management approach and this will need to be extended and adapted to be appropriate to the highway risk-based
approach.
Consequence descriptions in the evaluation process may need to be developed in the highways context, and the corporate risk manager should be consulted as part of this process.
Section 13.5 of the UKRLG HIAMG provides more detail on risk evaluation and should help authorities gain a clear understanding of the risks they face, such that they can be
compared and risk management decisions made.
47 Manage Risks
Treatment of risk ensures that an organisation is conscious of the risks it faces and has a coordinated approach to the management and mitigation of risks, where possible, and is aware of the remaining risk levels where mitigation is not possible or desirable.
The risk appetite of the Highway Authority will shape the management of each risk and will need to be clearly understood and communicated to all those involved in risk management decisions.
It is important to note that financial, resourcing, political, environmental and other circumstances will all impact risk appetite and decisions made, but clear decisions and residual risk levels should be recorded and shared within the authority.
In the example of highway inspection and associated defect repairs it will be equally important for Highway Authorities to deliver efficiencies through accurately identifying risks that can be managed and resolved through planned programmes of work as it will be to make provision for the appropriate prompt response to high risks.
This will rely on good risk management process and competencies.
Communication & Consultation
Communications and consultation is a constant part of the risk management process and impacts at each and every stage, since for risk management to be fully embedded in an organisation the risk management process should be part of normal operations
management.
It is likely that there will be regular cycles of review, but for an organisation to have fully adopted a risk-based approach, all routine management decisions should also be cognisant of the impact, positive or negative, that they will have on remaining risk levels.
This safeguards the organisation’s strategic objectives and focusses delivery but, most importantly, recognises that risk management decisions are routinely made every day, keeping an authority’s risk-based approach agile and relevant to their operations.
Formal consultation, communication and governance will likely be in place for risk management within an authority and wherever possible, this should be adopted and extended to include the highways risk-based approach.
External communications will be essential in seeking to align customer expectations, political aspirations, and a deliverable and sustainable risk management approach.
The preparation and approval governance of such external communications may lead to internal challenge and review of the arrangements and re-affirmation of the message before the communication.
48 Monitoring & Review
At all stages of the risk process different people will identify, evaluate, communicate and manage a risk.
The risk-based approach adopted by an authority should clearly identify roles and
responsibilities of those involved in the process so that ownership and monitoring of each stage of the process is clearly understood and managed appropriately.
Highway Authorities should be mindful of the agility of their risk based approach to support adequate management of locations of increased risk, including when they are located within parts of their network generally exhibiting lower risk characteristics.
Monitoring and review should be dynamic so that as risk levels change, an organisation’s approach to managing the risk can too.
Timely review and appropriate information sharing will be key to an agile and responsive risk management process.
Finally the risk management process itself must be subject to regular review and monitoring to ensure it is fit for purpose and suitably managing risks.
Authorities are often undergoing significant corporate or departmental change which may result in a requirement to amend the process, change management arrangements or reallocate roles and responsibilities to ensure the risk-based approach is continuing to add value and deliver corporate objectives.
49