Enterprise Risk Management

DRAFT Proposal for Formal Enterprise Risk Management

August 25, 2011/01/Kephart

Within FRA and at Fermilab, risk management is considered a core activity within strategic and tactical decision-making. The process requires identification and communication of potential events that may significantly impact the Laboratory negatively, and then managing these identified risk events to within an acceptable level. It emphasizes managing risk across the enterprise using common methods and integrated risk management to control and reduce risks. When enterprise risks are identified, the relevant Management System Owner is responsible for ensuring that the risk is managed, mitigated, and appropriately communicated. FRA and Fermilab use an integrated approach to risk management. The FRA Board of Directors (BOD), Projects, CAS management system owners, line managers, and employees identify risks. These risks are evaluated via a graded approach that raises items of concern to an appropriate level of management. At the highest level of the Fermilab organization, the Assurance Council reviews items of concern, mitigation strategies, and any residual risk. Any items affecting the corporate parent will be elevated by the Director to the FRA BOD or their representatives. This approach:

  • Ensures the high and moderate risks are addressed such that negative impacts on cost, performance, schedule, people, and other assets are minimized or eliminated, where possible;
  • Ensures risk aspects are factored into decision making, planning and resource allocation;
  • Reduces the uncertainty in executing the mission; and
  • Ensures the methods and criteria for evaluating risks are consistent with FRA guidance and meet the DOE and other stakeholder requirements.

Current enterprise-level risks with their mitigation strategies and management judgment as to the residual level of risk post-mitigation are illustrated and detailed below.

Enterprise risk register. Each entry gives the risk number (No.), Risk Title, Risk Description, Mitigation, Probability, Impact, and Category; entries are grouped by management system.

M1 Corporate Governance

  No. 9: Catastrophic Event
    Description: Catastrophic event such as act of God or terrorism that causes widespread loss of life and/or damage to Laboratory.
    Mitigation: FRA Board Committee meetings and Assurance Council meetings to review low probability but very high impact risks and reasonableness of mitigation plans vs. required resources. The Laboratory has in place and routinely reviews emergency response plans (ERP) and continuity of operations plans (COOP).
    Probability: Low; Impact: High; Category: Multiple

M2 Stakeholder Relations

  No. 4: Major Funding Reduction
    Description: Political event unrelated to Science and/or HEP, or lack of fruitful interactions with OMB, OSTP, Congress, Scientific Community and other funding stakeholders, leading to loss of funding adequate to meet Laboratory mission.
    Mitigation: FRA Board endorses DOE-approved Strategic Plan, then assigns and monitors periodic visits and interactions to provide information to Congress, agencies, and community leaders regarding Fermilab's programs and plans and the consequences of funding actions.
    Probability: High; Impact: High; Category: Political

M3 Performance Planning

  No. 14: Major Project Problem
    Description: Appropriate project management tools, procedures and controls are inadequate or not followed, resulting in major project problem related to cost, schedule or performance.
    Mitigation: Implementation of DOE O 413 through Office of Project Management Oversight processes, policies and controls; regular management reviews at multiple levels including FSO participation; formal corrective action processes to address findings; Design Reviews and use of Engineering Manual to avoid technical failures.
    Probability: Medium; Impact: High; Category: Program

M4 Science

  No. 16: Major Technical System Failure
    Description: Failure of a technical component or system that results in loss of scientific productivity or damages laboratory mission.
    Mitigation: Robust engineering processes, design reviews, vulnerability studies, spare parts planning, obsolescence mitigation, post mortem analysis for continuous improvement of reliability, etc.
    Probability: Medium; Impact: High; Category: Program

  No. 3: Scientific Fraud
    Description: Act of scientific fraud damages Laboratory's credibility and reputation, resulting in loss of DOE support and funding.
    Mitigation: Laboratory Director's Policy 42 on Scientific Research; internal peer review within experimental collaborations; external peer review process for scientific publications.
    Probability: Low; Impact: High; Category: Reputation

M5 Finance

  No. 6: Major Budget Overrun
    Description: Contract has insufficient funds to continue operations, resulting in Laboratory shutdown and failure to meet contract requirements.
    Mitigation: Monthly monitoring of budget to funding and budget to actuals; standing update at FRA Board Administrative & Finance Committee reviews.
    Probability: Low; Impact: High; Category: Financial

  No. 7: Large Unallowable Cost
    Description: Error results in large unallowable costs charged to the contract, resulting in need to expend FRA resources and reduced mission resources.
    Mitigation: Laboratory Accounting Procedures and Policies; annual cost allowability internal audit; FRA Board oversight by Audit Committee.
    Probability: Medium; Impact: High; Category: Financial

M6 Business Operations

  No. 8: Major Theft
    Description: Major theft of high-value Government owned property and/or radioactive materials, leading to mission budget shortfall to replace item, damage to stakeholder trust and Laboratory reputation.
    Mitigation: Site Security Plan addresses physical security, surveillance activities for employees and security force, and additional remote surveillance of high-risk areas.
    Probability: Low; Impact: High; Category: People

  No. 13: Significant Labor Issue and/or Employment Law Action
    Description: Organized labor issue or major EEOC class action which results in adverse publicity and/or lawsuit. Labor action that impedes Laboratory's ability to meet contractual requirements and financial impact on programs.
    Mitigation: WDRS policies, procedures and expertise in managing issues and escalating to internal and external legal counsel at both the Laboratory and FRA levels; employee advisory group and surveys as early warnings of employee concerns.
    Probability: Low; Impact: High; Category: People

  No. 11: Major Compromise of Personally Identifiable Information (PII)
    Description: Accidental or intentional compromise of PII of Laboratory employees, users and/or contractors, and inappropriate use of this data.
    Mitigation: WDRS vetting of new hires; ethics program, employee assistance program, training for supervisors in identifying disturbed individuals; procedures for segregation of PII and granting of access only on a need-to-know basis; basic IT security measures for laboratory IT systems.
    Probability: Low; Impact: High; Category: Security & IT

  No. 15: Major Infrastructure Failure
    Description: Failure of infrastructure or physical plant prevents laboratory or scientific program from conducting operations to achieve contract goals.
    Mitigation: Management and annual update of FESS Facility Condition Database to allow proactive maintenance; risk-based application of maintenance resources.
    Probability: Medium; Impact: High; Category: Program

  No. 1: Radiation Incident
    Description: Legal overexposure of employee, user or contractor, or large-scale contamination resulting from accident or failure to follow radiation control procedures, leading to Laboratory shutdown, DOE inquiry, and/or loss of stakeholder trust.
    Mitigation: Formal processes and procedures in place to provide for radiation safety; internal and external audits of processes to assure implementation; training and qualifications tracking; well trained Radiation Control Technicians (RCTs) providing oversight of higher risk jobs.
    Probability: Low; Impact: High; Category: ES&H

  No. 2: Serious Injury/Accidental Death
    Description: Accidental death or serious injury of Laboratory employee, user or contractor results in Laboratory shutdown, DOE inquiry, and/or loss of stakeholder trust.
    Mitigation: Formal ES&H processes; internal and external audits of processes to assure implementation; training and qualifications tracking; ISM; use of personal protective equipment and monitoring when hazard cannot be engineered out.
    Probability: Low; Impact: High; Category: ES&H

  No. 5: Major Environmental Event
    Description: Environmental problem at Laboratory results in public health concern, or violates EPA, DOE, or other standards, leading to possible financial implications for FRA or DOE, and possible Laboratory shutdown, DOE inquiry, and/or loss of stakeholder trust.
    Mitigation: Formal environmental processes; internal and external audits of processes to assure implementation of protective measures; all waste controlled by procedure; emergency procedures in place to respond to release or spill; programs evaluated by outside agencies.
    Probability: Low; Impact: High; Category: ES&H

M8 Quality

  [None Currently at Enterprise Level]

M9 Engineering

  [None Currently at Enterprise Level]

M10 Information Technology

  No. 10: Major IT Security Breach
    Description: Major security incident that results in loss of scientific and operations productivity and embarrassment to the lab, or results in fraud, embezzlement or unallowable costs.
    Mitigation: Use of risk-based controls on systems and applications; active program of scanning and monitoring to ensure integrity of systems; regular testing of security controls on all systems; separation of duties; active threat analysis and identification; active program of end user training and education.
    Probability: Medium; Impact: High; Category: Security & IT

M11 Communications

  No. 12: Allegations of Cover Up
    Description: Lack of transparency or failure to accurately communicate a Laboratory negative event to the local and national public and decision makers results in damage to Laboratory's reputation and financial support.
    Mitigation: Lab management commitment to transparency via print and electronic publications and websites for external audiences; formal processes for ORPS reporting to DOE and Emergency Operations Center communications in the event of an emergency; formal press release procedures, including for negative events; Community Advisory Board participation in major communication decisions.
    Probability: Low; Impact: High; Category: Reputation
