Risk and Decision Analysis 8 (2020) 39–65
DOI 10.3233/RDA-190055
IOS Press
Implementing enterprise risk management in road organizations: Considerations and a proposed roadmap
I. Benekos a,*, G. Yannis b and S. Mavromatis c
a Ph.D., Chair of the World Road Association (PIARC)’s Technical Committee A.3 (Risk Management), Head of
Laboratory A5 (Risk Management and Resilience), Hellenic Institute of Transport, Centre for Research and
Technology Hellas, Marousi, Greece
b Ph.D., Professor, Department of Transportation Planning and Engineering, School of Civil Engineering, National
Technical University of Athens, Athens, Greece
E-mail: geyannis@central.ntua.gr
c Ph.D., Assistant Professor, Department of Transportation Planning and Engineering, School of Civil Engineering,
National Technical University of Athens, Athens, Greece
E-mail: stemavro@central.ntua.gr
Abstract. Implementing risk management across an entire organization, though increasingly applied, may appear challenging
and is often perceived as requiring substantial effort with unclear benefits. This paper aims to provide road transport organizations
and practitioners with key references and a roadmap for designing and implementing Enterprise Risk Management. The
methodology relies on synthesizing existing good practices from the road transport sector. A brief overview of state-of-the-art
practices, with applications using different structures, is provided, and implementation drivers, expected benefits and maturity
levels are highlighted. Practical considerations and key success factors are discussed, followed by the suggestion of an integrated
implementation framework including key concepts and tools.
Keywords: Enterprise risk management, risk, organizational risk, risk management implementation
1. Introduction
On a daily basis we all perform, consciously or unconsciously and
proactively or reactively, some process for managing the consequences
of the options we are faced with or of events that may occur. These
may involve simple considerations, such as not missing the train and
being late to an appointment, or more complex ones, such as investing
in the stock market, which requires expert knowledge of the subject matter.
The risk management (RM) process is, however, ‘the
systematic application of management policies, procedures
and practices to the tasks of communicating,
consulting, establishing the context, identifying, analyzing,
evaluating, treating, monitoring, and reviewing
risk’ [1].
* Corresponding author. Tel.: +30 211 10 69 555; E-mail: ibenekos@certh.gr.
Traditionally and/or intuitively, risk has been associated
with threats. The upside of risk, namely opportunities,
has been recognized and incorporated in all
formal definitions provided by international standards
and professional associations (e.g. [2–4]). For example,
risk is considered as ‘an uncertain event or condition
that, if it occurs, has a positive or negative effect on one
or more objectives such as scope, schedule, cost and
quality’ [5] referring to a project’s objectives. Experts
in technical fields often define risk as ‘a measure of
the probability of occurrence and the severity of related
consequences of events’ to the examined objective [6].
The typical risk structure is shown with an example in
Fig. 1.
The trigger event may be defined as the mechanism
that leads to the realization of a hazard, i.e. the class-4
hurricane. Preliminary and intermediate events may
amplify or mitigate the probability of occurrence and/or
the related consequences. To society or to a company
or institution responsible for a specific activity, the total
1569-7371/20/$35.00 © 2020 – IOS Press and the authors. All rights reserved