Enterprise Risk Management Case Studies: Heroes and Zeros

By Andy Marker | April 7, 2021


We’ve compiled more than 20 case studies of enterprise risk management programs that illustrate how companies can prevent significant losses yet take risks with more confidence.   

Included on this page, you’ll find case studies and examples by industry, case studies of major risk scenarios (and company responses), and examples of ERM successes and failures.

Enterprise Risk Management Examples and Case Studies

With enterprise risk management (ERM), companies assess potential risks that could derail strategic objectives and implement measures to minimize or avoid those risks. You can analyze examples (or case studies) of enterprise risk management to better understand the concept and how to properly execute it.

The collection of examples and case studies on this page illustrates common risk management scenarios by industry, principle, and degree of success. For a basic overview of enterprise risk management, including major types of risks, how to develop policies, and how to identify key risk indicators (KRIs), read “Enterprise Risk Management 101: Programs, Frameworks, and Advice from Experts.”

Enterprise Risk Management Framework Examples

An enterprise risk management framework is a system by which you assess and mitigate potential risks. The framework varies by industry, but most include roles and responsibilities, a methodology for risk identification, a risk appetite statement, risk prioritization, mitigation strategies, and monitoring and reporting.

To learn more about enterprise risk management and find examples of different frameworks, read our “Ultimate Guide to Enterprise Risk Management.”

Enterprise Risk Management Examples and Case Studies by Industry

Though every firm faces unique risks, those in the same industry often share similar risks. By understanding industry-wide common risks, you can create and implement response plans that offer your firm a competitive advantage.

Enterprise Risk Management Example in Banking

Toronto-headquartered TD Bank organizes its risk management around two pillars: a risk management framework and risk appetite statement. The enterprise risk framework defines the risks the bank faces and lays out risk management practices to identify, assess, and control risk. The risk appetite statement outlines the bank’s willingness to take on risk to achieve its growth objectives. Both pillars are overseen by the risk committee of the company’s board of directors.  

Risk management frameworks were an important part of the International Organization for Standardization’s 31000 standard when it was first written in 2009 and have been updated since then. The standards provide universal guidelines for risk management programs.  

Risk management frameworks also resulted from the efforts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The group was formed to fight corporate fraud and included risk management as a dimension. 

Once TD completes the ERM framework, the bank moves onto the risk appetite statement. 

The bank, which built a large U.S. presence through major acquisitions, determined that it will only take on risks that meet the following three criteria:

  • The risk fits the company’s strategy, and TD can understand and manage those risks. 
  • The risk does not render the bank vulnerable to significant loss from a single risk.
  • The risk does not expose the company to potential harm to its brand and reputation. 

Some of the major risks the bank faces include strategic risk, credit risk, market risk, liquidity risk, operational risk, insurance risk, capital adequacy risk, regulator risk, and reputation risk. Managers detail these categories in a risk inventory. 

The risk framework and appetite statement, which are tracked on a dashboard against metrics such as capital adequacy and credit risk, are reviewed annually. 

TD uses a three lines of defense (3LOD) strategy, an approach widely favored by ERM experts, to guard against risk. The three lines are as follows:

  • A business unit and corporate policies that create controls, as well as manage and monitor risk
  • Standards and governance that provide oversight and review of risks and compliance with the risk appetite and framework 
  • Internal audits that provide independent checks and verification that risk-management procedures are effective

Enterprise Risk Management Example in Pharmaceuticals

Drug companies’ risks include threats around product quality and safety, regulatory action, and consumer trust. To avoid these risks, ERM experts emphasize the importance of making sure that strategic goals do not conflict. 

For Britain’s GlaxoSmithKline, such a conflict led to a breakdown in risk management, among other issues. In the early 2000s, the company was striving to increase sales and profitability while also ensuring safe and effective medicines. One risk the company faced was a failure to meet current good manufacturing practices (CGMP) at its plant in Cidra, Puerto Rico. 

CGMP includes implementing oversight and controls of manufacturing, as well as managing the risk and confirming the safety of raw materials and finished drug products. Noncompliance with CGMP can result in escalating consequences, ranging from warnings to recalls to criminal prosecution. 

GSK’s unit pleaded guilty and paid $750 million in 2010 to resolve U.S. charges related to drugs made at the Cidra plant, which the company later closed. A fired GSK quality manager alerted regulators and filed a whistleblower lawsuit in 2004. In announcing the consent decree, the U.S. Department of Justice said the plant had a history of bacterial contamination and multiple drugs created there in the early 2000s violated safety standards.

According to the whistleblower, GSK’s ERM process failed in several respects to act on signs of non-compliance with CGMP. The company received warning letters from the U.S. Food and Drug Administration in 2001 about the plant’s practices, but did not resolve the issues. 

Additionally, the company didn’t act on the quality manager’s compliance report, which advised GSK to close the plant for two weeks to fix the problems and notify the FDA. According to court filings, plant staff merely skimmed rejected products and sold them on the black market. They also scraped by hand the inside of an antibiotic tank to get more product and, in so doing, introduced bacteria into the product.

Enterprise Risk Management Example in Consumer Packaged Goods

Mars Inc., an international candy and food company, developed an ERM process. The company piloted and deployed the initiative through workshops with geographic, product, and functional teams from 2003 to 2012. 

Driven by a desire to frame risk as an opportunity and to work within the company’s decentralized structure, Mars created a process that asked participants to identify potential risks and vote on which had the highest probability. The teams listed risk mitigation steps, then ranked and color-coded them according to probability of success. 

Larry Warner, a Mars risk officer at the time, illustrated this process in a case study. An initiative to increase direct-to-consumer shipments by 12 percent was colored green, indicating a 75 percent or greater probability of achievement. The initiative to bring a new plant online by the end of Q3 was coded red, meaning less than a 50 percent probability of success.

The company’s results were hurt by a surprise at an operating unit that stemmed from a risk coded red in a unit workshop. Executives had agreed that some red risk profile was to be expected, but they decided that when a unit encountered a red issue, it must be communicated upward when first identified. This became a rule.

This process led to the creation of an ERM dashboard that listed initiatives in priority order, with the profile of each risk faced in the quarter, the risk profile trend, and a comment column for a year-end view. 

According to Warner, the key factors of success for ERM at Mars are as follows:

  • The initiative focused on achieving operational and strategic objectives rather than compliance, which refers to adhering to established rules and regulations.
  • The program evolved, often based on requests from business units, and incorporated continuous improvement. 
  • The ERM team did not overpromise. It set realistic objectives.
  • The ERM team periodically surveyed business units, management teams, and board advisers.

Enterprise Risk Management Example in Retail

Walmart is the world’s biggest retailer. As such, the company understands that its risk makeup is complex, given the geographic spread of its operations and its large number of stores, vast supply chain, and high profile as an employer and buyer of goods. 

In the 1990s, the company sought a simplified strategy for assessing risk and created an enterprise risk management plan with five steps founded on these four questions:

  • What are the risks?
  • What are we going to do about them?
  • How will we know if we are raising or decreasing risk?
  • How will we show shareholder value?

The process follows these five steps:

  • Risk Identification: Senior Walmart leaders meet in workshops to identify risks, which are then plotted on a graph of probability vs. impact. Doing so helps to prioritize the biggest risks. The executives then look at seven risk categories (both internal and external): legal/regulatory, political, business environment, strategic, operational, financial, and integrity. Many ERM pros use risk registers to evaluate and determine the priority of risks. You can download templates that help correlate risk probability and potential impact in “Free Risk Register Templates.”
  • Risk Mitigation: Teams that include operational staff in the relevant area meet. They use existing inventory procedures to address the risks and determine if the procedures are effective.
  • Action Planning: A project team identifies and implements next steps over the several months to follow.
  • Performance Metrics: The group develops metrics to measure the impact of the changes. They also look at trends of actual performance compared to goal over time.
  • Return on Investment and Shareholder Value: In this step, the group assesses the changes’ impact on sales and expenses to determine if the moves improved shareholder value and ROI.

To develop your own risk management planning, you can download a customizable template in “Risk Management Plan Templates.”

Enterprise Risk Management Example in Agriculture

United Grain Growers (UGG), a Canadian grain distributor that now is part of Glencore Ltd., was hailed as an ERM innovator and became the subject of business school case studies for its enterprise risk management program. This initiative addressed the risks associated with weather for its business. Crop volume drove UGG’s revenue and profits. 

In the late 1990s, UGG identified its major unaddressed risks. Using almost a century of data, risk analysts found that extreme weather events occurred 10 times as frequently as previously believed. The company worked with its insurance broker and the Swiss Re Group on a solution that added grain-volume risk (resulting from weather fluctuations) to its other insured risks, such as property and liability, in an integrated program. 

The result was insurance that protected grain-handling earnings, which comprised half of UGG’s gross profits. The greater financial stability significantly enhanced the firm’s ability to achieve its strategic objectives. 

Since then, the number and types of instruments to manage weather-related risks have multiplied rapidly. For example, over-the-counter derivatives, such as futures and options, began trading in 1997. The Chicago Mercantile Exchange now offers weather futures contracts on 12 U.S. and international cities.

Weather derivatives are linked to climate factors such as rainfall or temperature, and they hedge different kinds of risks than does insurance. These risks are much more common (e.g., a cooler-than-normal summer) than the earthquakes and floods that insurance typically covers. And the holders of derivatives do not have to incur any damage to collect on them.

These weather-linked instruments have found a wider audience than anticipated, including retailers that worry about freak storms decimating Christmas sales, amusement park operators fearing rainy summers will keep crowds away, and energy companies needing to hedge demand for heating and cooling.

This area of ERM continues to evolve because weather and crop insurance are not enough to address all the risks that agriculture faces. Arbol, Inc. estimates that more than $1 trillion of agricultural risk is uninsured. As such, it is launching a blockchain-based platform that offers contracts (customized by location and risk parameters) with payouts based on weather data. These contracts can cover risks associated with niche crops and small growing areas.

Enterprise Risk Management Example in Insurance

Switzerland’s Zurich Insurance Group understands that risk is inherent for insurers and seeks to practice disciplined risk-taking, within a predetermined risk tolerance. 

The global insurer’s enterprise risk management framework aims to protect capital, liquidity, earnings, and reputation. Governance serves as the basis for risk management, and the framework lays out responsibilities for taking, managing, monitoring, and reporting risks. 

The company uses a proprietary process called Total Risk Profiling (TRP) to monitor internal and external risks to its strategy and financial plan. TRP assesses risk on the basis of severity and probability, and helps define and implement mitigating moves. 

Zurich’s risk appetite sets parameters for its tolerance within the goal of maintaining enough capital to achieve an AA rating from rating agencies. For this, the company uses its own Zurich economic capital model, referred to as Z-ECM. The model quantifies risk tolerance with a metric that assesses risk profile vs. risk tolerance. 

To maintain the AA rating, the company aims to hold capital between 100 and 120 percent of capital at risk. Above 140 percent is considered overcapitalized (therefore at risk of throttling growth), and under 90 percent is below risk tolerance (meaning the risk is too high). On either side of 100 to 120 percent (90 to 100 percent and 120 to 140 percent), the insurer considers taking mitigating action. 

Zurich’s assessment of risk and the nature of those risks play a major role in determining how much capital regulators require the business to hold. A popular tool to assess risk is the risk matrix, and you can find a variety of templates in “Free, Customizable Risk Matrix Templates.”

In 2020, Zurich found that its biggest exposures were market risk, such as falling asset valuations and interest-rate risk; insurance risk, such as big payouts for covered customer losses, which it hedges through diversification and reinsurance; credit risk in assets it holds and receivables; and operational risks, such as internal process failures and external fraud.

Enterprise Risk Management Example in Technology

Financial software maker Intuit has strengthened its enterprise risk management through evolution, according to a case study by former Chief Risk Officer Janet Nasburg. 

The program is founded on the following five core principles:

  • Use a common risk framework across the enterprise.
  • Assess risks on an ongoing basis.
  • Focus on the most important risks.
  • Clearly define accountability for risk management.
  • Commit to continuous improvement of performance measurement and monitoring. 

ERM programs grow according to a maturity model, and as capability rises, the shareholder value from risk management becomes more visible and important. 

The maturity phases include the following:

  • Ad hoc risk management addresses a specific problem when it arises.
  • Targeted or initial risk management approaches risks with multiple understandings of what constitutes risk, and management occurs in silos.
  • Integrated or repeatable risk management puts in place an organization-wide framework for risk assessment and response. 
  • Intelligent or managed risk management coordinates risk management across the business, using common tools. 
  • Risk leadership incorporates risk management into strategic decision-making. 

Intuit emphasizes using key risk indicators (KRIs) to understand risks, along with key performance indicators (KPIs) to gauge the effectiveness of risk management. 

Early in its ERM journey, Intuit measured performance on risk management process participation and risk assessment impact. For participation, the targeted rate was 80 percent of executive management and business-line leaders. This helped benchmark risk awareness and current risk management, at a time when ERM at the company was not mature.

Conduct an annual risk assessment at corporate and business-line levels to plot risks, so the most likely and most impactful risks are graphed in the upper-right quadrant. Doing so focuses attention on these risks and helps business leaders understand the risk’s impact on performance toward strategic objectives. 

In the company’s second phase of ERM, Intuit turned its attention to building risk management capacity and sought to ensure that risk management activities addressed the most important risks. The company evaluated performance using color-coded status symbols (red, yellow, green) to indicate risk trend and progress on risk mitigation measures.

In its third phase, Intuit moved to actively monitoring the most important risks and ensuring that leaders modified their strategies to manage risks and take advantage of opportunities. An executive dashboard uses KRIs, KPIs, an overall risk rating, and red-yellow-green coding. The board of directors regularly reviews this dashboard.

Over this evolution, the company has moved from narrow, tactical risk management to holistic, strategic, and long-term ERM.

Enterprise Risk Management Case Studies by Principle

ERM veterans agree that in addition to KPIs and KRIs, other principles are equally important to follow. Below, you’ll find examples of enterprise risk management programs by principles.

ERM Principle #1: Make Sure Your Program Aligns with Your Values

Raytheon Case Study

U.S. defense contractor Raytheon states that its highest priority is delivering on its commitment to provide ethical business practices and abide by anti-corruption laws.

Raytheon backs up this statement through its ERM program. Among other measures, the company performs an annual risk assessment for each function, including the anti-corruption group under the Chief Ethics and Compliance Officer. In addition, Raytheon asks 70 of its sites to perform an anti-corruption self-assessment each year to identify gaps and risks. From there, a compliance team tracks improvement actions. 

Every quarter, the company surveys 600 staff members who may face higher anti-corruption risks, such as the potential for bribes. The survey asks them to report any potential issues in the past quarter.

Also on a quarterly basis, the finance and internal controls teams review higher-risk profile payments, such as donations and gratuities, to confirm accuracy and compliance. Oversight and compliance teams add other checks, and they update a risk-based audit plan continuously.

ERM Principle #2: Embrace Diversity to Reduce Risk

State Street Global Advisors Case Study

In 2016, the asset management firm State Street Global Advisors introduced measures to increase gender diversity in its leadership as a way of reducing portfolio risk, among other goals.

The company relied on research that showed that companies with more women senior managers had a better return on equity, reduced volatility, and fewer governance problems such as corruption and fraud. 

Among the initiatives was a campaign to influence companies where State Street had invested, in order to increase female membership on their boards. State Street also developed an investment product that tracks the performance of companies with the highest level of senior female leadership relative to peers in their sector. 

In 2020, the company announced some of the results of its effort. Among the 1,384 companies targeted by the firm, 681 added at least one female director.

ERM Principle #3: Do Not Overlook Resource Risks

Infosys Case Study

India-based technology consulting company Infosys, which employs more than 240,000 people, has long recognized the risk of water shortages to its operations.

India’s rapidly growing population and development have increased the risk of water scarcity. A 2020 report by the World Wide Fund for Nature said 30 cities in India faced the risk of severe water scarcity over the next three decades.

Infosys has dozens of facilities in India and considers water to be a significant short-term risk. At its campuses, the company uses the water for cooking, drinking, cleaning, restrooms, landscaping, and cooling. Water shortages could halt Infosys operations and prevent it from completing customer projects and reaching its performance objectives. 

In an enterprise risk assessment example, Infosys’ ERM team conducts corporate water-risk assessments while sustainability teams produce detailed water-risk assessments for individual locations, according to a report by the World Business Council for Sustainable Development.

The company uses the COSO ERM framework to respond to the risks and decide whether to accept, avoid, reduce, or share these risks. The company uses root-cause analysis (which focuses on identifying underlying causes rather than symptoms) and the site assessments to plan steps to reduce risks. 

Infosys has implemented various water conservation measures, such as water-efficient fixtures and water recycling, rainwater collection and use, recharging aquifers, underground reservoirs to hold five days of water supply at locations, and smart-meter usage monitoring. Infosys’ ERM team tracks metrics for per-capita water consumption, along with rainfall data, availability and cost of water by tanker trucks, and water usage from external suppliers. 

In the 2020 fiscal year, the company reported a nearly 64 percent drop in per-capita water consumption by its workforce from the 2008 fiscal year. 

The business advantages of this risk management include an ability to open locations where water shortages may preclude competitors, and being able to maintain operations during water scarcity, protecting profitability.

ERM Principle #4: Fight Silos for Stronger Enterprise Risk Management

U.S. Government Case Study

The terrorist attacks of September 11, 2001, revealed that the U.S. government’s then-current approach to managing intelligence was not adequate to address the threats, and, by extension, neither was the government’s risk management procedure. Since the Cold War, sensitive information had been managed on a “need to know” basis that resulted in data silos.

In the case of 9/11, this meant that different parts of the government knew some relevant intelligence that could have helped prevent the attacks. But no one had the opportunity to put the information together and see the whole picture. A congressional commission determined there were 10 lost operational opportunities to derail the plot. Silos existed between law enforcement and intelligence, as well as between and within agencies. 

After the attacks, the government moved toward greater information sharing and collaboration. Based on a task force’s recommendations, data moved from a centralized network to a distributed model, and social networking tools now allow colleagues throughout the government to connect. Staff began working across agency lines more often.

Enterprise Risk Management Examples by Scenario

While some scenarios are too unlikely to receive high-priority status, low-probability risks are still worth running through the ERM process. Robust risk management creates a culture and response capacity that better positions a company to deal with a crisis.

In the following enterprise risk examples, you will find scenarios and details of how organizations manage the risks they face.

Scenario: ERM and the Global Pandemic

While most businesses do not have the resources to do in-depth ERM planning for the rare occurrence of a global pandemic, companies with a risk-aware culture will be at an advantage if a pandemic does hit.

These businesses already have processes in place to escalate trouble signs for immediate attention and an ERM team or leader monitoring the threat environment. A strong ERM function gives clear and effective guidance that helps the company respond.

A report by Vodafone found that companies identified as “future ready” fared better in the COVID-19 pandemic. The attributes of future-ready businesses have a lot in common with those of companies that excel at ERM. These include viewing change as an opportunity; having detailed business strategies that are documented, funded, and measured; working to understand the forces that shape their environments; having roadmaps in place for technological transformation; and being able to react more quickly than competitors. 

Only about 20 percent of companies in the Vodafone study met the definition of “future ready.” But 54 percent of these firms had a fully developed and tested business continuity plan, compared to 30 percent of all businesses. And 82 percent felt their continuity plans worked well during the COVID-19 crisis. Nearly 50 percent of all businesses reported decreased profits, while 30 percent of future-ready organizations saw profits rise. 

Scenario: ERM and the Economic Crisis

The 2008 economic crisis in the United States resulted from the domino effect of rising interest rates, a collapse in housing prices, and a dramatic increase in foreclosures among mortgage borrowers with poor creditworthiness. This led to bank failures, a credit crunch, and layoffs, and the U.S. government had to rescue banks and other financial institutions to stabilize the financial system.

Some commentators said these events revealed the shortcomings of ERM because it did not prevent the banks’ mistakes or collapse. But Sim Segal, an ERM consultant and director of Columbia University’s ERM master’s degree program, analyzed how banks performed on 10 key ERM criteria. 

Segal says a risk-management program that incorporates all 10 criteria has these characteristics: 

  • Risk management has an enterprise-wide scope.
  • The program includes all risk categories: financial, operational, and strategic. 
  • The focus is on the most important risks, not all possible risks. 
  • Risk management is integrated across risk types.
  • Aggregated metrics show risk exposure and appetite across the enterprise.
  • Risk management incorporates decision-making, not just reporting.
  • The effort balances risk and return management.
  • There is a process for disclosure of risk.
  • The program measures risk in terms of potential impact on company value.
  • The focus of risk management is on the primary stakeholder, such as shareholders, rather than regulators or rating agencies.

In his book Corporate Value of Enterprise Risk Management, Segal concluded that most banks did not actually use ERM practices, which contributed to the financial crisis. He scored banks as failing on nine of the 10 criteria, only giving them a passing grade for focusing on the most important risks.

Scenario: ERM and Technology Risk

The story of retailer Target’s failed expansion to Canada, where it shut down 133 loss-making stores in 2015, has been well documented. But one dimension that analysts have sometimes overlooked was Target’s handling of technology risk.

A case study by Canadian Business magazine traced some of the biggest issues to software and data-quality problems that dramatically undermined the Canadian launch. 

As with other forms of ERM, technology risk management requires companies to ask what could go wrong, what the consequences would be, how they might prevent the risks, and how they should deal with the consequences. 

But with its technology plan for Canada, Target did not heed risk warning signs. 

In the United States, Target had custom systems for ordering products from vendors, processing items at warehouses, and distributing merchandise to stores quickly. But that software would need customization to work with the Canadian dollar, metric system, and French-language characters. 

Target decided to go with new ERP software on an aggressive two-year timeline. As Target began ordering products for the Canadian stores in 2012, problems arose. Some items did not fit into shipping containers or on store shelves, and information needed for customs agents to clear imported items was not correct in Target's system. 

Target found that its supply chain software data was full of errors. Product dimensions were in inches, not centimeters; height and width measurements were mixed up. An internal investigation showed that only about 30 percent of the data was accurate. 

In an attempt to fix these errors, Target merchandisers spent a week double-checking with vendors up to 80 data points for each of the retailer’s 75,000 products. They discovered that the dummy data entered into the software during setup had not been altered. To make any corrections, employees had to send the new information to an office in India where staff would enter it into the system. 

As the launch approached, the technology errors left the company vulnerable to stockouts, few people understood how the system worked, and the point-of-sale checkout system did not function correctly. Soon after stores opened in 2013, consumers began complaining about empty shelves. Meanwhile, Target Canada distribution centers overflowed due to excess ordering based on poor data fed into forecasting software. 

The rushed launch compounded problems because it did not allow the company enough time to find solutions or alternative technology. While the retailer fixed some issues by the end of 2014, it was too late. Target Canada filed for bankruptcy protection in early 2015. 

Scenario: ERM and Cybersecurity

System hacks and data theft are major worries for companies. But as a relatively new field, cyber-risk management faces unique hurdles.

For example, risk managers and information security officers have difficulty quantifying the likelihood and business impact of a cybersecurity attack. The rise of cloud-based software exposes companies to third-party risks that make these projections even more difficult to calculate. 

As the field evolves, risk managers say it’s important for IT security officers to look beyond technical issues, such as the need to patch a vulnerability, and instead look more broadly at business impacts to make a cost-benefit analysis of risk mitigation. Frameworks such as the Risk Management Framework for Information Systems and Organizations by the National Institute of Standards and Technology can help.

Health insurer Aetna considers cybersecurity threats as a part of operational risk within its ERM framework and calculates a daily risk score, adjusted with changes in the cyberthreat landscape. 

Aetna studies threats from external actors by working through information sharing and analysis centers for the financial services and health industries. Aetna staff reverse-engineers malware to determine controls. The company says this type of activity helps ensure the resiliency of its business processes and greatly improves its ability to help protect member information.

For internal threats, Aetna uses models that compare current user behavior to past behavior and identify anomalies. (The company says it was the first organization to do this at scale across the enterprise.) Aetna gives staff permissions to networks and data based on what they need to perform their job. This segmentation restricts access to raw data and strengthens governance. 

Another risk initiative scans outgoing employee emails for code patterns, such as credit card or Social Security numbers. The system flags the email, and a security officer assesses it before the email is released.
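A minimal sketch of the outbound-email pattern screen described above, added here as an illustration (it is not Aetna's system or code from the article). The regexes, the Luhn and SSN-range filters, the `screen` function and the sample messages are all assumptions constructed for this example.

```python
"""Outbound-mail screen: flag card numbers and SSNs, then hold for human review."""
import base64
import re
from dataclasses import dataclass, field
from email import message_from_string

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# SSN in its usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject ranges never issued: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    kind: str    # "card" or "ssn"
    masked: str  # only the last four digits are kept for the reviewer


@dataclass
class Verdict:
    action: str  # "HOLD_FOR_REVIEW" or "RELEASE"
    findings: list = field(default_factory=list)


def scan_text(text):
    """Return masked findings for one block of decoded text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(Finding("ssn", "***-**-" + m.group(3)))
    return found


def text_parts(msg):
    """Yield the subject and every text part, with transfer encoding undone."""
    yield msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def screen(raw_email):
    """Decide whether an outgoing message is released or held for an officer."""
    msg = message_from_string(raw_email)
    findings = [f for text in text_parts(msg) for f in scan_text(text)]
    return Verdict("HOLD_FOR_REVIEW" if findings else "RELEASE", findings)


# --- Constructed sample messages (addresses and numbers are test values) ---
HEADERS = "From: staff@example.com\nTo: partner@example.net\n"
SAMPLE_CARD = (HEADERS + "Subject: Invoice follow-up\n\n"
               "Customer card 4111 1111 1111 1111, expiry on file.\n")
# Base64 body: a scan of the raw message text would miss this one entirely.
SAMPLE_B64_SSN = (HEADERS + "Subject: Payroll correction\n"
                  "Content-Type: text/plain; charset=utf-8\n"
                  "Content-Transfer-Encoding: base64\n\n"
                  + base64.b64encode(b"Employee SSN is 123-45-6789\n").decode())
# Looks like a card and an SSN, but fails the Luhn and issued-range checks.
SAMPLE_CLEAN = (HEADERS + "Subject: Shipping update\n\n"
                "Order 1234 5678 9012 3456 shipped, reference 000-12-3456.\n")

if __name__ == "__main__":
    for name, raw in [("card", SAMPLE_CARD), ("base64 ssn", SAMPLE_B64_SSN),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, screen(raw))
```

Findings carry only masked values so the review queue does not become a second copy of the data being protected.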

Examples of Poor Enterprise Risk Management

Case studies of failed enterprise risk management often highlight mistakes that managers could and should have spotted — and corrected — before a full-blown crisis erupted. The focus of these examples is often on determining why that did not happen. 

ERM Case Study: General Motors

In 2014, General Motors recalled the first of what would become 29 million cars due to faulty ignition switches and paid compensation for 124 related deaths. GM knew of the problem for at least 10 years but did not act, the automaker later acknowledged. The company entered a deferred prosecution agreement and paid a $900 million penalty. 

Pointing to the length of time the company failed to disclose the safety problem, ERM specialists say it shows the problem did not reside with a single department. “Rather, it reflects a failure to properly manage risk,” wrote Steve Minsky, a writer on ERM and CEO of an ERM software company, in Risk Management magazine. 

“ERM is designed to keep all parties across the organization, from the front lines to the board to regulators, apprised of these kinds of problems as they become evident. Unfortunately, GM failed to implement such a program, ultimately leading to a tragic and costly scandal,” Minsky said.

Also in the auto sector, an enterprise risk management case study of Toyota looked at its problems with unintended acceleration of vehicles from 2002 to 2009. Several studies, including a case study by Carnegie Mellon University Professor Phil Koopman, blamed poor software design and company culture. A whistleblower later revealed a coverup by Toyota. The company paid more than $2.5 billion in fines and settlements.

ERM Case Study: Lululemon

In 2013, following customer complaints that its black yoga pants were too sheer, the athletic apparel maker recalled 17 percent of its inventory at a cost of $67 million. The company had previously identified risks related to fabric supply and quality. The CEO said the issue was inadequate testing. 

Analysts raised concerns about the company’s controls, including oversight of factories and product quality. A case study by Stanford University professors noted that Lululemon’s episode illustrated a common disconnect between identifying risks and being prepared to manage them when they materialize. Lululemon’s reporting and analysis of risks was also inadequate, especially as related to social media. In addition, the case study highlighted the need for a system to escalate risk-related issues to the board. 

ERM Case Study: Kodak 

Once an iconic brand, the photo film company failed for decades to act on the threat that digital photography posed to its business and eventually filed for bankruptcy in 2012. The company’s own research in 1981 found that digital photos could ultimately replace Kodak’s film technology and estimated it had 10 years to prepare. 

Unfortunately, Kodak did not prepare and stayed locked into the film paradigm. The board reinforced this course when in 1989 it chose as CEO a candidate who came from the film business over an executive interested in digital technology. 

Had the company acknowledged the risks and employed ERM strategies, it might have pursued a variety of strategies to remain successful. The company’s rival, Fuji Film, took the money it made from film and invested in new initiatives, some of which paid off. Kodak, on the other hand, kept investing in the old core business.

Case Studies of Successful Enterprise Risk Management

Successful enterprise risk management usually requires strong performance in multiple dimensions, and is therefore more likely to occur in organizations where ERM has matured. The following examples of enterprise risk management can be considered success stories. 

ERM Case Study: Statoil 

A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential. Taking risks is vital in a business that depends on finding new oil reserves. 

According to a case study, the company developed its own framework founded on two basic goals: creating value and avoiding accidents.

The company aims to understand risks thoroughly, and unlike many ERM programs, Statoil maps risks on both the downside and upside. It graphs risk on probability vs. impact on pre-tax earnings, and it examines each risk from both positive and negative perspectives. 

For example, the case study cites a risk that the company assessed as having a 5 percent probability of a somewhat better-than-expected outcome but a 10 percent probability of a significant loss relative to forecast. In this case, the downside risk was greater than the upside potential.

ERM Case Study: Lego 

The Danish toy maker’s ERM evolved over the following four phases, according to a case study by one of the chief architects of its program:

  • Traditional management of financial, operational, and other risks. Strategic risk management joined the ERM program in 2006. 
  • The company added Monte Carlo simulations in 2008 to model financial performance volatility so that budgeting and financial processes could incorporate risk management. The technique is used in budget simulations, to assess risk in its credit portfolio, and to consolidate risk exposure. 
  • Active risk and opportunity planning is part of making a business case for new projects before final decisions.
  • The company prepares for uncertainty so that long-term strategies remain relevant and resilient under different scenarios. 

As part of its scenario modeling, Lego developed its PAPA (park, adapt, prepare, act) model. 

  • Park: The company parks risks that occur slowly and have a low probability of happening, meaning it neither forgets them nor actively deals with them.
  • Adapt: This response is for risks that evolve slowly and are certain or highly probable to occur. For example, a risk in this category is the changing nature of play and the evolution of buying power in different parts of the world. In this phase, the company adjusts, monitors the trend, and follows developments.
  • Prepare: This category includes risks that have a low probability of occurring — but when they do, they emerge rapidly. These risks go into the ERM risk database with contingency plans, early warning indicators, and mitigation measures in place.
  • Act: These are high-probability, fast-moving risks that must be acted upon to maintain strategy. For example, developments around connectivity, mobile devices, and online activity are in this category because of the rapid pace of change and the influence on the way children play. 

Lego views risk management as a way to better equip itself to take risks than its competitors. In the case study, the writer likens this approach to the need for the fastest race cars to have the best brakes and steering to achieve top speeds.

ERM Case Study: University of California 

The University of California, one of the biggest U.S. public university systems, introduced a new view of risk to its workforce when it implemented enterprise risk management in 2005. Previously, the function was merely seen as a compliance requirement.

ERM became a way to support the university’s mission of education and research, drawing on collaboration of the system’s employees across departments. “Our philosophy is, ‘Everyone is a risk manager,’” Erike Young, deputy director of ERM told Treasury and Risk magazine. “Anyone who’s in a management position technically manages some type of risk.”

The university faces a diverse set of risks, including cybersecurity, hospital liability, reduced government financial support, and earthquakes.  

The ERM department had to overhaul systems to create a unified view of risk because its information and processes were not linked. Software enabled both an organizational picture of risk and highly detailed drilldowns on individual risks. Risk managers also developed tools for risk assessment, risk ranking, and risk modeling. 

Better risk management has provided more than $100 million in annual cost savings and nearly $500 million in cost avoidance, according to UC officials. 

UC drives ERM with risk management departments at each of its 10 locations and leverages university subject matter experts to form multidisciplinary workgroups that develop process improvements.

APQC, a standards quality organization, recognized UC as a top global ERM practice organization, and the university system has won other awards. The university says in 2010 it was the first nonfinancial organization to win credit-rating agency recognition of its ERM program.

Examples of How Technology Is Transforming Enterprise Risk Management

Business intelligence software has propelled major progress in enterprise risk management because the technology enables risk managers to bring their information together, analyze it, and forecast how risk scenarios would impact their business.

ERM organizations are using computing and data-handling advancements such as blockchain for new innovations in strengthening risk management. Following are case studies of a few examples.

ERM Case Study: Bank of New York Mellon 

In 2021, the bank joined with Google Cloud to use machine learning and artificial intelligence to predict and reduce the risk that transactions in the $22 trillion U.S. Treasury market will fail to settle. Settlement failure means a buyer and seller do not exchange cash and securities by the close of business on the scheduled date. 

The party that fails to settle is assessed a daily financial penalty, and a high level of settlement failures can indicate market liquidity problems and rising risk. BNY says that, on average, about 2 percent of transactions fail to settle.

The bank trained models with millions of trades to consider every factor that could result in settlement failure. The service uses market-wide intraday trading metrics, trading velocity, scarcity indicators, volume, the number of trades settled per hour, seasonality, issuance patterns, and other signals. 

The bank said it predicts about 40 percent of settlement failures with 90 percent accuracy. But it also cautioned against overconfidence in the technology as the model continues to improve. 

AI-driven forecasting reduces risk for BNY clients in the Treasury market and saves costs. For example, a predictive view of settlement risks helps bond dealers more accurately manage their liquidity buffers, avoid penalties, optimize their funding sources, and offset the risks of failed settlements. In the long run, such forecasting tools could improve the health of the financial market. 

ERM Case Study: PwC

Consulting company PwC has leveraged a vast information storehouse known as a data lake to help its customers manage risk from suppliers.

A data lake stores both structured and unstructured information, meaning data in highly organized, standardized formats as well as unstandardized data. This means that everything from raw audio to credit card numbers can live in a data lake.

Using techniques pioneered in national security, PwC built a risk data lake that integrates information from client companies, public databases, user devices, and industry sources. Algorithms find patterns that can signify unidentified risks.

One of PwC’s first uses of this data lake was a program to help companies uncover risks from their vendors and suppliers. Companies can violate laws, harm their reputations, suffer fraud, and risk their proprietary information by doing business with the wrong vendor. 

Today’s complex global supply chains mean companies may be several degrees removed from the source of this risk, which makes it hard to spot and mitigate. For example, a product made with outlawed child labor could be traded through several intermediaries before it reaches a retailer. 

PwC’s service helps companies recognize risk beyond their primary vendors and continue to monitor that risk over time as more information enters the data lake.

ERM Case Study: Financial Services

As analytics have become a pillar of forecasting and risk management for banks and other financial institutions, a new risk has emerged: model risk. This refers to the risk that machine-learning models will lead users to an unreliable understanding of risk or have unintended consequences.

For example, a 6 percent drop in the value of the British pound over the course of a few minutes in 2016 stemmed from currency trading algorithms that spiralled into a negative loop. A Twitter-reading program began an automated selling of the pound after comments by a French official, and other selling algorithms kicked in once the currency dropped below a certain level.

U.S. banking regulators are so concerned about model risk that the Federal Reserve set up a model validation council in 2012 to assess the models that banks use in running risk simulations for capital adequacy requirements. Regulators in Europe and elsewhere also require model validation.

A form of managing risk from a risk-management tool, model validation is an effort to reduce risk from machine learning. The technology-driven rise in modeling capacity has caused such models to proliferate, and banks can use hundreds of models to assess different risks. 

Model risk management can reduce rising costs for modeling by an estimated 20 to 30 percent by building a validation workflow, prioritizing models that are most important to business decisions, and implementing automation for testing and other tasks, according to McKinsey.


How to Make a Risk Management Plan (Template Included)

ProjectManager

You identify them, record them, monitor them and plan for them: risks are an inherent part of every project. Some project risks are bound to become problem areas—like executing a project over the holidays and having to plan the project timeline around them. But there are many risks within any given project that, without risk assessment and risk mitigation strategies, can come as unwelcome surprises to you and your project management team.

That’s where a risk management plan comes in: to help mitigate risks before they become problems. But first, what is project risk management?

What Is Risk Management?

Risk management is an arm of project management that deals with managing potential project risks. Managing your risks is arguably one of the most important aspects of project management.

The risk management process has these main steps:

  • Risk Identification: The first step to manage project risks is to identify them. You’ll need to use data sources such as information from past projects or subject matter experts’ opinions to estimate all the potential risks that can impact your project.
  • Risk Assessment: Once you have identified your project risks, you’ll need to prioritize them by looking at their likelihood and level of impact.
  • Risk Mitigation: Now it’s time to create a contingency plan with risk mitigation actions to manage your project risks. You also need to define which team members will be risk owners, responsible for monitoring and controlling risks.
  • Risk Monitoring: Risks must be monitored throughout the project life cycle so that they can be controlled.

If one risk that’s passed your threshold has its conditions met, it can put your entire project plan in jeopardy. There isn’t usually just one risk per project, either; there are many risk categories that require assessment and discussion with your stakeholders.

That’s why risk management needs to be both a proactive and reactive process that is constant throughout the project life cycle. Now let’s define what a risk management plan is.

What Is a Risk Management Plan?

A risk management plan defines how your project’s risk management process will be executed. That includes the budget, tools and approaches that will be used to perform risk identification, assessment, mitigation and monitoring activities.


A risk management plan usually includes:

  • Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.
  • Risk Register: A risk register is a chart where you can document all the risk identification information of your project.
  • Risk Breakdown Structure: It’s a chart that allows you to identify risk categories and the hierarchical structure of project risks.
  • Risk Assessment Matrix: A risk assessment matrix allows you to analyze the likelihood and the impact of project risks so you can prioritize them.
  • Risk Response Plan: A risk response plan is a project management document that explains the risk mitigation strategies that will be employed to manage your project risks.
  • Roles and responsibilities: The risk management team members have responsibilities as risk owners. They need to monitor project risks and supervise their risk response actions.
  • Budget: Have a section where you identify the funds required to perform your risk management activities.
  • Timing: Include a section to define the schedule for the risk management activities.

How to Make a Risk Management Plan

For every web design and development project, construction project or product design, there will be risks. That’s truly just the nature of project management. But that’s also why it’s always best to get ahead of them as much as possible by developing a risk management plan. The steps to make a risk management plan are outlined below.

1. Risk Identification

Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered “known risks,” others might require additional research to discover.

You can create a risk breakdown structure to identify all your project risks and classify them into risk categories. You can do this by interviewing all project stakeholders and industry experts. Many project risks can be divided up into risk categories, like technical or organizational, and listed out by specific sub-categories like technology, interfaces, performance, logistics, budget, etc. Additionally, create a risk register that you can share with everyone you interviewed for a centralized location of all known risks revealed during the identification phase.

You can conveniently create a risk register for your project using online project management software. For example, use the list view on ProjectManager to capture all project risks, add what level of priority they are and assign a team member to own, identify and resolve them. Better than to-do list apps, you can attach files, add tags and monitor progress. Track the percentage complete and even view your risks from the project menu. Keep risks from derailing your project by signing up for a free trial of ProjectManager.


2. Risk Assessment

In this next phase, you’ll review the qualitative and quantitative impact of the risk (such as the likelihood of the risk occurring versus the impact it would have on your project) and map that out into a risk assessment matrix.

First, you’ll do this by assigning the risk likelihood a score from low probability to high probability. Then, you’ll map out your risk impact from low to medium to high and assign each a score. This will give you an idea of how likely the risk is to impact the success of the project, as well as how urgent the response will need to be.

To make it efficient for all risk management team members and project stakeholders to understand the risk assessment matrix, assign an overall risk score by multiplying your impact level score with your risk probability score.

3. Create a Risk Response Plan

A risk response is the action plan that is taken to mitigate project risks when they occur. The risk response plan includes the risk mitigation strategies that you’ll execute to mitigate the impact of risks in your project. Doing this usually comes with a price—at the expense of your time, or your budget. So you’ll want to allocate resources, time and money for your risk management needs prior to creating your risk management plan.

4. Assign Risk Owners

Additionally, you’ll also want to assign a risk owner to each project risk. Those risk owners become accountable for monitoring the risks that are assigned to them and supervising the execution of the risk response if needed.


When you create your risk register and risk assessment matrix, list out the risk owners, that way no one is confused as to who will need to implement the risk response strategies once the project risks occur, and each risk owner can take immediate action.

Be sure to record what the exact risk response is for each project risk with a risk register and have your risk response plan approved by all stakeholders before implementation. That way you can have a record of the issue and the resolution to review once the entire project is finalized.

5. Understand Your Triggers

This can happen with or without a risk already having impacted your project—especially during project milestones as a means of reviewing project progress. If they have, consider reclassifying those existing risks.

Even if those triggers haven’t been met, it’s best to come up with a backup plan as the project progresses—maybe the conditions for a certain risk won’t exist after a certain point has been reached in the project.

6. Make a Backup Plan

Consider your risk register and risk assessment matrix a living document. Your project risks can change in classification at any point during your project, and because of that, it’s important you come up with a contingency plan as part of your process.

Contingency planning includes discovering new risks during project milestones and reevaluating existing risks to see if any conditions for those risks have been met. Any reclassification of a risk means adjusting your contingency plan just a little bit.

7. Measure Your Risk Threshold

Measuring your risk threshold is all about discovering which risk is too high and consulting with your project stakeholders to consider whether or not it’s worth it to continue the project, whether in time, money or scope.

Here’s how the risk threshold is typically determined: consider your risks that have a score of “very high”, or more than a few “high” scores, and consult with your leadership team and project stakeholders to determine if the project itself may be at risk of failure. Project risks that require additional consultation are risks that have passed the risk threshold.

To keep a close eye on risks as they raise issues in your project, use project management software. ProjectManager has real-time dashboards that are embedded in our tool, unlike other software where you have to build them yourself. We automatically calculate the health of your project, checking if you’re on time or running behind. Get a high-level view of how much you’re spending, progress and more. The quicker you identify risk, the faster you can resolve it.

Free Risk Management Plan Template

This free risk management plan template will help you prepare your team for any risks inherent in your project. This Word document includes sections for your risk management methodology, risk register, risk breakdown structure and more. It’s so thorough, you’re sure to be ready for whatever comes your way. Download your template today.


Best Practices for Maintaining Your Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient budget, via modeling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of the project life cycle, from beginning to end. So the best practices are to focus on the monitoring phase of the risk management plan. Continue to evaluate and reevaluate your risks and their scores, and address risks at every project milestone.

Project dashboards and other risk tracking features can be a lifesaver when it comes to maintaining your risk management plan. Watch the video below to see just how important project management dashboards, live data and project reports can be when it comes to keeping your projects on track and on budget.

In addition to your routine risk monitoring, at each milestone, conduct another round of interviews with the same checklist you used at the beginning of the project, and re-interview project stakeholders, risk management team members, customers (if applicable) and industry experts.

Record their answers, adjust your risk register and risk assessment matrix if necessary, and report all relevant updates of your risk management plan to key project stakeholders. This process and level of transparency will help you to identify any new risks to be assessed and will let you know if any previous risks have expired.

How ProjectManager Can Help With Your Risk Management Plan

A risk management plan is only as good as the risk management features you have to implement and track them. ProjectManager is online project management software that lets you view risks directly in the project menu. You can tag risks as open or closed and even make a risk matrix directly in the software. You get visibility into risks and can track them in real time, sharing and viewing the risk history.


Track & Monitor Risks in Real Time

Managing risk is only the start. You must also monitor risk and track it from the point that you first identified it. Real-time dashboards give you a high-level view of slippage, workload, cost and more. Customizable reports can be shared with stakeholders and filtered to show only what they need to see. Risk tracking has never been easier.


Risks are bound to happen no matter the project. But if you have the right tools to better navigate the risk management planning process, you can better mitigate errors. ProjectManager is online project management software that updates in real time, giving you all the latest information on your risks, issues and changes. Start a free 30-day trial and start managing your risks better.


Successful implementation of project risk management in small and medium enterprises: a cross-case analysis

International Journal of Managing Projects in Business

ISSN : 1753-8378

Article publication date: 16 February 2021

Issue publication date: 20 May 2021

Purpose

Despite the emergence and strategic importance of project risk management (PRM), its diffusion is limited mainly to large companies, leaving a lack of empirical evidence addressing SMEs. Given the socio-economic importance of SMEs and their need to manage risks to ensure the success of their strategic and innovative projects, this research aims to investigate how to adopt PRM in SMEs with a positive cost–benefit ratio.

Design/methodology/approach

This study presents an exploratory and explanatory research conducted through multiple-case studies involving 10 projects performed in Spanish and Italian small and medium-sized enterprises (SMEs).

Findings

The results obtained highlight how project features (commitment type, innovativeness, strategic relevance and managerial complexity) and firms' characteristics (sector of activity, production system and access to public incentives) influence PRM adoption, leading to different levels and types of benefits.

Originality/value

The paper offers practical indications about PRM phases, activities, tools and organizational aspects to be considered in different contexts to ensure the project's success and, ultimately, the company's growth and sustainability. Such indications could not be found in the literature.

  • Project risk management
  • Project management
  • Successful implementation

Ferreira de Araújo Lima, P., Marcelino-Sadaba, S. and Verbano, C. (2021), "Successful implementation of project risk management in small and medium enterprises: a cross-case analysis", International Journal of Managing Projects in Business, Vol. 14 No. 4, pp. 1023-1045. https://doi.org/10.1108/IJMPB-06-2020-0203

Emerald Publishing Limited

Copyright © 2020, Priscila Ferreira de Araújo Lima, Sara Marcelino-Sadaba and Chiara Verbano

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode

1. Introduction

Risk Management (RM) is a very relevant process that can be related to many companies' survival. The strategic plan of the enterprises is frequently implemented by tackling projects, so project risk management (PRM) has arisen as a very important approach. Taking into account that SMEs make a very relevant contribution to the economy (Turner et al., 2010), the analysis and the understanding of the key processes of PRM in SMEs is a relevant and pressing question, and the guidelines and tools used by large firms are usually too expensive or too complex to be suitable for SMEs (Pereira et al., 2015).

Although the relationship between the utilization of a project management (PM) methodology and project success has been well established ( Joslin and Müller, 2015 ), a review of the literature shows that there is not enough deep case analysis about how SMEs have implemented an RM methodology and how the project and the company benefit from it. Therefore, this study aims to understand how PRM can be adopted by SMEs with a positive cost–benefits ratio, considering the managerial and organizational aspects.

Experiences of empirical investigations about RM in other areas, such as portfolio management, project control, multicultural environments, stakeholder management or value creation, have been analysed, but they have not taken into account the RM and the specific characteristics of SMEs (Teller and Kock, 2013; Lin et al., 2019; Liu et al., 2015; Xia et al., 2018; Willumsen et al., 2019). Rodney et al. (2015) have developed an integrated model that simultaneously represents RM and all the PM processes, including the environmental factors, but requires the project manager's effort in establishing different scenarios and identifying and analysing different risks. Nevertheless, the resources that are needed to support the application of this model, in terms of time, costs and knowledge, are usually beyond the capability and affordability of SMEs. These resource-related constraints increase the SMEs' vulnerability and lead them to an additional need for PRM adoption (Blanc Alquier and Lagasse Tignol, 2006; Dallago and Guglielmetti, 2012).

However, the literature on RM has focused mainly on large companies, leaving a gap of empirical evidence addressing small companies (Kim and Vonortas, 2014). A recent literature review conducted on the development paths of RM in SMEs identified the PRM stream as an emerging and relevant field of application that has been only slightly studied (de Araújo Lima et al., 2020).

Given this gap of knowledge, the current study aims at contributing meaningfully to understanding how PRM processes have been implemented in SMEs. Based on the analysis of 10 cases, the benefits of efficiently conducting PRM along the project lifecycle have been identified. Moreover, this paper depicts the enabling and hindering factors for SMEs to successfully adopt PRM with a positive cost–benefit ratio, in projects with different features and in different types of industries.

Additionally, these findings have allowed the researchers to obtain different clusters with specific procedures to follow in order to obtain different levels of benefits in the project. They also provide SME project managers with indications about RM-specific tools that are appropriate for particular innovation levels or specific economic sectors.

The following section presents the results of an in-depth search for previous publications related to PRM and, more specifically, to PRM in SMEs. As described in Section 3, the main aim of this paper is to identify how to implement PRM in SMEs so as to reach high benefits without many resources. This research has been performed through a deep multiple-case study involving 10 projects conducted in Spanish and Italian SMEs. The objectives and methodology applied in the investigation are also detailed in that section. The results obtained are included in Section 4, organized into within-case analysis and cross-case analysis. The implications of these results are discussed in the following section, where the different clusters that have been identified – according to the level of benefits obtained through the implementation of PRM – are explained.

2. Literature review

2.1 Project risk management

The specific characteristics of the projects, such as novelty, uniqueness, high number of stakeholders and temporality, indicate that RM is useful to successfully achieve the project's objectives ( PMI, 2017 ). PRM is an integral part of PM, a process in which methods, knowledge, tools and techniques are applied to a project, integrating the various phases of a project's lifecycle in order to achieve its goal ( ISO 21500, 2012 ; PMI, 2017 ).

According to the Project Management Book of Knowledge (PMBoK), all projects involve associated risks, the positive side of which facilitates achieving certain benefits (PMI, 2017). Some of the overall qualitative definitions of risk are the possibility of an unfortunate occurrence, the consequences of the activity and associated uncertainties and the deviation from a reference value (Aven, 2016). A common definition of risk related to PM is an uncertain event or condition that, if it takes place, has both negative and positive effects on the project's objectives (PMI, 2017; ISO 31000, 2018; Pritchard and PMP, 2014; APM, 2004; TSO, 2009). Therefore, organizations must achieve, through PRM, a balance between the risk assumed and the expected benefit.

RM is considered one of the most relevant areas in the training of project managers ( Nguyen et al ., 2017 ); even the project stakeholders expect them to analyse the different risks that can affect projects.

The way risk is understood and described strongly influences the way risk is analysed, and hence it may have serious implications for RM and decision-making ( Aven, 2016 ). It is also important to consider risk as systemic as it allows the investigation of the interactions between risks and encourages the management of the causality of relationships between them, thus forcing a more holistic appreciation of the project risks ( Ackermann et al. , 2007 ).

  • Technical-operative risks: technology selection, risks related to materials and equipment, risks related to change requests and their implementation, design risks
  • Organizational risks related to human factors (organizational, individual, project team): risks derived from regulations, policies, behaviour (lack of coordination/integration, human mistakes related to lack of knowledge)
  • Contract risks: risks of the contract related to the project
  • Financial/economic risks: inflation, interest rates fluctuation, exchange rate fluctuation
  • Political risk: environmental authorizations, governmental authorizations

The RM process defined in ISO 31000:2018 is composed of the following phases: initiate (context analysis); identify (risk identification); analyse (qualification and quantification); treatment (plan and implement) and risk monitor and control (monitoring and re-evaluation). The process must be continuous throughout the project lifecycle to increase the chances of the project's success ( Raz and Michael, 2001 ).

Within these processes, communication acquires great importance within RM and is a key element in its success, but only Portman (2009) specifically analyses it. Communication is the basis that allows the entire project team (including the main stakeholders) to understand the context of the project to develop the PRM approach. It is also necessary to define the support structure to address the risks that materialize and to monitor them by periodically communicating the status of defined indicators.

RM helps to achieve project objectives in a much more efficient way as it facilitates the proactive management of problems and the maximization of benefits if opportunities materialize ( Elkington and Smallman, 2002 ; Borge, 2002 ). Teams work with greater confidence and a lower level of stress, which increases their effectiveness ( APM, 2004 ). However, it is clear that a large number of project managers still believe that RM involves a great deal of work, for which they do not have time, and this is particularly common in projects addressed by SMEs ( Marcelino-Sádaba et al. , 2014 ).

One of the biggest issues in performing RM is the lack of systematic risk identification methods that provide characteristic taxonomies for specific project types based on lessons learned from similar projects ( Pellerin and Perrier, 2019 ).

2.2 Project risk management in SMEs

The importance of PRM carried out in SMEs has been analysed and highlighted in the literature (Blanc Alquier and Lagasse Tignol, 2006; Naude and Chiweshe, 2017). For SMEs, PRM should be carried out at an early stage in the strategic selection of projects to be implemented because the success of those projects has a great influence on the firm's survival. However, as Vacik et al. (2018) indicate in their study, only 4% of the companies they studied used risk measurement methodologies in their decision-making, with the others carrying out the process in a qualitative way.

Some studies are available to assist SMEs in identifying and managing risks in specific business sectors; for example in ICT, where software projects are characterized by a high level of uncertainty in the definition of requirements, RM acquires great importance for SME project management (Neves et al., 2014). There are other studies about risk identification and management in this area, including those of Sharif et al. (2013), Lam et al. (2017) and Taherdoost et al. (2016).

Despite the fact that different web tools have been developed for SMEs to solve their biggest difficulties in RM ( Sharif and Rozan, 2010 ; Pereira et al. , 2015 ), RM is generally carried out in person by the project manager due to the high cost of a tool and the need for qualified staff to use it.

Many sectors, such as IT, construction and design, usually work by projects and therefore have information on the specific risks associated with them. In the construction sector, for instance, different analyses, methodologies and tools for RM could be identified (Tang et al., 2009; Rostami et al., 2015; Oduoza et al., 2017; Hwang et al., 2014). The main problems – lack of time and budget – arise when implementing RM among SMEs in this sector.

Tupa et al. (2017) and Moeuf et al. (2020) have analysed the risks and opportunities inherent to SMEs in the new paradigm brought by Industry 4.0, in which relationships between people and systems are characterized by high connectivity and a significant quantity of data and information to manage. As a result, a new information security risk has emerged. In addition, due to the new connection systems, it will be possible to establish new information flows that update the indicators established for RM. Due to the great importance of decision-making in project success, the training of project managers in these disciplines is one of the key factors that will affect PRM in the future.

Sanchez-Cazorla et al. (2016) concluded in their study of PRM, “Risk Identification in Megaprojects”, that further empirical studies are required to provide process information over the project lifecycle. The literature review also shows that there are not enough studies on how PRM could be adapted to SMEs.

Although Marcelino et al. (2014) established a methodology related to the project lifecycle and Lima and Verbano (2019) analysed how to implement a PRM methodology with a positive cost–benefit ratio, more studies are needed about the real practice of RM in SMEs, best practices in this area and how to adapt them to different economic sectors, company sizes or types of projects addressed.

From the literature review, it could be concluded that specific methodologies are needed for SMEs in order to tackle PRM in an effective way. Nevertheless, not many methodologies in the literature are suitable for SMEs and their specific characteristics since these methodologies require a great amount of resources or the availability of specific tools and software that SMEs usually do not have.

This paper presents a more detailed analysis of the process developed to obtain good practice patterns according to the different economic sectors and types of projects.

3. Objective and methodology

RQ1. What are the main RM phases, activities, tools and organizational aspects adopted by SMEs in the PRM process?

RQ2. What are the evidences and outcomes of PRM adoption in SMEs?

RQ3. What are the enabling and hindering factors to perform PRM in SMEs?

In particular, RQ1 and RQ3 are formulated to understand how to adopt PRM in SMEs, and RQ2 is defined to identify the evidences and outcomes deriving from a successful PRM adoption.

To achieve the research objective and answer the research questions, an exploratory and explanatory research through multiple case studies was conducted as it is the most suitable methodology for this type of research ( Voss et al ., 2002 ; Eisenhardt and Graebner, 2007 ; Yin, 2009 ).

To this extent, a specific empirical framework proposed by Lima and Verbano (2019) for analysing multiple cases of PRM adoption in SMEs was used since it is the only one available in literature in order to analyse cases with objectives similar to the ones in this study. In Figure 1 the process followed to build the framework and the main constructs and variables investigated with the questionnaire can be observed.

The final questionnaire is structured in nine sections reflecting the framework:

(1) Company and respondents profile;

(2) Project overview (i.e. objectives, type of commitment, innovativeness, strategic relevance and managerial complexity of the project);

(3) PRM organization (people involved, training, procedures);

(4) PRM plan, risks and opportunities considered;

(5-8) for each PRM phase (risk identification, analysis, treatment, monitoring and control), the activities, tools and difficulties faced; finally, PRM hindering and enabling factors were analysed for the whole process;

(9) Evidences and outcomes of the PRM adoption (i.e. the benefits, time and costs of PRM implementation).

The questionnaire included close-ended questions (i.e. number of employees, total cost of the project, etc.), perception questions on a 5-point Likert scale (regarding for example the level of technology innovativeness of the project and the benefits obtained from PRM) and open-ended questions (concerning, for example, the activities and tools adopted and the difficulties faced in each PRM phase, the enabling and hindering factors for PRM adoption). The choice of the type of questions depends on:

  • the qualitative or quantitative nature of the specific object investigated,
  • its degree of novelty (i.e. there is a gap in the literature regarding the measurement of PRM benefits; therefore they have been investigated mostly with perception questions),
  • the interrelation among the specific object with other variables, leading to more significant comprehension with an open-ended question.

The semi-structured interviews, using this questionnaire, were the primary source of data collection, supplemented with documents related to the project.

A pilot case belonging to the ICT service industry was selected in order to test the questionnaire. In particular, this project was chosen considering the large experience of the project manager and his willingness to collaborate in the study; therefore, this pilot case was very useful to verify the comprehensibility and validity of the questionnaire and to improve it. Nevertheless, this study was then excluded from the cases analysed because the company was expanding beyond the limits set for SMEs. Once the questionnaire had been verified, the sampling of the cases started.

The project was the unit of analysis of the research, and three characteristics were necessary to fit the selection criteria: a project with PRM implementation; a cost–benefit ratio of PRM adoption higher than 1 and a project developed in an SME.

In order to obtain a broad sample and gain a deeper understanding of the topic of interest in different scenarios, heterogeneity among the cases was necessary. Therefore, in addition to the requested project's features, the researchers selected projects from different industrial sectors and with different end users (external or internal), in order to guarantee the external validity of the research ( Yin, 2009 ). An overview of the 10 selected cases with the main characteristics of the project is displayed in Table 1 .

All interviews were conducted on-site and, to avoid bias and ensure the construct's validity (Voss et al., 2002), at least two people who were highly involved in the project (project manager, technical leader, project management consultant) responded to the questions individually. The interviews were about 90 min in length and were conducted in the respondents' native languages, which incentivized them to give more information about the project since they felt more comfortable during the process; for this reason, the questionnaire was translated into Italian and Spanish. After a preliminary analysis of the collected data, integrative information was often requested by phone or email, and a final verification with the respondents of the resulting project report was conducted. The last column of Table 1 displays the number of interviews and the number of interviewees respectively. The researchers have also analysed documents related to the project in order to increase data reliability and to ensure the project's internal validity through triangulation (Voss et al., 2002).

The interviews were recorded and transcribed for the data analysis. To analyse the collected data, the directed approach to content analysis, the goal of which is to validate or extend conceptually a theoretical framework or theory ( Hsieh and Shannon, 2005 ), was initially used. This approach consists of coding data before and during its analysis. After the initial coding through the semi-structured questionnaires, in order to refine the results, especially those that emerged from the open-ended questions, it was necessary to complete the coding process through a careful analysis of the interviews. As was indicated by Hsieh and Shannon (2005) , since the goal of the research was to identify and categorize all instances of a particular phenomenon, the recorded interviews were transcribed and inductively coded with descriptive coding (using a word or a specific phrase to aggregate the basic topics of the interview transcript) and in vivo coding methods (i.e. assigning a label corresponding to word or short phrase taken from the interview transcript). For example, one interviewee said that they “did not know well the risks”, while another one, in another case, said they needed “to understand well the risk”. Both these expressions were labelled as “lack of knowledge” regarding the possible impact of the risk. The resulting categories were important variables in the inter-cases comparisons.

The entirety of the coding process was done manually. Segments of data were initially summarized, and then pattern coding was applied independently by two research team members; any coding disagreements were discussed until agreement was reached on all coded portions of the interview, in order to overcome the reliability tests ( Tong et al ., 2007 ). Once this process was done, the within-case analysis was conducted. The aforementioned directed approach analysis and the coding process are part of the within-case data analysis. The main goal of a within-case analysis is to describe, understand and explain what has happened in the single case ( Miles et al. , 1994 ). After understanding each case individually, the cross-case analysis was performed, and, as supported by Myers (2000) , partial generalizations to similar populations were made.

The following cross-case analysis allows the researcher to strengthen a theory, built through examination of similarities and differences across cases. Eisenhardt (1989) states that analysing similarities and differences between pairs of cases is a powerful method to better understand the cases and obtain meaningful findings ( Eisenhardt, 1989 ; Voss et al ., 2002 ).

Replication strategy has been used during the cross-case analysis. In this strategy, a theoretical framework is applied to study one case in depth, and the successive cases are examined to see whether the identified pattern matches the pattern in previous cases (creating a cluster) ( Yin, 2009 ). Therefore, both within-case and cross-case analysis of the data were conducted as they are suitable for multiple-case studies ( Eisenhardt, 1989 ; Voss et al ., 2002 ; Yin, 2009 ).

4. Findings

4.1 Results from within-case analysis

The within-case analyses allowed the researchers to answer the research questions proposed in Section 3 . For each case, the results obtained from the questionnaire were carefully analysed. All information collected was organized into tables for the next phase of the data analysis. In addition, a figure with the PRM phases, the activities conducted, the tools used, the difficulties faced in each phase, the gaps in the process and the PRM results was created. Through these analyses, the enabling and hindering factors were identified and the PRM benefits were evaluated and graphically displayed. As an example of the information collected and the analyses conducted, Figure 2 displays the results of the within-case analysis for the first case study.

Phase 1 (risk identification): the main activities are context analysis, risk identification (both activities were conducted in 9 of the 10 cases), stakeholder analysis and opportunity identification; and the main tools are brainstorming (80%), checklist (70%) and risk register (50%). It emerged that interviews with experts were conducted in only 40% of cases, and that SWOT analysis, FMEA, 5 Whys and root-cause analysis tools were used in 20% of the projects.

Phase 2 (risk analysis): the main activities are meetings (both formal and informal). Design-related activities and tests have been found in 40% of cases. The main tools are risk matrix, risk register, risk ranking. Nevertheless, 5 Why and expected money value (EMV).

Phase 3 (risk treatment): all the activities identified have the same relevance (between 20 and 40%), with communication/meetings and design/specification changes being the most important ones. Other activities are outsourcing decisions, prototype testing, team monitoring and analysis on the job. In all the cases, the main tools were risk mitigation, risk transfer, risk avoidance and risk retention.

Phase 4 (monitor and control): the main activities are risk revaluation and periodic monitoring meetings. Action monitoring plan, meetings and problem replication have been executed in a less relevant way. No main tool stands out in this phase; change request monitoring, risk trigger monitoring and risk audit are the ones used.

These results are summarized in Figure 3 .

  • Responsible for PRM implementation (who)
  • People involved in the PRM process (which roles)
  • Roles in PRM clearly assigned (yes/no)
  • Internal PRM procedures adopted in the project (yes/no)
  • PRM training plan for the people involved in the project (yes/no)

In all cases, the project manager was responsible for the PRM implementation process. In some of the cases, members of the team or a PM consultant or function manager was involved. In eight cases, the roles in the PRM process were clearly assigned, and in seven cases, the internal PRM procedures were followed, while PRM training was conducted in only two cases.

The innovation, complexity and relevance of the projects were also assessed. Using a 5-point Likert scale, the interviewees were questioned about the project's technologic innovativeness, innovativeness for the market, project management complexity and strategic relevance. On average, the innovativeness for the market and the PM complexity were medium-high, while the project technologic innovativeness was high and the strategic relevance of the projects was even higher.

In the final section of the interview, the main outcomes and evidence of the PRM process were discussed. A list of benefits that can be obtained through the implementation of PRM was created by the researchers. Using a 5-point Likert scale once again, the interviewees were asked about their perception regarding the achievement of these seven benefits (eight in the cases with an external end-user) through PRM adoption, which was very satisfactory.

In addition to the benefits obtained through PRM, other important evidence emerged from the results. In all cases, PRM was considered useful, and the time/cost spent on its implementation was justified by the benefits, as required by the selection criteria. The interviewees of six projects believe that PRM should be adopted in all of the company's projects. In another two interviews, the respondents stated that PRM should be implemented in all innovative projects, while in the other two cases, the interviewees affirmed that the PRM process should be carried out in the strategic projects.

The last research question concerned the enabling and hindering factors for companies to adopt PRM. The respondents have pointed out the following as the enabling factors: previous PRM experience; support of a PM consultant with PRM experience; having a strategic/innovative project (which stimulates PRM adoption); a PRM report requested by the government/project financer and stakeholder support. In terms of the hindering factors, it has emerged that difficulties in the communication with the external client, lack of support from CEO/stakeholders (i.e. no recognition of PRM importance for the project's success) and PRM being seen as a “waste of time” by some of the people involved in the project are the most significant issues. The proof of the benefits obtained through PRM can be used by project managers to convince the CEO, the external clients and all the stakeholders to adopt PRM in the future projects; moreover, they could explain that those benefits could be achieved only with the cooperation of all actors involved in the projects.

Table 2 summarizes the findings obtained: the PRM organizational aspects in the projects, the level of innovativeness and complexity of the projects, the main evidences and the main benefits obtained through PRM implementation.

4.2 Results from cross-case analysis: pattern identification

  • Group 1: very high level of benefits (cases 4, 7 and 10)
  • Group 2a: high level of benefits – manufacturing (cases 1, 2 and 9)
  • Group 2b: high level of benefits – services (cases 5, 6 and 8)

Case 3 had a medium-high innovativeness level and lacked PRM organization (Table 2). Moreover, some of the PRM phases were poorly implemented, indicating that in this case the lack of structure in the PRM process had a negative impact on the benefits, which were all rated as medium. Given its specific characteristics and the poor results obtained, case 3 was excluded from the clusters.

In group 1 (very high benefits achieved), similarities in the project context (all Spanish manufacturing companies implementing projects with very high strategic relevance) and in the PRM organization (PRM roles assigned, internal procedures adopted and identification of the risk owner) were acknowledged. All companies have identified the same project risk types (i.e. technical-operative risks) and have used two specific tools and performed the same activities to manage these risks. The risks were constantly measured during the projects, and the project manager was responsible for PRM. A consultant with PRM experience in the micro and small company and a project manager with significant PRM experience were crucial for achieving very high benefits.

Six other cases have reached a high level of benefits and, based on the project context characteristics, were split into two groups: manufacturing (group 2a) and services (group 2b).

In the first group, composed of the manufacturing cases, projects have a very high level of innovation and complexity, and the contexts in which they exist are extremely similar. The roles involved in the projects were the same (project manager and project manager consultant), and the same project risks were identified. Several common activities were conducted, and common tools were used in the first three PRM phases.

The project manager's knowledge and experience in implementing PRM enabled the team to adopt the process, notwithstanding the fact that in all cases difficulties were faced due to the lack of knowledge and competences about some technical project details (such as a material's specific characteristics or a client's ERP system that could generate problems in the project). Interesting evidence has emerged in these cases, with opportunities considered and pursued and the risk register being constantly updated as the most significant pieces of evidence.

The third group (group 2b) is formed by three service companies with a very high standard of PRM organization. In contrast to the previous groups, more project risk types were considered in these cases (three in total), which led to the identification of specific risks in all projects. Similarities are identified in the PRM process, which was slightly adapted in each of the cases. Their strategic relevance has triggered the project managers to adopt PRM, regardless of their lack of knowledge about the difficulties to be faced. While identifying the risks, the opportunities were also considered in all cases.

The project studied in case 3 reached a mid-range level of benefits. Regardless of the project's high level of innovativeness and medium-high level of project management complexity, no PRM roles were assigned, no internal procedures were followed and no PRM training was conducted, indicating a poor level of organization in both cases. The risk analysis was performed sketchily, and there were issues during the “go-live” phase of the project. According to the project manager, “PRM has to be well implemented, otherwise the time dedicated to it will be a waste”. Therefore, in this case, PRM was adopted, and the results were positive, but it is likely that with a better PRM approach, the project would have obtained higher benefits. Given the specific characteristics of the case and the impossibility of replicating the results, this project was not clustered.

Figure 4 summarizes the characteristics of the clusters obtained.

Comparing the benefits graphs in Figure 4 , it could be concluded that the main difference between group 1 (very high level of benefits) and groups 2a and 2b (high level of benefits) is a better decision-making process in the first group. This feature, together with the PRM knowledge of the people involved in the project, led to a better project control (budget, project performance and lower risk impact). On the other hand, the evaluation of budget reserve does not seem to be significantly impacted by PRM, being the lowest perceived benefit in all the groups. A deeper analysis of these differences is discussed in the next section.

5. Discussion

From the analysis of the cases, it can be noted that some common features of PRM adoption are aligned with the results of previous literature. Firstly, in the study of Vacík et al. (2018) , 96% of the analysed companies carried out the RM process in a qualitative way, which indicates that usually no quantitative methods are used. This tendency was confirmed in this research since in all the studied cases the risk analysis was only qualitative. Secondly, many studies about PRM in SMEs, as the ones of Sharif and Rozan (2010) and of Pereira et al. (2015) , state that RM is generally carried out in person by the project manager due to the high cost of the tool and the need for qualified staff to operate it. Also, this statement was confirmed, as in all 10 cases, the project manager was responsible for the PRM implementation and simple tools were used. Moreover, according to Pellerin and Perrier (2019) , one of the biggest issues in performing PRM is the lack of systematic risk identification methods for specific project types based on lessons learned from similar projects. In most of the cases considered in this study, no meetings to discuss the lessons learned were held, and therefore no methods for systematic risk analysis were created. Nevertheless, it is expected that the indications that emerged from this study – about tools and activities to be performed during the risk identification phase and the following PRM phases – can be relevant to developing structured and efficient PRM adoption in SMEs.

  • only technical-operative risks were considered and identified in all projects;
  • all PRM phases were followed, but in two cases the risk analysis phase was not fully implemented;
  • the risk matrix and risk mitigation tools were used in the risk analysis and in the risk treatment phases, respectively, and the risk revaluation activity was performed during the risk monitor and control phase; and
  • when analysing the context in which the projects were developed, it has emerged that all of them had either a very high strategic relevance or a high level of innovation.

As for the PRM organization, the combination of assigning roles in the PRM process, adopting internal procedures and identifying the risk owner is a distinctive feature of the first cluster, in which all projects have achieved very high benefits. In cluster 2a, the roles were not assigned, and no internal procedures were adopted, but there was a consultant with PRM experience, which led these projects to obtain a high level of benefits. Therefore, the identification of the risk owner and the identification of internal PRM procedures, or the involvement of a PM consultant with PRM experience, seem to be necessary aspects of ensuring PRM adoption. In the cases in which there was not a minimum level of knowledge about PRM, the project managers have asked for external support. However, the best option is still to have the knowledge inside the company: in cluster 1, the PRM knowledge was internal; in cluster 2a, it was external; and in cluster 2b, it was internal but less consolidated than in the cases of the first cluster.

Regarding the project risks, in cluster 2b, the collaboration of other functional areas with the PRM team led to the consideration of more project risk types. In particular, three types of risk were considered in these projects, indicating a more comprehensive approach of the project context since more functional areas were involved in the PRM team in these cases. It can also be assumed that the service industry, in which all projects of this cluster exist, is more aware of the context of the project than the manufacturing industries, due to the higher involvement of the project stakeholders.

In manufacturing projects in which the strategic relevance was not very high (cluster 2a), only technical-operative risks were considered, while in cluster 1 (manufacturing cases with very high strategic relevance), the organizational risk types, which include lack of competence of the people involved in the process, were also taken into consideration. Therefore, in manufacturing projects, technical operative risks are the primary risks, but if they are strategically relevant, organizational risks must also be considered.

Another positive result from the PRM process is that in clusters 2a and 2b, the opportunities are also being considered, indicating a more comprehensive approach towards risks.

Several differences among the clusters were also identified when analysing the PRM process phases. The studied literature indicates that PRM must be continuous throughout the project's lifecycle in order to be successful, which is confirmed in the cases.

During the risk identification phase of the Spanish projects' implementation (clusters 1 and 2a), many meetings were held, and the risks were constantly measured. In most of these cases, PRM was stimulated by the government, which has facilitated its adoption since the project managers had to deliver to the government a report about the project evolution every six months. During this phase, cluster 2a was the one in which the projects had more activities in common among them (context analysis, risk identification and stakeholder analysis).

Meetings and measurement of risk probability of occurrence, as well as effects based on feelings, were adopted by the manufacturing clusters (1 and 2a) during the risk analysis phase. Risk prioritization and the constant measurement of risks were important to achieving the highest level of benefits (cluster 1). The risk matrix was used in this phase in all cases and served as a basis for risk prioritization in cluster 1.

During the risk treatment phase, two tools were used in the manufacturing clusters: risk mitigation and risk avoidance. In some cases, instead of risk avoidance, the risk retention tool was used. In cluster 2b, only the risk mitigation tool was adopted. Except for the risk revaluation activity in the risk monitor and control phase, in the projects of clusters 2a and 2b, additional activities common to all projects inside the cluster were followed.

The interviewees reported they intend to adopt PRM in the future projects of the company; in cluster 2a in particular, project innovativeness will be the trigger for PRM adoption in future projects.

Regarding the hindering and enabling factors for PRM adoption, the support inside the company to conduct the PRM process and the client cooperation – when needed – are considered crucial factors for successful PRM implementation. In the projects of cluster 1, the company's higher-level management did not interfere in the project managers' decisions about PRM, so the interviewees have not felt any hindering factors during the PRM adoption. Significant hindering factors include the lack of information about the service to be provided or about the technical specifications of the process that are needed to develop a product.

The indications about activities, tools and organizational aspects that enable the effective implementation of PRM in SMEs in different industries represent a significant contribution to the literature of PRM in SMEs since none of the previously published papers have provided this result.

This paper also contributes to informing SMEs that by adopting PRM, they can achieve a positive balance between the risks assumed and the expected benefits, as demonstrated by the 10 cases analysed. As stated in PMI (2017), all projects involve associated risks, the positive side of which allows them to achieve specific benefits. The adoption of PRM has always contributed to the project success of the cases considered, confirming that PRM is positively related to PM performance, as indicated by Fernando et al. (2018).

Figure 5 displays a comparison among the clusters according to the variables related to PRM and the benefits obtained.

6. Conclusions

Given the socio-economic importance of SMEs and their need to manage risks to assure project success, this research aims to investigate how to adopt PRM in SMEs with a positive cost–benefit ratio, considering RM phases, activities, tools and organizational aspects that enable the effective implementation of PRM in SMEs.

In order to pursue this objective, a multiple-case study was conducted, analysing 10 cases in Italy and Spain. Three clusters were eventually identified, revealing information about how to implement PRM in SMEs to achieve a high or very high level of benefits, considering different project characteristics and contexts.

The average complexity and innovation of the cases adopting PRM were high since higher project complexity implies higher risks, regardless of the type of industry.

The results obtained through the case studies confirm the literature indicating that SMEs need PM models that are less bureaucratic, with different versions of PRM depending on the characteristics of the project to facilitate its implementation.

From a managerial point of view, the findings offer practical information about PRM phases, activities, tools and organizational aspects to be considered in different types of industries and project complexities for its successful implementation.

Additionally, national and local governments can benefit from this research, taking advantage of the experience of the Spanish government that holds a prominent role in the adoption of PRM in SME projects, requiring periodical reports to financially support the projects.

Thanks to these results, it is possible to increase the diffusion of PRM in SMEs since they can be useful in other projects, thereby promoting the knowledge about and adoption of PRM.

From an academic point of view, this research confirmed the validity of an empirical framework specifically developed by Lima and Verbano (2019) to analyse PRM in SMEs and offers ten new cases to the scant literature devoted to SMEs. In addition, the findings obtained from the cases studied make it possible to outline the framework displayed in Figure 6, highlighting the relations among the main constructs. In particular, project features (technology and market innovativeness, strategic relevance, managerial complexity and commitment type) and firm characteristics (sector, production system and public incentives available) have an influence on the adoption of PRM, referring to the following main components (organization, risks and opportunities considered, planning, activities, tools, enabling and hindering factors).

Furthermore, the PRM adopted led to different types and levels of outcomes and benefits, as emerged in the three clusters analysed. Project dimension and firm dimension, on the contrary, seem not to influence PRM adoption and its benefits.

Finally, as reported in Figure 7, experience, PM and RM knowledge emerged as enabling factors for a successful PRM implementation; on the other hand, short time for PRM, lack of technical knowledge and lack of information are the hindering factors.

These findings could support further research in PRM in SMEs, confirming and exploiting the knowledge of this emerging topic and its diffusion. In particular, this study was not focussed specifically on the relations among the main constructs of the framework, which could be examined by considering the impact of every single dimension on the others, giving deeper and more specific knowledge on how to successfully implement PRM in SMEs.

Other future studies could be conducted from the starting point of the other limitations of this research: the data collection could be conducted with more than two respondents for each project (if feasible), the sample could be increased to also consider other industrial contexts, other countries and specific project characteristics, so as to expand the validity of this research and the information obtained so far. In addition, a large sample could allow statistical analysis to be performed with a greater possibility of generalization of the obtained results.

Moreover, further research is required to measure the benefits achieved from PRM in a more objective way. It is assumed in the PMBoK that PRM creates value for project outcomes, thereby increasing the probability of project success and strategic benefits (Willumsen et al., 2019). However, at the moment, there is very scant literature considering the value of PRM, and no objective measures are available, except the ones regarding the costs, time and quality of the projects. This study offers the identification of the dimensions of PRM benefits, but future studies are needed to refine their measurement.

In conclusion, this research offers an academic and managerial contribution to the emerging topic of PRM in SMEs, which influences the development and sustainability of SME projects and, consequently, the economic growth of many countries' economies.

Construction of the framework

Within-case analysis results from the first case study

PRM phases, activities and tools

Profile of the clusters obtained

Comparison of PRM implementation among the clusters

Framework resulting from the analysis of the cases

Enabling and hindering factors for PRM implementation

Overview of the selected projects

Ackermann, F., Eden, C., Williams, T. and Howick, S. (2007), “Systemic risk assessment: a case study”, Journal of the Operational Research Society, Vol. 58 No. 1, pp. 39-51.

APM (2004), Directing Change – A Guide to the Governance of Project Management (GoPM), APM Publishing, London.

Aven, T. (2016), “Risk assessment and risk management: review of recent advances on their foundation”, European Journal of Operational Research, Vol. 253 No. 1, pp. 1-13.

Blanc Alquier, A.M. and Lagasse Tignol, M.H. (2006), “Risk management in small- and medium-sized enterprises”, Production Planning and Control, Vol. 17 No. 3, pp. 273-282.

Borge, D. (2002), The Book of Risk, John Wiley and Sons, New York.

Dallago, B. and Guglielmetti, C. (Eds) (2012), The Consequences of the International Crisis for European SMEs: Vulnerability and Resilience, Routledge, Abingdon.

de Araújo Lima, P.F., Crema, M. and Verbano, C. (2020), “Risk management in SMEs: a systematic literature review and future directions”, European Management Journal, Vol. 38 No. 1, pp. 78-94.

de Camprieu, R., Desbiens, J. and Feixue, Y. (2007), “‘Cultural’ differences in project risk perception: an empirical comparison of China and Canada”, International Journal of Project Management, Vol. 25 No. 7, pp. 683-693.

Dey, P.K. (2012), “Project risk management using multiple criteria decision-making technique and decision tree analysis: a case study of Indian oil refinery”, Production Planning and Control, Vol. 23 No. 12, pp. 903-921.

Eisenhardt, K.M. (1989), “Building theories from case study research”, Academy of Management Review, Vol. 14 No. 4, pp. 532-550.

Eisenhardt, K.M. and Graebner, M.E. (2007), “Theory building from cases: opportunities and challenges”, Academy of Management Journal, Vol. 50 No. 1, pp. 25-32.

Elkington, P. and Smallman, C. (2002), “Managing project risks: a case study from the utilities sector”, International Journal of Project Management, Vol. 20 No. 1, pp. 49-57.

Fernando, Y., Walters, T., Ismail, M.N., Seo, Y.W. and Kaimasu, M. (2018), “Managing project success using project risk and green supply chain management: a survey of automotive industry”, International Journal of Managing Projects in Business, Vol. 11 No. 2, pp. 332-365.

Hsieh, H.F. and Shannon, S.E. (2005), “Three approaches to qualitative content analysis”, Qualitative Health Research, Vol. 15 No. 9, pp. 1277-1288.

Hwang, B.G., Zhao, X. and Toh, L.P. (2014), “Risk management in small construction projects in Singapore: status, barriers and impact”, International Journal of Project Management, Vol. 32 No. 1, pp. 116-124.

ISO 21500 (2012), Guidance on Project Management, International Organization for Standardization, available at: https://www.iso.org/standard/50003.html.

ISO 31000 (2018), Principles and Generic Guidelines on Risk Management International, International Organisation for Standardisation, available at: https://www.iso.org/standard/65694.html.

Joslin, R. and Müller, R. (2015), “Relationships between a project management methodology and project success in different project governance contexts”, International Journal of Project Management, Vol. 33 No. 6, pp. 1377-1392.

Kim, Y. and Vonortas, N.S. (2014), “Managing risk in the formative years: evidence from young enterprises in Europe”, Technovation, Vol. 34 No. 8, pp. 454-465.

Lam, T.T., Mahdjoubi, L. and Mason, J. (2017), “A framework to assist in the analysis of risks and rewards of adopting BIM for SMEs in the UK”, Journal of Civil Engineering and Management, Vol. 23 No. 6, pp. 740-752.

Lima, P.F.D.A. and Verbano, C. (2019), “Project risk management implementation in SMEs: a case study from Italy”, Journal of Technology Management and Innovation, Vol. 14 No. 1, pp. 3-10.

Lin, L., Müller, R., Zhu, F. and Liu, H. (2019), “Choosing suitable project control modes to improve the knowledge integration under different uncertainties”, International Journal of Project Management, Vol. 37 No. 7, pp. 896-911.

Liu, J., Meng, F. and Fellows, R. (2015), “An exploratory study of understanding project risk management from the perspective of national culture”, International Journal of Project Management, Vol. 33 No. 3, pp. 564-575.

Marcelino-Sádaba, Pérez-Ezcurdia, A., Lazcano, A.M.E. and Villanueva, P. (2014), “Project risk management methodology for small firms”, International Journal of Project Management, Vol. 32 No. 2, pp. 327-340.

Miles, M.B., Huberman, A.M., Huberman, M.A. and Huberman, M. (1994), Qualitative Data Analysis: An Expanded Sourcebook, Sage, Thousand Oaks.

Myers, M. (2000), “Qualitative research and the generalizability question: standing firm with Proteus”, The Qualitative Report, Vol. 4 No. 3, p. 9.

Moeuf, A., Lamouri, S., Pellerin, R., Tamayo-Giraldo, S., Tobon-Valencia, E. and Eburdy, R. (2020), “Identification of critical success factors, risks and opportunities of industry 4.0 in SMEs”, International Journal of Production Research, Vol. 58 No. 5, pp. 1384-1400.

Naude, M.J. and Chiweshe, N. (2017), “A proposed operational risk management framework for small and medium enterprises”, South African Journal of Economic and Management Sciences, Vol. 20 No. 1, pp. 1-10.

Neves, S.M., da Silva, C.E.S., Salomon, V.A.P., da Silva, A.F. and Sotomonte, B.E.P. (2014), “Risk management in software projects through knowledge management techniques: cases in Brazilian incubated technology-based firms”, International Journal of Project Management, Vol. 32 No. 1, pp. 125-138.

Nguyen, L.D., Chih, Y.Y. and García de Soto, B. (2017), “Knowledge areas delivered in project management programs: exploratory study”, Journal of Management in Engineering, Vol. 33 No. 1, 04016025.

Oduoza, C.F., Odimabo, O. and Tamparapoulos, A. (2017), “Framework for risk management software system for SMEs in the engineering construction sector”, Procedia Manufacturing, Vol. 11, pp. 1231-1238.

OECD (2012), Financing SMEs and Entrepreneurs 2012, An OECD Scoreboard, Paris.

Pellerin, R. and Perrier, N. (2019), “A review of methods, techniques and tools for project planning and control”, International Journal of Production Research, Vol. 57 No. 7, pp. 2160-2178.

Pereira, L., Tenera, A., Bispo, J. and Wemans, J. (2015), “A risk diagnosing methodology web-based platform for micro, small and medium businesses: remarks and enhancements”, Communications in Computer and Information Science, Vol. 454, pp. 340-356.

PMI (2017), A Guide to Project Management Body of Knowledge: PMBoK Guide, 6th ed., Project Management Institute, Newtown Square, PA.

Portman, H. (2009), PRINCE2™ in Practice, Van Haren Publishing, 's-Hertogenbosch, NL.

Pritchard, C.L. and PMP, P.R. (2014), Risk Management: Concepts and Guidance, Auerbach Publications, Boca Raton, FL.

Qazi, A., Quigley, J., Dickson, A. and Kirytopoulos, K. (2016), “Project complexity and risk management (ProCRiM): towards modelling project complexity driven risk paths in construction projects”, International Journal of Project Management, Vol. 34 No. 7, pp. 1183-1198.

Raz, T. and Michael, E. (2001), “Use and benefits of tools for project risk management”, International Journal of Project Management, Vol. 19 No. 1, pp. 9-17.

Rodney, E., Ducq, Y., Breysse, D. and Ledoux, Y. (2015), “An integrated management approach of the project and project risks”, IFAC-PapersOnLine, Vol. 48 No. 3, pp. 535-540.

Rostami, A., Sommerville, J., Wong, I.L. and Lee, C. (2015), “Risk management implementation in small and medium enterprises in the UK construction industry”, Engineering, Construction and Architectural Management, Vol. 22 No. 1, pp. 91-107.

Sanchez-Cazorla, A., Alfalla-Luque, R. and Irimia-Dieguez, A.I. (2016), “Risk identification in megaprojects as a crucial phase of risk management: a literature review”, Project Management Journal, Vol. 47 No. 6, pp. 75-93.

Sharif, A.M., Basri, S. and Ali, H.O. (2013), “A study on SME software development background and risk assessment implementation in Malaysia”, World Applied Sciences Journal, Vol. 26 No. 12, pp. 1637-1642.

Sharif, A.M. and Rozan, M.Z.A. (2010), “Design and implementation of project time management risk assessment tool for SME projects using oracle application express”, World Academy of Science, Engineering, and Technology (WASET), Vol. 65, pp. 1221-1226.

Taherdoost, H., Keshavarzsaleh, A. and Wang, C. (2016), “A retrospective critic re-debate on stakeholders' resistance checklist in software project management within multi-cultural, multi-ethnical and cosmopolitan society context: the Malaysian experience”, Cogent Business and Management, Vol. 3 No. 1, 1151116.

Tang, L.C.M., Leung, A.Y.T. and Wong, C.W.Y. (2009), “Entropic risk analysis by a high level decision support system for construction SMEs”, Journal of Computing in Civil Engineering, Vol. 24 No. 1, pp. 81-94.

Teller, J. and Kock, A. (2013), “An empirical investigation on how portfolio risk management influences project portfolio success”, International Journal of Project Management, Vol. 31 No. 6, pp. 817-829.

Tong, A., Sainsbury, P. and Craig, J. (2007), “Consolidated criteria for reporting qualitative research (COREQ): a 32-item checklist for interviews and focus groups”, International Journal for Quality in Health Care, Vol. 19 No. 6, pp. 349-357.

TSO (2009), Directing Successful Projects with Prince 2, The Stationery Office, Norwich.

Tupa, J., Simota, J. and Steiner, F. (2017), “Aspects of risk management implementation for industry 4.0”, Procedia Manufacturing, Vol. 11, pp. 1223-1230.

Turner, R., Ledwith, A. and Kelly, J. (2010), “Project management in small to medium-sized enterprises: matching processes to the nature of the firm”, International Journal of Project Management, Vol. 28 No. 8, pp. 744-755.

Vacík, E., Špaček, M., Fotr, J. and Kracík, L. (2018), “Project portfolio optimization as a part of strategy implementation process in small and medium-sized enterprises”, Economics and Management, Vol. 21 No. 3, pp. 107-123.

Voss, C., Tsikriktsis, N. and Frohlich, M. (2002), “Case research in operations management”, International Journal of Operations and Production Management, Vol. 22 No. 2, pp. 195-219.

Willumsen, P., Oehmen, J., Stingl, V. and Geraldi, J. (2019), “Value creation through project risk management”, International Journal of Project Management, Vol. 37 No. 5, pp. 731-749.

Xia, N., Zou, P., Griffin, M.A., Wang, X. and Zhong, R. (2018), “Towards integrating construction risk management and stakeholder management: a systematic literature review and future research agendas”, International Journal of Project Management, Vol. 36 No. 5, pp. 701-715.

Yin (2009), Case Study Research: Design and Methods, 4th ed., Sage, Thousand Oaks, California.

Acknowledgements

This work was supported by the University of Padova under Grant VERB_SID19_01.


  • July 2008 (Revised January 2012)
  • HBS Case Collection

Enterprise Risk Management at Hydro One (A)

  • Format: Print | Pages: 22

More from the Author

  • Winter 2015 | Journal of Applied Corporate Finance | When One Size Doesn't Fit All: Evolving Directions in the Research and Practice of Enterprise Risk Management. By: Anette Mikes and Robert S. Kaplan
  • August 2014 | Faculty Research | Enterprise Risk Management at Hydro One (B): How Risky are Smart Meters? By: Anette Mikes and Amram Migdal
  • Learning from the Kursk Submarine Rescue Failure: the Case for Pluralistic Risk Management. By: Anette Mikes and Amram Migdal


Case Study: Companies Excelling in Risk Management


In the modern business landscape, navigating uncertainties and pitfalls is essential for sustainable growth and longevity. Effective risk management emerges as a shield against potential threats – and it also unlocks opportunities for innovation and advancement. In this article, we will explore risk management, its significance and the criteria for excellence. We will also examine case studies of two companies that have excelled in this domain. Through these insights, we aim to glean valuable lessons and best practices that businesses across diverse industries can use to fortify their risk management frameworks.

The Significance of Risk Management

Risk management is vital for the sustenance and prosperity of companies, regardless of their size or industry. At its core, it is the identification, assessment and mitigation of potential risks that may impede organisational objectives or lead to adverse outcomes. Having a robust risk management approach means businesses can safeguard their assets, reputation and bottom line. 

The statistics are somewhat alarming. According to research, 69% of executives are not confident with their current risk management policies and practices. What’s more, only 36% of organisations have a formal enterprise risk management (ERM) programme.

Proactive risk management isn’t just a defensive measure; rather, it is necessary for sustainability and growth. With 62% of organisations experiencing a critical risk event in the last three years, it is important to be proactive. By identifying and addressing potential risks, organisations can become more resilient to external shocks and internal disruptions. This means they’re better able to survive through difficult times and maintain operational continuity. Moreover, a proactive stance enables companies to seize strategic advantages. It allows them to innovate, expand into new markets and capitalise on emerging trends with confidence.


Criteria for Excellence in Risk Management

Achieving excellence in risk management means adhering to several key criteria:  

  • Ability to Identify Risks: Exceptional risk management begins with identifying potential risks comprehensively. This involves a thorough understanding of both internal and external factors that could impact the organisation. It includes market volatility, regulatory changes, cybersecurity threats and operational vulnerabilities.
  • Assessment of Risks: Once identified, risks must be assessed to gauge their potential impact and likelihood of occurrence. This involves using risk assessment methodologies, such as quantitative analysis, scenario planning and risk heat mapping, to prioritise risks based on their severity and urgency.
  • Mitigation Strategies and Control Measures: Effective risk management relies on proactive mitigation strategies to minimise the likelihood of risk occurrence and mitigate its potential impact. This may involve implementing control measures, diversifying risk exposure, investing in risk transfer mechanisms such as insurance and enhancing resilience through business continuity planning.
  • Adaptability to Change: Organisations need to be ready to adapt to emerging risks and changing circumstances. This requires a culture of continuous learning and improvement. This means lessons are learned from past experiences to enhance risk management practices and anticipate future challenges.
  • Leadership Commitment: Effective leaders demonstrate a clear understanding of the importance of risk management. They know how to allocate adequate resources, support and incentives to prioritise risk management initiatives.
  • Strong Risk Culture: A strong risk culture permeates every level of the organisation. This involves a mindset where risk management is viewed as everyone’s responsibility.
  • Robust Risk Management Frameworks: Finally, excellence in risk management requires robust frameworks and processes to guide risk identification, assessment and mitigation efforts. This includes defining clear roles and responsibilities, implementing effective governance structures and leveraging technology and data analytics to enhance risk visibility and decision-making.

Company A: Case Study in Risk Management Excellence

Now, let’s take a look at a case study that highlights risk management excellence in practice.

ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry. It specialises in software development and IT consulting services. 

Over the years, under Lawson’s leadership, the company expanded its offerings and diversified into various sectors, including cybersecurity solutions, cloud computing and artificial intelligence. Today, ApexTech is a prominent player in the global technology market, serving clients ranging from small businesses to Fortune 500 companies.

Risk management strategies and successes

ApexTech’s journey to risk management excellence can be attributed to several key strategies and initiatives:

  • Comprehensive Risk Assessment: ApexTech conducts regular and thorough risk assessments to identify potential threats and vulnerabilities across its operations.
  • Investment in Technology and Innovation: ApexTech prioritises investments in cutting-edge technologies such as AI-driven analytics, predictive modelling and threat intelligence solutions.
  • Customer-Centric Approach: ApexTech tailors its risk management solutions to meet specific needs and preferences. This fosters trust and long-term partnerships.
  • Cybersecurity Measures: ApexTech has made cybersecurity a top priority. The company employs a multi-layered approach to cybersecurity to mitigate the risk of cyberattacks.
  • Continual Improvement and Adaptation: ApexTech fosters a culture of continual improvement and adaptation. The company encourages feedback and collaboration among employees at all levels so they can identify areas for improvement and implement solutions to mitigate risks effectively.

By proactively identifying and addressing operational risks, such as supply chain disruptions and regulatory compliance challenges, ApexTech has maintained operational continuity and minimised potential disruptions to its business operations.

ApexTech Solutions serves as a compelling example of a company that has achieved risk management excellence by embracing proactive strategies, leveraging advanced technologies and fostering a culture of innovation and adaptation.

Company B: Case Study in Risk Management Excellence

TerraSafe Pharmaceuticals is a renowned company in the pharmaceutical industry, dedicated to developing and manufacturing innovative medications to improve global health outcomes. Established in 1998 by Dr Elena Chen, TerraSafe initially focused on the production of generic drugs to address critical healthcare needs. 

Over the years, the company has expanded its portfolio to include novel biopharmaceuticals and speciality medications.

TerraSafe Pharmaceuticals has a holistic approach to identifying, assessing and mitigating risks across its operations:

  • Rigorous Quality Assurance Standards: TerraSafe prioritises stringent quality assurance measures throughout the drug development and manufacturing process. This ensures product safety, efficacy and compliance with regulatory requirements.
  • Investment in Research and Development (R&D): TerraSafe allocates significant resources to research and development initiatives. These are aimed at advancing scientific knowledge and discovering breakthrough therapies. With its culture of innovation and collaboration, the company mitigates the risk of product obsolescence.
  • Regulatory Compliance and Risk Monitoring: TerraSafe maintains a dedicated regulatory affairs department. This team stays abreast of evolving regulatory requirements and industry standards. They monitor regulatory changes proactively and engage with regulatory authorities to ensure timely compliance with applicable laws and standards. This reduces the risk of non-compliance penalties and legal disputes.
  • Supply Chain Resilience: TerraSafe works closely with its suppliers and logistics partners to assess and mitigate supply chain risks like raw material shortages, transportation disruptions and geopolitical instability. It implements contingency planning and diversification of sourcing strategies.
  • Focus on Patient Safety and Ethical Practices: The company adheres to stringent ethical guidelines and clinical trial protocols to protect patient welfare and maintain public trust in its products and services.

By investing in R&D and adhering to rigorous quality assurance standards, TerraSafe has successfully developed and commercialised several breakthrough medications that address unmet medical needs and improve patient outcomes. What’s more, the company’s proactive approach to regulatory compliance has facilitated the timely approval and market authorisation of its products in key global markets. This has enabled the company to expand its geographic footprint and reach new patient populations.

Key Takeaways and Best Practices

Despite being in different industries, both companies share similarities. Both ApexTech and TerraSafe Pharmaceuticals know the importance of proactive risk management. They have procedures in place that work to identify, assess and mitigate risks before they escalate. What’s more, both companies are led by visionary leaders who set the tone for decision-making. They prioritise building a strong risk culture with all employees knowing their role in risk management.

Best practices and strategies employed

  • Conducting Regular Risk Assessments: Both companies conduct regular and comprehensive risk assessments to identify potential threats and vulnerabilities across their operations.
  • Investing in Training and Education: Both invest in training and education programmes so that employees are equipped with the knowledge and skills necessary to identify and manage risks effectively. Employees at all levels contribute to risk management efforts.
  • Collaboration and Communication: Both companies know the importance of collaboration and communication in risk management. They create channels for open dialogue and information sharing. Stakeholders collaborate on risk identification, assessment and mitigation efforts.
  • Continual Improvement: Both companies have a culture of continual improvement. They encourage feedback and innovation to adapt to changing circumstances and emerging risks.
  • Tailored Risk Management Approaches: Both companies develop customised risk management frameworks and strategies that align with their objectives and priorities.

Emerging Trends in Risk Management

One of the most prominent trends in risk management is the increasing integration of technology into risk management processes. Advanced technologies such as artificial intelligence (AI), machine learning and automation are revolutionising risk assessment, prediction and mitigation. These technologies mean companies can analyse vast amounts of data in real time. This allows them to identify patterns and trends and predict potential risks more accurately.

Data analytics is another key trend reshaping risk management practices. Companies are leveraging big data analytics tools and techniques to gain deeper insights. By analysing historical data and real-time information, they can identify emerging risks, detect anomalies and make more informed risk management decisions.

Cybersecurity risks have become a major concern. Threats such as data breaches, ransomware attacks and phishing scams pose significant risks to companies’ data, operations and reputation. Companies are investing heavily in cybersecurity measures and adopting proactive approaches to protect their digital assets and mitigate cyber risks.

Companies are integrating global risk management into their overall risk management strategy too. They are monitoring global developments, assessing the impact of global risks on their business operations and developing contingency plans.

The Role of Leadership

Leadership plays a pivotal role in shaping organisational culture and driving initiatives that promote risk management excellence. Effective leaders not only recognise the importance of risk management but also actively champion its integration into the fabric of the organisation. Effective leaders:

  • Set the Tone: Leaders set the tone by articulating a clear vision and commitment to risk management from the top down.
  • Lead by Example: Leaders demonstrate their own commitment to risk management through their actions and decisions.
  • Empower Employees: Leaders empower employees at all levels to actively participate in risk management efforts. They encourage employees to voice their concerns and contribute.
  • Provide Resources and Support: Effective leaders invest in training and development programmes to enhance employees’ risk management skills and knowledge.
  • Encourage Innovation: Leaders encourage employees to think creatively and experiment with new approaches to risk management.
  • Promote Continuous Improvement: Leaders create opportunities for reflection and evaluation to identify areas for improvement and drive learning.

Encouraging a Risk-Aware Culture

For organisations to identify, assess and mitigate risks at all levels effectively, they need to encourage a risk-aware culture. Here are some tips for encouraging a risk-aware culture:

Communication and transparency:

  • Encourage open communication channels where employees feel comfortable discussing risks and raising concerns.
  • Provide regular updates on the organisation’s risk landscape, including emerging risks and mitigation strategies.
  • Foster transparency in decision-making processes, particularly regarding risk-related decisions.

Education and training:

  • Provide comprehensive training programmes on risk management principles, processes and tools for employees at all levels.
  • Offer specialised training sessions on specific risk areas relevant to employees’ roles and responsibilities.
  • Incorporate real-life case studies and examples to illustrate the importance of risk awareness and effective risk management.

Empowerment and ownership:

  • Empower employees to take ownership of risk management within their respective areas of expertise.
  • Encourage employees to identify and assess risks in their day-to-day activities and propose mitigation strategies.
  • Recognise and reward employees who demonstrate proactive risk awareness and contribute to effective risk management practices.

Integration into performance management:

  • Include risk management objectives and key performance indicators (KPIs) in employee performance evaluations.
  • Link performance bonuses or incentives to successful risk management outcomes and adherence to risk management protocols.
  • Provide feedback and coaching to employees on their risk management performance, highlighting areas for improvement and best practices.

Challenges in Risk Management

Challenges in risk management are inevitable, even for companies excelling in this domain. Despite their proactive efforts, all organisations encounter obstacles that can impede their risk management practices. Here are some common challenges and strategies for addressing them:

Complexity and interconnectedness:

  • Challenge: The modern business environment is increasingly complex and interconnected, making it challenging for organisations to anticipate and mitigate all potential risks comprehensively.
  • Strategy: Implement a holistic risk management approach that considers both internal and external factors impacting the organisation. Create cross-functional collaboration and information sharing to gain a comprehensive understanding of risks across departments and business units.

Rapidly evolving risks:

  • Challenge: Risks are constantly evolving due to technological advancements, regulatory changes and global events such as pandemics or geopolitical shifts. Organisations may struggle to keep pace with emerging risks and adapt their risk management strategies accordingly.
  • Strategy: Stay informed about emerging trends and developments that may impact the organisation’s risk landscape. Maintain flexibility and agility in risk management processes to respond promptly to new challenges.

Resource constraints:

  • Challenge: Limited resources, including budgetary constraints and staffing limitations, can hinder organisations’ ability to invest adequately in risk management initiatives and tools.
  • Strategy: Prioritise risk management activities based on their potential impact on organisational objectives and allocate resources accordingly. Leverage technology and automation to streamline risk management processes and maximise efficiency.

Compliance and regulatory burden:

  • Challenge: Meeting regulatory requirements and compliance standards can be burdensome and complex.
  • Strategy: Stay abreast of regulatory developments and ensure compliance with applicable laws and regulations. Implement robust governance frameworks and internal controls to demonstrate regulatory compliance and mitigate legal and reputational risks. Invest in compliance training and education for employees.

Human factors and behavioural biases:

  • Challenge: Human factors such as cognitive biases, organisational politics and resistance to change can undermine effective risk management practices, leading to decision-making errors and oversight of critical risks.
  • Strategy: Raise awareness about common cognitive biases and behavioural tendencies that may influence risk perception and decision-making. Create a culture of psychological safety where employees feel comfortable challenging assumptions and raising concerns about potential risks.

Conclusion: Striving for Excellence

In this article, we have explored the importance of effective risk management for businesses. We have delved into the criteria for excellence in risk management, showcasing companies such as ApexTech Solutions and TerraSafe Pharmaceuticals that exemplify these principles through their proactive strategies and robust frameworks.

From embracing technology and fostering a culture of innovation to prioritising regulatory compliance and empowering employees, these companies have demonstrated remarkable achievements in navigating complex risk landscapes and achieving sustainable success.

However, it’s essential to recognise that even companies excelling in risk management face challenges. By acknowledging these and implementing strategies to address them, organisations can enhance their resilience and effectiveness in managing risks over the long term.

About the author

Louise Woffindin

Louise is a writer and translator from Sheffield. Before turning to writing, she worked as a secondary school language teacher. Outside of work, she is a keen runner and also enjoys reading and walking her dog Chaos.

  • Risk Manag Healthc Policy

Risk Management in Executive Levels of Healthcare Organizations: Insights from a Scoping Review (2018)

Masoud Ferdosi

1 Health Management and Economics Research Center, Department of Health Services Management, School of Management and Medical Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran

Reza Rezayatmand

2 Health Management and Economics Research Center, Isfahan University of Medical Sciences, Isfahan, Iran

Yasamin Molavi Taleghani

3 Department of Health Services Management, School of Management and Medical Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran

This study attempted to present a framework and appropriate techniques for implementing risk management (RM) in executive levels of healthcare organizations (HCOs) and grasping new future research opportunities in this field.

A scoping review was conducted of all English language studies, from January 2000 to October 2018 in the main bibliographic databases. Review selection and characterization were performed by two independent reviewers using pretested forms.

Following a keyword search and an assessment of fit for this review, 37 studies were analyzed. Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework of risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment, risk treatment, monitoring and review, and communication and consultation. A set of tools and techniques were also suggested for use at each phase. Also, the status of risk management in the executive levels of HCOs was determined based on the proposed framework.

The framework can be used as a training tool to guide in effective risk assessment as well as a tool to assess non-clinical risks of healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool is comprehensive.

Introduction

Given the World Health Report (2000), the significance of healthcare organizations (HCOs) has grown in global health discourse. 1 However, in the last decade, HCOs have faced two contradictions: first, healthcare costs have increased due to population aging, the introduction of advanced technologies, and increased medical errors. 2 , 3 On the other hand, HCOs have become more complicated due to such factors as efficient customers, biomedical developments, the complexity of services and an increasing number of healthcare users. 2 , 3 Therefore, demand for healthcare is significantly higher than the human capacity and resources available in healthcare departments. 4 Corresponding to these limits, three interventional approaches have been developed at various levels of the HCOs: (i) quality management, (ii) risk management, and (iii) patient safety. 5

In particular, risk management (RM) is a process-oriented method providing a structured framework for identifying, assessing, and reducing risk at appropriate times for HCOs. 6 The RM approach protects healthcare providers against unfavorable incidents. 7 This way, RM plays a major role in shrinking uncertainties and enhancing rich opportunities for different areas of the health system. 8 Development of RM helps HCOs and providers to reduce damage due to the probable occurrence of defective processes through identifying error, rooting, and strategy development. 9 Implementing RM in HCOs improves allocation of health resources, 10 process management, decision-making, reduced organizational losses, 11 patient safety, 11 continuous quality improvement, 2 customer satisfaction, 2 organizational performance, 12 hospital reputation, 11 and better community creation. 2

A general framework for RM needs to be identified before implementing the risk process. This framework determines the strategy of the organization for risk identification, risk assessment, and risk reduction. 13 This strategy outlines how the RM process should be implemented in the organization. It determines the resources that are needed, the key roles and responsibilities, and the ways risk needs to be identified. It shows what the decision-making process looks like while using those strategies. 13 The available evidence suggests that despite the existence of a large number of RM techniques, only a few of them have been employed so far in the HCOs. 14 – 16

Risk management is one of the emerging areas in management systems; there are several reports that have provided an overview of risk management in HCOs; however, it is difficult to find studies that have systematically synthesized risk management models at the executive levels of healthcare organizations. 17 – 19 This sector is far behind the rest of the industry in terms of using these techniques. Nowadays, there is a consensus in the healthcare sectors that the knowledge, experience, and expertise of other industries in RM can improve the quality of services provided in the healthcare sectors. 3 Therefore, reviewing the selection of RM techniques seems indispensable. These instruments need to be tailored to the complexities of the healthcare system and the causes affecting incidents in this sector. 20 , 21

The organizational structure of the healthcare system has been classified into executive, administrative and operational levels, each of which is exposed to some risks. 22 This limited study aims to identify those risks that happen in executive levels. The study would not consider those risks that may happen in the operational levels of healthcare organizations and can be considered as a clinical risk. Mention should be made that the executive levels of healthcare organizations are the headquarters and deputies of the HCOs that provide counseling and control over healthcare delivery units. 22 Therefore, the aim of this review is to scope different published organizational RM models, identify the strengths and weaknesses of each model, and this way, propose a framework for implementing RM in the executive levels of HCOs.

The applied purpose of this study was to integrate existing research on the various areas of the RM cycle (risk identification, risk assessment, and risk management) and ultimately provide a centralized knowledge base for future research in the executive levels of HCOs. It is of note that the executive levels of HCOs are the headquarters and deputies of the HCOs that provide counseling and control over healthcare delivery units.

The methodological framework of the scoping review described below was guided by such methodologies, which have been published elsewhere. 23 , 24

Scoping Review Question

The first phase was represented by the definition of the scope of the study in compliance with the objectives and the underlying research hypotheses.

Based on preliminary studies, the research questions developed for scoping review are as follows:

  • RQ1: How are organizational risks identified and categorized within the executive levels of HCOs?
  • RQ2: What is the proposed framework for organizational risk management in the executive levels of HCOs? Also, what is the status of risk management in the executive levels of HCOs based on the proposed framework?
  • RQ3: What techniques and tools are available for implementing organizational risk management in the executive levels of HCOs?

Inclusion and Exclusion Criteria

To obtain and include relevant and important documents to concentrate on, a series of inclusion and exclusion criteria should be defined. The selection of the studies was done according to the following inclusion criteria:

(i) Studies on organizational RM and assessment techniques and framework in healthcare organizations or related organizations appropriate for imitation in the healthcare organization; (ii) articles in English; (iii) 2000 to October 2018.

The following studies were excluded: (i) in the format of letters, editorials, news, professional commentaries, and reviews; (ii) without available abstracts or full text or references; (v) Models that cannot be imitated in healthcare organizations; (vi) Published in languages other than English.

Identifying Locating Sources and Relevant Articles

This study was conducted in October 2018 through consulting such databases as PubMed, ISI, Emerald, Scopus, IEEE, Springer, ProQuest, Cochrane, and Wiley from 2000 to May 2018. The search strategy was the same for all the databases.

The keywords related to the subjects and the objectives of the study were identified as follows: initially, keywords were identified by the authors through a brainstorming process. The identified keywords were refined and validated by a team composed of two university academic members and two healthcare managers. The search strategy was formulated using Boolean operators. The formula was searched in the field of title and abstract in online databases. The search strings used are shown in Table 1; a search for each research question was performed. Also, the search was repeated two times with the following search string. In addition, the references were retrieved from the studies included in the first iteration. The keywords of references that matched with the search keywords were chosen.

Search Strings for Research Questions and Studies

Study Selection and Data Abstraction

The two authors (YMT and MF) independently completed the level 1 (titles and abstracts) and level 2 (full article texts) screening forms. All screening and extraction were completed in duplicate. Disagreements were discussed between the two reviewers and a third-party reviewer (RR) was contacted if disagreements could not be resolved. After independent reading of the full texts, the content was analyzed and the articles that answer the respective research questions were selected. Study quality was not assessed during the scoping review as the objective of a scoping review is to identify gaps in the literature and highlight future areas for systematic review. 23 , 24 The required information was extracted based on the research questions and placed in the designed templates.

Three thousand five hundred and seventy-four studies were screened; 761 were excluded as duplicates, 1556 on title review, 1081 on abstract review and 144 on full-text review. In total, this left 37 papers (32 papers from the first iteration on the databases and five studies from hand searching) for critical appraisal. Table 2 shows the flowchart for the study selection.

Paper Selection Process

Note: Each study may answer several research questions.

Characteristics of Articles Reviewed

Bibliographical information about the 36 articles included in this review can be obtained from Table 3 .

Bibliographical Sources of the Studies Included in the Literature Review

Notes: *Type of study included 1) Empirical quantitative; 2) Empirical qualitative 3) Conceptual/theoretical 4) mixed method. Data collection methods included 1) Survey (questionnaires or checklists); 2) Database, Documents & Records; 3) Interviews; 4) observation; 5) Focus Groups; 6) Ethnographies, Oral History, & Case Studies.

According to Table 3 , 11 articles (14.3%) were used to answer the first research question, 30 articles (38.9%) were used to answer question 2, and finally, 36 articles (46.8%) were used to answer research question 3. (Total papers >36 because each paper may be classified into two or more study types, or may address two or more review questions.) Also, all but four articles were published in 2009 or later; this is due to the complexity of the environment and the type of services provided by organizations and, consequently, the use of the RM and risk assessment process as a tool for reducing errors and incidents in recent years.

As can be seen in Table 3 , based on the setting of the studies, Europe had the most studies, with 59.5% of the authors affiliated with European universities and institutions. Asia was next with 21.6% of the studies, followed by America (13.5%), Oceania (2.7%), and Africa (2.7%). Also, most of the studies were conducted in developed countries. Thus, at this point, we can already identify a need for more research into risk management in developing countries.

As for design, 2 (5.4%) studies were empirical quantitative, 5 (13.5%) empirical qualitative, 12 (32.4%) conceptual/theoretical and 18 (48.7%) mixed method.

How are Organizational Risks Identified and Categorized Within Executive Levels of Healthcare Organizations?

Risk identification is usually a necessary condition for later risk management. 25 Given dynamic and complex healthcare organizations, different risk sources can trigger hazardous situations, potentially harming the organization. 36 It is therefore essential to consider as many risk sources as possible within a classification to help participants familiarize themselves with the given system and potential risk sources. 36 Although the study strategy did not focus on risk types of healthcare organizations (see methods), the reviewed studies placed significant emphasis on identifying and discussing a variety of typical risks in organizations similar to healthcare organizations.

According to the results of Simsekler et al, the risk identification framework (RID Framework) is used to identify the risks of health organizations. 36 The risk identification framework includes a spectrum of inputs (system familiarization), processes (identification of risks), and outputs (presentation of the risks) in its structure. 36

Based on the results of the studies, a functional framework for identifying and classifying risks in executive levels of HCOs is presented in Table 4 .

Identification and Classification of Risks in Executive Levels of Healthcare Organization

According to Table 4 , risk sources are classified into two categories (internal and external), and risk identification tools are classified into two categories (retrospective-prospective and intra-organizational – inter-organizational).

Which Organization RM Framework and Techniques are Used in Executive Levels of Healthcare Organizations?

A stringent risk management process may enable executive levels of HCOs to cope with the risks presented in the previous section. Once risks have been identified, a number of techniques and actions can be selected to address them.

Various models have been used by organizations to assess and manage risk, the results of which are shown in Table 5 . Based on the findings in Table 5 , the risk management frameworks that are applicable to the executive levels of HCOs are classified into basic models and combined models. In addition, risk management models are divided by cost, time, and complexity. The approaches of risk management models are also divided into qualitative or quantitative, systemic or individual, retrospective or prospective, and holistic or partial.

Characteristics of Organization RM and Risk Analysis Techniques

Notes: In output and information item, the status of risk management in organization was determined based on each of the phases of proposed framework. (Y: Fully performed, S: Somewhat performed, N: Not implemented).

According to the studies’ results, a simple and comprehensive framework for RM in executive levels of HCOs was suggested. The proposed framework of the present study consists of five phases, the main phases of which are adapted from the ISO31000 framework. The following is a suggested framework and techniques that can be used to implement risk management processes in executive levels of HCOs. Finally, Table 5 examines the extent to which risk management based on the key phases of the proposed framework is established in healthcare organizations.

  • Establishing the context,
  • Risk assessment (risk identification, risk analysis, and risk evaluation),
  • Risk treatment (strategy determination, designing measures and decision-making, planning, and implementation),
  • Communication and consultation, and
  • Monitoring and reviews.

In the following, the RM framework and techniques in executive levels of HCOs are described for each phase.

Establishing the Context (Initiation and Preparations)

The first phase in the risk management process is establishing the context. The context establishment primarily paves the way for the organizational nature of the company such as the project objective and management style or organization culture. In this step, issues such as the healthcare organization's background, who should conduct the RM process, identifying interested parties, formulating problems, setting the objective(s) of RM and selecting appropriate methods for RM are reviewed. 43 , 59

The organizational RM team should be multidisciplinary and comprised of various specializations, in particular, managers, process owner experts, and RM experts (consultants and facilitators). 25 , 33 Also, the number of team members depends on the complexity of organizational issues. 33 , 40 , 43

Risk Assessment

The second phase in the risk management process is risk assessment, which involves measuring or estimating the potential frequency of losses and the potential impact of a risk on the organizations' health care. Subsequently, the risks can be ranked according to their importance for the HCOs. In general, the following three steps (risk identification, risk analysis, and risk evaluation) are proposed for risk assessment in executive levels of HCOs:

Risk Identification

Describing the process and system definition.

According to the results, there were several methods for outlining risky processes that executive levels of HCOs can use depending on their needs: textual system description, 8 , 41 , 53 , 59 activity breakdown structure (ABS), 8 radar charts, 34 flow charts, 3 , 25 , 28 , 30 , 38 , 45 , 50 , 56 , 62 process diagrams, 34 , 38 , 45 , 56 , 58 system diagram, 8 , 34 , 62 integration definition (IDEF), 35 hierarchical task analysis diagram (HTA) or task diagram, 26 , 28 , 35 , 42 , 57 , 62 communication diagram, 56 , 62 information diagram, 35 , 56 , 62 , 63 organizational diagram, 35 , 56 , 62 , 63 stakeholder diagrams, 56 swim lane activity diagram, 56 state transition diagram, 56 sequence diagram, 56 and data flow diagram. 56

In general, process description tools are divided into two categories of descriptive tools and process tools. Radar charts, also called Kiviat diagrams, were built in order to visualize initial and residual risks for each kind of process. 34 ABS is process-oriented instead of being product-oriented; moreover, this method lacks a time dimension. 8 Also, a task diagram is used for describing the hierarchy of operations and plans; system mapping for how data is transmitted through activities; information diagrams for describing information hierarchies; organizational diagrams for describing the hierarchy of organizational roles; communication diagrams for displaying information flows between individuals and business processes; IDEF for linking between inputs and outputs in organizational activities and resources; and sequence diagrams for interacting information between stakeholders.

According to Cagliano et al, the flow chart included the name or code of both the process phase and the activity at issue; the actors performing the activity; inputs (information, materials, preliminary actions, orders, etc.); a detailed description of the operations required by the activity; duration and frequency; controls to monitor activity progress; tools necessary to perform both the activity and related controls; and outputs (other activities, information, and data). 8 Moreover, in Parand et al’s study, activities in the flow chart were classified based on action, retrieval, checking, selection and information, and communication. 28 In general, the stronger the process description, the more effective the results of the risk assessment can be.

According to the studies by Simsekler et al 36 and Jun et al, 56 specific types of diagrams were selected by stakeholders as more useful than others in identifying different sources of risks within the given system. In general, employees’ perception, ease of use, and usefulness are the main variables for choosing the most optimal system modeling tool.

After the process flowchart has been drawn, organizational risks or organizational process risks are determined at this stage. The applied frameworks for identifying risks in executive levels of HCOs are presented in Table 4.

Cause Identification

Based on some risk assessment models, the effective causes and the root causes of the errors are identified at this stage. Based on the Eindhoven model, the causes of error are classified into two main categories: latent errors (technical and organizational) and active errors (human errors and other factors). 25 Furthermore, based on the results of some studies, the causes of errors are classified into institutional context factors, organizational and management factors, work environment factors, team factors, communication factors, individual (staff) factors, training and education factors, equipment factors, task factors, and patient factors. 35 , 36 In addition, based on the results of some studies, the Ishikawa cause-effect diagram can be used to determine the sources of errors. 37 , 45 , 48

Risk Analysis

At this stage, it is possible to estimate the risk qualitatively, semi-quantitatively or quantitatively according to the probability of the risk. The following steps are considered for risk analysis in executive levels of HCOs.

Risk Estimation (Severity and Consequences and Likelihood Estimation)

At this stage, it is possible to estimate risk according to the probability and severity of the risk. There are numerous qualitative, semi-quantitative and quantitative methods that try to estimate the individual components of risk so that the result better reflects reality.

Verbal descriptors (low, medium, or high), 26 risk weights, 25 , 34 , 38 , 49 , 59 , 61 encoding, 30 , 40 , 52 , 60 , 61 scoring tables, 25 – 27 , 30 , 32 , 37 Bayesian methods, 46 the Monte Carlo method, 46 , 60 and historical data 49 were suggested for estimating the severity and probability of risk in executive levels of HCOs.

In quantitative risk estimation methods (Monte Carlo and Bayesian), activities take a probabilistic form and a distribution function is specified for them. 46 , 60 In qualitative risk estimation methods, risks are prioritized according to their potential impacts on project objectives, based on qualitative variables. Qualitative methods of risk estimation can either lead to further analysis in quantitative risk estimation or directly to risk response planning. 30 , 60

Interviews with experts, 32 , 53 questionnaire design, 32 , 61 Delphi method or expert, 60 and focus groups 38 , 44 , 46 , 49 - 51 , 53 were identified as applied methods for risk estimation in executive levels of HCOs.

Risk Presentation

Estimated risks are presented using risk presentation formats, which included a single number index (e.g. 1/100,000), 27 , 37 failure space vs success space, 54 fuzzy number scales, 30 , 32 , 40 , 41 , 52 , 61 tables (e.g. sizes or bands of fatalities are 1–10, 11–100, and 101–1000), 30 , 40 risk matrix, 25 , 33 , 43 , 52 , 53 , 57 graphs or diagrams (e.g. Frequency-Number (F-N) curve), 35 , 46 and maps (e.g. risk contour plot). 45

In sensitivity analysis, the management index (Risk Index x Sensitivity) provided further ranking for those risks that have equivalent Risk Indexes. Given its scope, this analysis may not necessarily constitute an integrated step of risk analysis. 49

Synthesized information about the main risk elements included the risks and their causes and contributing causes, frequency or probability, consequences due to risk, and estimated risks. 49

Risk Evaluation

Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. The following steps are considered for risk evaluation in executive levels of HCOs.

Select Risk Evaluation Criteria

There was a wide range of qualitative and quantitative risk criteria or standards for evaluation of various types of errors in executive levels of HCOs. Selection of risk criteria may also depend on the results of the risk analysis and how risks are estimated. 60

Compare Estimated Risks Against the Risk Criteria and Prioritize or Rank Risks

This step is concerned with making decisions about the prioritization and comparison of risks to be managed, based on the outcomes of risk analysis. 27

A simple method for risk filtering was a Pareto analysis. 26 , 30 , 58 , 60 Moreover, in some studies, decision tree, 25 , 28 , 49 , 57 priority matrix, 25 , 30 , 35 criticality matrix, 34 , 44 criticality scale, 34 , 38 , 49 , 60 and risk prioritization grid were used to determine acceptable and unacceptable risks. 27 Furthermore, simple additive weighting (SAW) 32 and hazard totem pole (HTP) 60 methods can be used as practical and quantitative methods for risk evaluation. SAW is a simple and widely applicable multi-attribute decision method, also known as a weighted linear combination or scoring technique. 32
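The ranking steps named above (the management index tie-break from the sensitivity analysis, Pareto filtering, and SAW) can be carried through on a small register. This is an added example, not code from the reviewed studies; the risk names, the 1-5 scales, Risk Index = likelihood x severity, the 80% Pareto threshold and the max/min normalization used for SAW are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # constructed scale: 1 (rare) .. 5 (almost certain)
    severity: int       # constructed scale: 1 (negligible) .. 5 (catastrophic)
    sensitivity: float  # constructed factor taken from a sensitivity analysis

    @property
    def risk_index(self) -> int:
        # Assumption: the page does not define the Risk Index; a common
        # choice is likelihood multiplied by severity.
        return self.likelihood * self.severity

    @property
    def management_index(self) -> float:
        # From the page: management index = Risk Index x Sensitivity.
        return self.risk_index * self.sensitivity


def rank_risks(risks):
    """Sort by Risk Index; equal indexes are separated by the management index."""
    return sorted(risks, key=lambda r: (-r.risk_index, -r.management_index, r.name))


def pareto_filter(ranked, threshold=0.8):
    """Keep the leading risks (input already ranked, highest first) whose
    cumulative share of the total Risk Index first reaches the threshold."""
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    total = sum(r.risk_index for r in ranked)
    if total == 0:
        return []
    selected, running = [], 0
    for risk in ranked:
        selected.append(risk)
        running += risk.risk_index
        if running / total >= threshold:
            break
    return selected


def saw_scores(alternatives, weights, cost_criteria=()):
    """Simple additive weighting: normalize each criterion, then weighted sum.

    Benefit criteria are scaled as value / column max, cost criteria as
    column min / value, so every normalized value lies in (0, 1].
    """
    if not alternatives:
        return {}
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    columns = {c: [attrs[c] for attrs in alternatives.values()] for c in weights}
    if any(min(col) <= 0 for col in columns.values()):
        raise ValueError("criterion values must be positive")
    scores = {}
    for name, attrs in alternatives.items():
        total = 0.0
        for criterion, weight in weights.items():
            if criterion in cost_criteria:
                normalized = min(columns[criterion]) / attrs[criterion]
            else:
                normalized = attrs[criterion] / max(columns[criterion])
            total += weight * normalized
        scores[name] = total
    return scores


# Constructed sample register of non-clinical risks (not data from any study).
SAMPLE_RISKS = [
    Risk("Staff shortage", likelihood=5, severity=3, sensitivity=0.6),
    Risk("Billing error", likelihood=2, severity=2, sensitivity=0.4),
    Risk("EHR outage", likelihood=3, severity=5, sensitivity=0.9),
    Risk("Signage fault", likelihood=1, severity=1, sensitivity=0.2),
    Risk("Supplier delay", likelihood=4, severity=2, sensitivity=0.5),
]

# Constructed SAW input: detectability is a cost criterion here, because a
# risk that is easy to detect (high value) needs less priority.
SAW_ALTERNATIVES = {
    "EHR outage": {"likelihood": 3, "severity": 5, "detectability": 2},
    "Staff shortage": {"likelihood": 5, "severity": 3, "detectability": 4},
    "Supplier delay": {"likelihood": 4, "severity": 2, "detectability": 4},
}
SAW_WEIGHTS = {"likelihood": 0.3, "severity": 0.5, "detectability": 0.2}

if __name__ == "__main__":
    ranked = rank_risks(SAMPLE_RISKS)
    for r in ranked:
        print(f"{r.name:15} RI={r.risk_index:2} MI={r.management_index:.1f}")
    print("Pareto set:", [r.name for r in pareto_filter(ranked)])
    print("SAW:", saw_scores(SAW_ALTERNATIVES, SAW_WEIGHTS, {"detectability"}))
```

The two risks with a Risk Index of 15 are ordered only by the management index, and the Pareto set stops once the leading risks account for the chosen share of the total.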

Risk Treatment

This phase involved defining and implementing actions for mitigating the determined risk level and verifying that the residual risk level is acceptable. 27

Determine Organization RM Strategies

The four common organization RM strategies options:

  • Avoid: Avoidance involves elimination of risks at the source.
  • Reduce: The strategy of risk reduction involves reduction, but not a complete elimination, of the frequency of occurrence of undesirable risks and/or the severity of their consequences. 53 , 60

These comprise two fundamental approaches to risk reduction, which were:

  • Share (spread or transfer): sharing the risk with another entity and/or function. Risk sharing is carried out in different ways, including risk sharing by insurance and contract, risk transfer and physical transfer.
  • Accept: Risk can be retained in cases where it cannot be avoided or transferred. 25 , 44 , 45 , 53 , 60

Moreover, the theory of problem-solving by an inventive method, 25 the Generating Options for Active Risk Control (GO-ARC) Technique 64 and the dynamic systems development method (DSDM) 50 were used to redesign the process and improve strategies.

In the GO-ARC Technique, risk control options are divided into 5 categories (elimination, design controls, administrative controls, detection/situational awareness, and preparedness). The first three consist of the 3-tiered hierarchy of risk controls. The remaining two, detection/situational awareness and preparedness help users consider risk controls to reduce the severity of harm or prevent harm in the midst of an on-going systems breakdown; they are aimed at promoting resilience, as opposed to focusing solely on preventing systems breakdowns in the first place. In general, GO-ARC improves the trend of producing risk control options. Use of the Generating Options for Active Risk Control (GO-ARC) Technique can lead to more robust risk control options.

On the other hand, the DSDM framework is too complicated to become a general framework for solving task problems. In DSDM, the primary effort is to provide software that is good enough to meet the needs of the business and that can progress to the next iteration. 50

Additionally, the SWOT matrix with four strategy areas, SO (maxi-maxi) and ST (maxi-mini) and WO (mini-maxi) and WT (mini-mini), was used to determine strategies and corrective actions. 31

RM Measures and Decision-Making

RM strategies and measures were often difficult to compare and evaluate in executive levels of HCOs. The best decision is the one that yields the greatest expected value. The interventions are prioritized according to two criteria: their ability to reduce the root causes (interventional power) and the perception of their implementation based on what is anticipated (reliability of intervention). 26 , 30

The best performance measures can be selected based on criteria such as safety, profitability, quality, efficiency, effectiveness, time, cost, available resources, performance, environmental conditions, and satisfaction. 41 , 42 , 45 , 46 , 59 In one study, AHP/ANP and BOCR (benefits, opportunities, costs, and risks) were used to select the best RM strategies. 41

Planning and Implementation

Finally, a plan also defined risk ownership, roles and responsibilities, and time frames to implement mitigation strategies. 45 Risk governance structure was a useful tool for risk assessment planning. In this method, the roles and responsibilities of each employee are determined in the RM plans. 39 , 40 , 45 Moreover, a pilot study 43 , 59 and simulation 41 , 49 were suggested before wide-scale implementation.

These steps are typically performed as iterative cycles that are controlled and triggered by two continuously running activities: risk review and monitoring, and communication and consultation.

Communication and Consultation

Communication and consultation with internal and external stakeholders are needed to keep them informed of process outputs and let them provide inputs. 27

Risk-related information should be shared based on appropriate access levels in the exchange organization or between decision-makers and other stakeholders. These should address the issues related to risk itself, its causes, its consequences (if there is information about them), and the measures taken to deal with it.

Communication and consultation with project stakeholders can be a key factor in the favorable execution of risk management and in achieving better results. In practice, regular reporting is one of the important components of communication that helps senior managers identify the risks they face. Summary reports prepared from risks in fact reflect the status of the responding guidelines and the trend index of risk occurrence. 59

Work sessions, 29 , 59 intranet-based calendars, 59 reports and gatherings, 59 wiki page, 45 and PMBOOK software, 46 are suggested as tools for information exchange in executive levels of HCOs.

Monitoring and Review: (Re-Assessment – a Continuous and Cyclic Process)

Effective risk management requires a reporting and reviewing structure in order to ensure that risks are effectively identified and evaluated and that responses and controls are applied in a timely manner. In this phase, policies and adherence to standards should be regularly verified, and the performance of standards should be reviewed to identify improvement opportunities. 27

Various methods such as risk compliance readiness template, 45 risk project update template, 45 data management system, 60 variance analysis, 46 risk reassessment, 46 Wiki page as collaborative workspace, 45 control chart, 43 trend analysis, 46 risk auditing, 39 , 46 visual process control, 43 and communication plan 43 were recognized as ways to monitor and evaluate the effectiveness and efficiency of the RM cycle in executive levels of HCOs.

By conducting continuous monitoring and reviewing of risk, it is ensured that new risks are being identified and managed, and executive programs are effectively implemented and developed. 46

Given the different and dynamic nature of organizations, various frameworks and techniques are used in managing and assessing organization risks. Therefore, recognizing the organization RM framework is an important step in RM in executive levels of HCOs. In this study, based on a review of studies, frameworks and tools that can be used to implement organizational risk management in the executive level of HCOs are proposed.

According to the first question of this study, healthcare organizations may be faced with risks that may prevent the mission and achievement of the organization’s objectives, so at the first step of risk management, risk resources should be identified with optimal tools. 17 In the present study, using an innovative approach, a framework for identifying and classifying risks in the executive levels of HCOs was proposed. The proposed framework included three steps of input, process, and output.

Input phases considered a spectrum of inputs to help increase understanding of the system, and awareness of potential organization risks that can occur in complex and changeable healthcare systems. 36 Input phases consist of (Risk Sources, 8 , 36 Nature of Hazards, 36 and Time). 36 At the process stage, the tools that can be used as intra- or inter-organization and retrospective-prospective in the executive levels of healthcare organizations are determined. 55 Finally, in the presence of the risk stage (output stage), the identified risks were clearly registered in executive levels of HCOs. 8

This framework is a helpful guide for managers to identify potential errors in the executive levels of HCOs. Based on the results of the studies by Pott et al 57 and Simsekler et al, 17 different approaches should be used to identify risks in organizations, and data from different resources should be integrated to gain a general view of the risks of a system.

We have no standard answer as to which one of the risk identification tools is a more optimal tool. Each tool is used to identify a range of risks, so the best approach to identify all risks is to integrate retrospective and prospective analysis to understand a broader scope of the risks.

Based on the results of the studies, organizational risks, 8 , 26 , 31 , 45 , 59 technological supports, 8 , 31 , 34 , 40 , 45 , 60 and information and communication, 8 , 31 , 34 , 40 , 55 , 59 were identified as the most important resources of risk in most studies, so treatment of these risks is of high importance in the executive levels of HCOs.

In today’s world, managers faced with healthcare organization risks have realized the need to develop a risk management framework at the organization level. In answer to its second and third questions, this study provides a state of the art based on the review of studies and tries to propose a framework for risk management, together with techniques applicable to each of the stages of risk management and risk assessment in executive levels of HCOs. The term “framework” has a broader scope than the term “technique.” The risk management framework includes guidelines for analyzing, assessing, and managing risks in healthcare organizations. In contrast, management and risk assessment techniques are considered analytical tools for analyzing data and risk information.

In general, the risk management framework has required stability, but there are no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on the specific conditions and position of the organization. Table 5 therefore presents the limitations, strengths and weaknesses, and factors influencing the selection of each of the models for risk management and risk assessment in executive levels of HCOs. The content of this table can help risk analysts, healthcare managers and other stakeholders to make rational decisions about identifying risk management and risk assessment models in executive levels of HCOs.

According to the results of the studies, there was a wide range of well-known and successful tools for single and combined risk assessment and a hierarchy of risk analysis models suggested for executive levels of HCOs.

The hierarchy of risk analysis and risk assessment models is divided into three levels:

High-level tools: At this level, risk assessment tools cover a wide range of risk scenarios and provide various information for the organization based on risk scenarios. However, such tools should not be used when the details need to be emphasized in risk assessment. Some risk assessment tools employed at this level are all the combined models presented in Table 5 for analysis and risk assessment, 30 , 35 , 38 , 40 , 42 , 43 , 45 , 50 , 52 Six Sigma, 43 , 45 IRMAS, 59 and CREA (Clinical Risk and Error Analysis). 35

Mid-level tools: Implementing risk assessment tools at this level makes it possible to provide the modest information and details for the organization considering risk scenarios. Some risk assessment tools employed at this level are Health failure mode and effect analysis (HFMEA), 25 , 42 , 50 HFMEA/FMEA/FMECA, 8 , 25 , 26 , 28 , 30 , 37 , 38 , 49 root cause analysis (RCA), 38 , 43 , 50 bow-tie model, 48 , 51 hazard and operability analysis (HAZOP). 35

Low-level tools: At this level, risk assessment tools evaluate the limited range of risk scenarios, but with more details for the organization. Some risk assessment tools employed at this level are: Preliminary risk analysis method (PRA), 34 fault tree analysis (FTA), 54 change risk assessment model (CRAMS), 46 change analysis (CHA), 46 human reliability assessment (HRA), 8 Pareto analysis (PA), 26 , 30 relative ranking/risk indexing (RI), 32 , 60 5 whys technique, 8 , 36 hazard checklists (HCl), 35 change analysis (CA), 28 strategic risk analysis (SRA). 31

Optimal implementation of the risk management process is nothing but the adoption of the most appropriate techniques and tools available in each phase. However, there are no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on the scope of risk analysis, legal requirements, results/information needed, data, resources and time available, complexity and size of risk analysis, and type of activity or system and concerning issues. As a general rule, the best risk management tool is to overcome the participants’ mental judgment.

Most of the models extracted from the results of the study were somewhat similar and presented the same components. The three main factors that were found in all risk management models included measurement, management, and monitoring. Therefore, based on the results of the studies and the nature of healthcare organizations, the risk management process had one primary phase and four main phases. In the primary phase, the objectives and prerequisites for risk management are set out for execution. The main phases are as follows: risk assessment (identifying potential risks, determining the likelihood and consequence of the identified risk, and determining the level of the risk), risk treatment (how to reduce the impact of unacceptable risks and selecting appropriate responses to them), monitoring and reviewing (effectiveness of measures), and, as the last activity of the process, communication and consultation with the stakeholders on the trend.

The proposed framework of this study is very similar to the ISO31000 framework, with the difference that more details are provided in the framework of the present study. The ISO31000 approach describes the organization’s risk management in a comprehensive, strategic, and holistic way. 45

Also, the model developed in the present study has several specific features compared with the previous models: 1) In the present research, an attempt was made to integrate the research literature in the field of risk management and provide a framework that is more comprehensive; 2) According to the search strategy, all risk management frameworks of healthcare organizations and organizations adaptable with healthcare organizations were examined, and there was no particular dependence on a specific industry; from this perspective, the framework has more advantages compared to some frameworks that were established for a specific industry; 3) The proposed framework is based on the internal and external flows dominant in healthcare organizations. Managers of healthcare organizations today need a structured and coherent approach to identify, analyze, and manage risk across a range of intra- and inter-organizational activities; 4) With the establishment of the proposed model in the organization, the basic assumptions dominant in healthcare organizations are examined in specific time periods and, if necessary, continuous improvement in healthcare organizations is carried out in a dynamic cycle.

Regarding the status of healthcare organizations in establishing each of the main phases of the proposed risk management framework, studies have identified and evaluated the risk, and the treatment phase and risk monitoring were neglected in most studies. However, risk management should be done throughout the life of the organization. New risks need to be identified and managed at every stage of the organization’s life. Also, based on Table 5, most studies were not done at the phase of risk assessment, process mapping, and cause identification. While many system mapping approaches have been widely used in various industries, healthcare organizations have only used a limited number of them for process mapping. 62 Each process mapping tool has a specific application, and managers and professionals should use the most useful of them to identify sources of risk in healthcare organizations. The most important phase, which guides the risk management process and determines the main policies in risk management, is the phase of planning and setting objectives, which is done incompletely in most studies. Risk managers should pay great attention to risk planning; obviously, if this is not done in a fully transparent manner, the execution of risk management will be subject to some uncertainty. 43 , 46

Based on the results of Table 5, in most studies (89.6% of studies), the risk management attitude was prospective, and in few studies, each of the prospective and retrospective risk management approaches was emphasized. However, based on the results of the Kessele-Habraken et al study, the integration of prospective and retrospective analysis is important in improving the safety and optimization of organizational processes. 58

As we proposed, information about incidents and their retrospectively reported frequencies could be used as a reference point in the prospective analyses, which might facilitate frontline staff in the risk assessment. Conversely, prospectively developed failure scenarios could be used as guideline for retrospective.

Further Research Avenues and Limits

In this study, a framework for the execution of risk management in the executive levels of HCOs was proposed. Like any other management framework, successful implementation of the organization RM framework in executive levels of HCOs necessitates organizational commitment, establishing a stimulating culture, accurate planning, stakeholder engagement, strong and effective management, and use of available resources to implement the stages. Based on the results, it can be suggested that studies of risk management are increasing over time; however, there are still new cases that need further investigation and research, some of which are mentioned below.

  • Studies evaluating the effectiveness of risk management frameworks were very scarce and the effectiveness of risk management models should be examined in the future.
  • The number of outcome studies was not significant with respect to the investigated period (2000–2018). The outcome of most studies was also partial and lacked the necessary comprehensiveness. In most studies, the identification and assessment of risk were dealt with, and the phases of risk treatment and monitoring were neglected. Future studies, therefore, need to be implemented with a holistic view of the risk management process in healthcare organizations.
  • In most studies, the sample size was very small, and risk management was performed at a micro level in the healthcare organization and organizations adaptable with the terms of healthcare. Therefore, the risk management needs to become dominant in a more comprehensive way and in larger-scales in the healthcare organization.
  • Based on the results, various tools have been identified to achieve the risk management framework at different phases. The variety of the materials collected, together with the limited evidence for each topic, make it difficult to come to general conclusions, so it is necessary to conduct a cost-benefit analysis of risk assessment techniques.
  • In this study, risk sources have been identified theoretically and for staff areas of healthcare organizations, and some risks may not have been identified, although they may be a significant threat to the health system. Therefore, we cannot claim that this framework can be extended to other organizations in the health system.
  • The bulk of the studies of risk management in healthcare organizations relate to risk assessment, so it is recommended that all phases of risk management in healthcare organizations be established in the future.
  • For some phases of organization risk management, there were only conceptual studies; therefore, a feasibility study is needed to effectively implement various phases of RM in organizations.
  • Development of the organization RM framework for other areas of healthcare, development of advanced technological solutions to facilitate risk assessment, development of tools or criteria for effective and efficient implementation of organization RM frameworks, managers’ perceptions of organization RM frameworks are factors which should be considered for further research.

One limitation of this study was that the number of findings in the systematic review was dependent on the selection of keywords and input/output criteria. Therefore, more models can be extracted for organizational risk management. Also, non-English studies were not included and there may, therefore, be a bias towards inclusion of studies performed in English-speaking countries. In addition, articles were exclusively selected from journals; hence, other parts of the literature, such as books, book sections, and gray literature, were excluded from the process, as journal articles are readily available in journal databases and are usually used as a means of scientific communication.

Despite these limitations, this study has several strengths. First, all models of risk management and evaluation in healthcare organizations and organizations that could be modeled for the executive levels of the HCOs were examined in this study. Second, this paper contributes to the field of risk management research in healthcare. Third, the tools and techniques for risk assessment and management that are applicable to staff areas of healthcare organizations are mentioned.

Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework for risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment (risk identification, risk analysis, and risk evaluation), risk treatment (strategy determination, designing corrective actions, planning, and implementation), monitoring and review, and communication and consultation.

Tools and techniques were also suggested for use at each phase of the proposed risk management framework. These techniques have been selected to best apply to non-clinical risks in healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool is comprehensive.

Acknowledgments

We would like to thank all the staff members who assisted with our research.

The authors report no conflicts of interest in this work.

  • Study Guides
  • Homework Questions

Week 7 Case Study-Risk

What caused Dubai floods? Experts cite climate change, not cloud seeding

  • Medium Text

DID CLOUD SEEDING CAUSE THE STORM?

Aftermath following floods caused by heavy rains in Dubai

CAN'T CREATE CLOUDS FROM NOTHING

Sign up here.

Reporting by Alexander Cornwell; editing by Maha El Dahan and Alexandra Hudson

Our Standards: The Thomson Reuters Trust Principles. New Tab , opens new tab

The sun sets behind Brandenburg Gate and its columns that were painted in a protest campaign by Last Generation climate activists in Berlin

The European Parliament approved rules on Tuesday to give consumers the right to have worn-out products like washing machines and smartphones repaired by producers, to cut waste and make goods last longer.

LSEG Workspace

World Chevron

Palestinians gather to receive aid outside an UNRWA warehouse in Gaza City

Famine risk 'very high' in Gaza, especially in north, US official says

Israel has taken significant steps in recent weeks on allowing aid into Gaza, the U.S. special regional envoy for humanitarian issues said on Tuesday, but considerable work remained to be done as the risk of famine in the enclave is "very high."

Prop depicting a water tap with plastic bottle pollution is displayed by activists in Ottawa

An aide to a member of the European Parliament for the far-right Alternative for Germany has been arrested in Germany on suspicion of "especially severe" espionage for China, the latest in a spate of such arrests across Europe.

Former U.S. President Trump's criminal trial on charges of falsifying business records continues in New York

IMAGES

  1. Risk Management Plan Example

    risk management plan case study

  2. Covid 19 Safe Management Plan Template

    risk management plan case study

  3. Why and How to Manage Risks in Software Development

    risk management plan case study

  4. Effective Business Risk Assessment Template

    risk management plan case study

  5. Risk management case study

    risk management plan case study

  6. PPT

    risk management plan case study

VIDEO

  1. How to Develop a Risk Management Plan (Animated)

  2. Risk Management Revision II ACCA FM Revision II Let's Revise Risk Management

  3. The Storm is Coming: Are you Ready?

  4. Risk Management Plan A

  5. Community Risk Management Plan 2024-28: Proposals 2, 3 and 4

  6. Essential Risk Management: Why It Matters

COMMENTS

  1. Enterprise Risk Management Examples l Smartsheet

    The following examples of enterprise risk management can be considered success stories. ERM Case Study: Statoil. A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential.

  2. Risk on Complex Projects : a Case Study

    Fosters decision-making thinking (NASA, 2008). This paper has presented a case study about a very complex project: the engineering design, procurement, and construction of a 400,000 barrel oil refinery. We hope that you have learned about risk on complex projects and mitigation of risk in the design and procurement phases.

  3. How To Create A Risk Management Plan + Template & Examples

    1. Prepare supporting documentation. You'll want to review existing project management documentation to help you craft your risk management plan. This documentation includes: Project Charter: among other things, this document establishes the project objectives, the project sponsor, and you as the project manager.

  4. Risk Management Articles, Research, & Case Studies

    New research on risk management from Harvard Business School faculty on issues including the role, organization, and limitations of risk identification and risk management, banks' risk exposures, and dealing with supply chain risk. ... In the new case study "Honeywell and the Great Recession," Sandra Sucher and Susan Winterberg explore ...

  5. Risk Analysis Project Management

    The risk management plan includes these definitions and guidelines: List of possible risk sources and categories; Impact and probability matrix; ... This in-depth case study outlines a project to increase productivity with Saudi Arabian public petroleum and natural gas company, Saudi Aramco. Article Portuguese Articles, ...

  6. How to Make a Risk Management Plan (Template Included)

    The steps to make a risk management plan are outlined below. 1. Risk Identification. Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered "known risks," others might require additional research to discover.

  7. Project Risk Management Methodology: A Case Study of an Electric Energy

    The risk management plan defines what activities should be done to deal with project risks: the risk identification allows identifying and documenting risks that may affect the project objectives; the qualitative analysis evaluates the possible consequences of the risks as well as their likelihood of occurrence, in subjective terms ...

  8. Taming the Dragons: A Practical Guide to Project Risk Management with a

    This case study highlights the importance of project risk management. Even the most meticulously planned projects can face unforeseen challenges. By proactively identifying and addressing risks ...

  9. Risk Management Case Studies

    How do different organisations use Predict! to manage their risks and opportunities? Read our risk management case studies to learn from their experiences and insights. Find out how Predict! helps them to achieve their strategic objectives, deliver projects on time and budget, and improve their risk culture.

  10. Successful implementation of project risk management in small and

    In particular, RQ1 and RQ3 are formulated to understand how to adopt PRM in SMEs, and RQ2 is defined to identify the evidences and outcomes deriving from a successful PRM adoption. To achieve the research objective and answer the research questions, an exploratory and explanatory research through multiple case studies was conducted as it is the most suitable methodology for this type of ...

  11. What Is A Risk Management Plan? 2024 Comprehensive Guide

    1. Risk Identification. 2. Risk Assessment. Comprehensive risk management planning means you and your team will be aware of potential risks within a given project. This way, you'll have ample time to reassess your risk exposure. Whether you're a business owner, project manager or risk ...

  12. Enterprise Risk Management at Hydro One (A)

    The case challenges students to define the problems and risks that the company faces, given its strategic objectives, its evolving risk profile, and the changing environment. The case also offers a discussion ground for defining the role of the chief risk officer and the relationship between risk management, strategic planning and capital ...

  13. Case Study: Companies Excelling in Risk Management

    Now, let's take a look at a case study that highlights risk management excellence in practice. ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry. It specialises in software development and IT ...

  14. Risk Management in IT Projects

    Conclusions: It is important that the entire risk management process is standardized and managed in an active manner. In the case study below, risk management was one of the success factors ...

  15. Risk Manageability Assessment to Improve Risk Response Plan: Case Study

    Risk Manageability Assessment to Improve Risk Response Plan: Case Study of Construction Projects in Iran. Authors: Mohammad Hadi Charkhakan ... Aven, T., J. Vinnem, and H. Wiencke. 2007. "A decision framework for risk management, with application to the offshore oil and gas industry." Reliab. Eng. Syst. Saf. 92 (4): 433-448. https://doi ...

  16. Application of risk management plan to technical risks in metro

    Throughout this case study, examples of how the RMP was applied to the technical risks such as geological and geotechnical risk, damage risk to neighbouring structures or assets and environmental risk are provided. ... The Risk Management Plan (RMP) is an approach including identifying, analyzing and evaluating risks; defining the means and ...

  17. PDF Risk Management Practices in a Construction Project a case study

    Department of Civil and Environmental Engineering Division of Construction Management. Chalmers University of Technology SE-412 96 Göteborg Sweden Telephone: + 46 (0)31-772 1000. Sweden 2011. Risk Management Practices in a Construction Project - a case study. Master of Science Thesis in the Master's Programme.

  18. Risk Management in Executive Levels of Healthcare Organizations

    Risk Management in Executive Levels of Healthcare Organizations: Insights from a Scoping Review (2018) ... a plan also defined risk ownership, ... Tsaramirsis G. Facilitating organisational decision making: a change risk assessment model case study. J Model Manage. 2016; 11 (2):694-721. doi: 10.1108/JM2-05-2014-0035

  19. Toward a Risk Management Strategy: A Narrative Review of Methods for

    Risk assessment instruments in particular, but the other methods in this study as well, should be seen as an individual step that together can be used to formulate a risk management plan. Stated differently, each step provides information for the next one and together provide the necessary input to develop a comprehensive risk management plan ...

  20. PDF Coastal Risk Management Plan

    This document was developed as part of the Climate Change and Coastal Risk Assessment and Management Project, Department of Primary Industries and Water, and supported by the Tasmanian Risk Mitigation Programme coordinated by the Tasmanian State Emergency Service. ISBN 10: 9780724664740 ISBN 13: 9780724664733.

  21. Risk Management A Case Study

    Risk Management: A Case Study Introduction. You created your risk management plan and identified the risks to the project, determined the ones to which you need to respond, and crafted your action plans. You adjusted the project schedule, changed resource assignments, put into place various agreements with vendors, and trained the team on the ...

  22. Week 7 Case Study-Risk (docx)

    Week 7: Risk. Oyun-Erdene Ganbold, Trine University. FIN 5063: Corporate Finance. Professor: Tim Nole. December 13, 2023. Aim of case study: The aim of this course study is to explore recent financial incidents or risks, such as Ponzi schemes, analyze their occurrence and mechanics, and develop comprehensive strategies to prevent and mitigate ...